[OpenSIPS-Devel] Verification of TLS certificate hostnames
James Stanley
james at incoherency.co.uk
Fri May 5 13:24:47 UTC 2023
Hi,

OpenSIPS does not currently verify hostnames in TLS certificates.

I've created a PR to add a "verify_hostname" option to tls_mgm, at
<https://github.com/OpenSIPS/opensips/pull/3078> - when the option is
enabled, it makes the tls_openssl module ask OpenSSL to verify the
hostname. This is achieved by attaching the associated hostname to the
sockaddr_union and the tcp_connection, otherwise tls_openssl has no way
to know what the hostname is supposed to be.

I wonder if I could get some comments on this. Is it wanted? Is it not
wanted? Is it wanted but you don't like the sockaddr accesses having to
go through the "u" field in "sockaddr_union_struct"? Is it wanted but
you don't like wasting 256 bytes per sockaddr? Is it wanted but you
want it in tls_wolfssl as well?

I'd love to get some feedback on how people feel about this.

Regards,
James Stanley
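
The gap described in this post, shown as an added example that is not part of the original message or of the PR: a certificate that chains to a trusted issuer is accepted for any peer unless the expected hostname is checked as well. It uses Go's crypto/x509 instead of OpenSSL so that it runs stand-alone; the names other.example.net and sip.example.com and the helpers issueCert and verify are constructed for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"fmt"
	"math/big"
	"time"
)

// issueCert builds a self-signed certificate (constructed sample data) whose
// only subjectAltName is dnsName.
func issueCert(dnsName string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		DNSNames:     []string{dnsName},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// verify validates cert against a trust store; a non-empty expectedHost adds the hostname check.
func verify(cert *x509.Certificate, expectedHost string) error {
	roots := x509.NewCertPool()
	roots.AddCert(cert) // assumption: the client trusts this (self-signed) issuer
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, DNSName: expectedHost})
	return err
}

func main() {
	cert, err := issueCert("other.example.net")
	if err != nil {
		panic(err)
	}
	fmt.Println("chain only, no hostname:", verify(cert, ""))
	fmt.Println("expect sip.example.com: ", verify(cert, "sip.example.com"))
	fmt.Println("expect other.example.net:", verify(cert, "other.example.net"))
}
```

Only the second call returns an error: without an expected name, the certificate issued for other.example.net passes validation no matter which host the client meant to reach.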