<p>CRL (Certificate Revocation List) based verification was added to the proto tls module. The user is able to configure a directory which contains multiple CRL files. The proto tls module parses the directory and adds the given CRL files to the SSL context [the config script option: <code>modparam("proto_tls", "crl_dir", "/home/chifor/work/Opensips/build/etc/opensips/tls/")</code>]. <br>
Besides the client certificate verification, the user can also enable verification of the chain certificates (all the certificates given in the "ca_list" script parameter are verified against the given CRL files) [the config script option: <code>modparam("proto_tls", "crl_check_all", "1")</code>]. By default, "crl_check_all" is 0 (disabled), meaning that only the client certificate is verified against the CRLs.<br>
Two new script variables were also introduced: tls_peer_subject_serial and tls_my_subject_serial. These script variables extract the serial number field from the certificate CN: (CN=opensips_user/serialNumber=129/emailAddress=<a href="mailto:opensips_user@opensips.com">opensips_user@opensips.com</a>). These variables could be used in a post-TLS authorization scenario. The serial number from the certificate CN is specified by the OpenSSL NID_serialNumber.</p>

<hr>

<h4>You can view, comment on, or merge this pull request online at:</h4>
<p>&nbsp;&nbsp;<a href='https://github.com/OpenSIPS/opensips/pull/613'>https://github.com/OpenSIPS/opensips/pull/613</a></p>

<h4>Commit Summary</h4>
<ul>
  <li>Add CRL (Certificate Revocation List) verification for TLS</li>
  <li>Extract serial number from certificate subject (TLS module)</li>
</ul>

<h4>File Changes</h4>
<ul>
  <li>
    <strong>M</strong>
    <a href="https://github.com/OpenSIPS/opensips/pull/613/files#diff-0">modules/proto_tls/proto_tls.c</a>
    (100)
  </li>
  <li>
    <strong>M</strong>
    <a href="https://github.com/OpenSIPS/opensips/pull/613/files#diff-1">modules/proto_tls/tls_config.c</a>
    (2)
  </li>
  <li>
    <strong>M</strong>
    <a href="https://github.com/OpenSIPS/opensips/pull/613/files#diff-2">modules/proto_tls/tls_config.h</a>
    (1)
  </li>
  <li>
    <strong>M</strong>
    <a href="https://github.com/OpenSIPS/opensips/pull/613/files#diff-3">modules/proto_tls/tls_domain.c</a>
    (1)
  </li>
  <li>
    <strong>M</strong>
    <a href="https://github.com/OpenSIPS/opensips/pull/613/files#diff-4">modules/proto_tls/tls_domain.h</a>
    (2)
  </li>
  <li>
    <strong>M</strong>
    <a href="https://github.com/OpenSIPS/opensips/pull/613/files#diff-5">modules/proto_tls/tls_params.c</a>
    (27)
  </li>
  <li>
    <strong>M</strong>
    <a href="https://github.com/OpenSIPS/opensips/pull/613/files#diff-6">modules/proto_tls/tls_params.h</a>
    (4)
  </li>
  <li>
    <strong>M</strong>
    <a href="https://github.com/OpenSIPS/opensips/pull/613/files#diff-7">modules/proto_tls/tls_select.c</a>
    (2)
  </li>
  <li>
    <strong>M</strong>
    <a href="https://github.com/OpenSIPS/opensips/pull/613/files#diff-8">modules/proto_tls/tls_select.h</a>
    (3)
  </li>
</ul>

<h4>Patch Links:</h4>
<ul>
  <li><a href='https://github.com/OpenSIPS/opensips/pull/613.patch'>https://github.com/OpenSIPS/opensips/pull/613.patch</a></li>
  <li><a href='https://github.com/OpenSIPS/opensips/pull/613.diff'>https://github.com/OpenSIPS/opensips/pull/613.diff</a></li>
</ul>
