[FEATURE] OpenSIPS does not verify hostnames in TLS certificates (?) #3064

Open
jes opened this issue Apr 21, 2023 · 12 comments · May be fixed by #3078
Comments

jes (Contributor) commented Apr 21, 2023

OpenSIPS version you are running

version: opensips 3.4.0-dev (x86_64/linux)
flags: STATS: On, DISABLE_NAGLE, USE_MCAST, SHM_MMAP, PKG_MALLOC, Q_MALLOC, F_MALLOC, HP_MALLOC, DBG_MALLOC, CC_O0, FAST_LOCK-ADAPTIVE_WAIT
ADAPTIVE_WAIT_LOOPS=1024, MAX_RECV_BUFFER_SIZE 262144, MAX_LISTEN 16, MAX_URI_SIZE 1024, BUF_SIZE 65535
poll method support: poll, epoll, sigio_rt, select.
git revision: 6faf77b
main.c compiled on 14:58:32 Mar 24 2023 with gcc 4.8.5

Describe the bug
When OpenSIPS connects to a TLS server that presents a certificate that does not match its hostname, OpenSIPS thinks the certificate passes validation and allows communication anyway.

There is probably a comparable bug regarding checking client certificates.

To Reproduce

  1. Get OpenSIPS to connect using TLS, with "verify_cert" enabled, to a server that has a good certificate (I did this using uac_registrant, but any method would be fine).
  2. Verify that OpenSIPS successfully connects and sends SIP.
  3. Now get OpenSIPS to connect to exactly the same server, but using a hostname that is not in the certificate (e.g. a bare IP address, or something from /etc/hosts; any hostname for that machine is fine).
  4. Observe that OpenSIPS still successfully connects and sends SIP, even though the certificate is not valid without a matching hostname.

Expected behavior

I expected OpenSIPS to reject a certificate when the common name (or subject alternate names) don't match the hostname it is trying to connect to.

OS/environment information

  • Operating System: CentOS 7
  • OpenSIPS installation: git

Additional context

This probably means existing OpenSIPS installations are MITM-able by anyone who can get a valid certificate for any domain (which is everyone).
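The check the report expects, as an added example rather than OpenSIPS code: a pure-Python RFC 6125 hostname match over the certificate dict layout that Python's ssl.SSLSocket.getpeercert() returns, run against a constructed certificate so that the bare-IP and /etc/hosts-alias cases from step 3 are rejected while the certificate's own names are accepted (it also covers wildcard SANs and the legacy CN fallback, which the report does not go into). In OpenSSL-based code the equivalent is to call SSL_set1_host() before the handshake, which makes the library apply this check as part of verification.

```python
import ipaddress

def _dns_match(pattern: str, hostname: str) -> bool:
    """Match one dNSName SAN pattern (or CN) against a hostname, case-insensitively."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p, h = pattern.split("."), hostname.split(".")
    # A wildcard must be the entire left-most label ("*.example.com"), must cover
    # exactly one label, and must leave at least two literal labels to its right.
    if p[0] != "*" or len(p) < 3 or len(p) != len(h):
        return False
    return p[1:] == h[1:]

def match_hostname(cert: dict, hostname: str) -> bool:
    """True iff `hostname` is an identity asserted by `cert` (getpeercert() layout)."""
    sans = cert.get("subjectAltName", ())
    dns_names = [v for k, v in sans if k == "DNS"]
    ip_sans = [v for k, v in sans if k == "IP Address"]
    try:
        ip = ipaddress.ip_address(hostname)
    except ValueError:
        ip = None
    if ip is not None:
        # An IP literal (step 3 of the report) matches only an iPAddress SAN,
        # never a dNSName entry or the CN.
        return any(ipaddress.ip_address(v) == ip for v in ip_sans)
    if dns_names:
        # When dNSName SANs are present they are authoritative; the CN is ignored.
        return any(_dns_match(p, hostname) for p in dns_names)
    # Legacy fallback: the CN counts only for certificates with no dNSName SAN.
    return any(k == "commonName" and _dns_match(v, hostname)
               for rdn in cert.get("subject", ()) for k, v in rdn)

# Constructed sample (not a real certificate): the server names sip.example.com
# and a wildcard; the raw IP and an /etc/hosts alias are deliberately absent.
SERVER_CERT = {
    "subject": ((("commonName", "sip.example.com"),),),
    "subjectAltName": (("DNS", "sip.example.com"), ("DNS", "*.cluster.example.com")),
}

if __name__ == "__main__":
    for peer in ("sip.example.com", "node1.cluster.example.com", "192.0.2.10", "sip-alias"):
        verdict = "accept" if match_hostname(SERVER_CERT, peer) else "REJECT"
        print(f"{peer:28} {verdict}")
```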

@jes jes linked a pull request May 5, 2023 that will close this issue
github-actions bot commented May 7, 2023

Any updates here? No progress has been made in the last 15 days, marking as stale. Will close this issue if no further updates are made in the next 30 days.

@github-actions github-actions bot added the stale label May 7, 2023
jes (Contributor, Author) commented May 7, 2023

Yes, there is progress here: 2 days ago I submitted a pull request, #3078.

@stale stale bot removed the stale label May 7, 2023
github-actions bot commented

Any updates here? No progress has been made in the last 15 days, marking as stale. Will close this issue if no further updates are made in the next 30 days.

@github-actions github-actions bot added the stale label May 23, 2023
jes (Contributor, Author) commented May 23, 2023

The bug still exists.

@stale stale bot removed the stale label May 23, 2023
github-actions bot commented Jun 8, 2023

Any updates here? No progress has been made in the last 15 days, marking as stale. Will close this issue if no further updates are made in the next 30 days.

@github-actions github-actions bot added the stale label Jun 8, 2023
jes (Contributor, Author) commented Jun 8, 2023

Yes, the bug still exists. I have submitted an alternative implementation that does not require changing everywhere that touches sockaddr_union.

@stale stale bot removed the stale label Jun 8, 2023
github-actions bot commented

Any updates here? No progress has been made in the last 15 days, marking as stale. Will close this issue if no further updates are made in the next 30 days.

@github-actions github-actions bot added the stale label Jun 24, 2023
jes (Contributor, Author) commented Jun 24, 2023

Yes, the bug still exists.

@stale stale bot removed the stale label Jun 24, 2023
github-actions bot commented

Any updates here? No progress has been made in the last 15 days, marking as stale. Will close this issue if no further updates are made in the next 30 days.

@github-actions github-actions bot added the stale label Jul 10, 2023
jes (Contributor, Author) commented Jul 10, 2023

Yes, the bug still exists, and I pushed another commit to my PR today.

@stale stale bot removed the stale label Jul 10, 2023
@bogdan-iancu bogdan-iancu changed the title from "[BUG] OpenSIPS does not verify hostnames in TLS certificates (?)" to "[FEATURE] OpenSIPS does not verify hostnames in TLS certificates (?)" Jul 12, 2023

bogdan-iancu (Member) commented

Hi @jes, thanks for the report and work here. I re-labeled this a feature and not a bug, as hostname verification is not a must; actually there are cases where you do not want it done, as it may be impossible to have such a setup (it highly depends on what you are using the TLS for, the SIP scenario). Also, as per your patch, the check is optional, not mandatory.
I will dive into this as soon as we are over the hop with the 3.4 stable release next week.

@bogdan-iancu bogdan-iancu self-assigned this Jul 12, 2023
jes (Contributor, Author) commented Jul 20, 2023

Great, thanks Bogdan :) Looking forward to seeing TLS hostname verification in OpenSIPS.
