transp,tls: add TLS client verification #1059

Merged (1 commit) on Feb 11, 2024

maximilianfridrich
Contributor

Per default, TLS client verification is disabled.

if (!tls)
return;

tls->verify_client = true;
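
Review bot: the `if (!tls) return;` guard drops a NULL context silently, so a caller that passes one gets no indication that client verification was never switched on. Since this setter controls a security check, consider returning an int error code (for example EINVAL) on the NULL path so the failure is visible, and document in the function comment that verification stays disabled unless this call succeeds.
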
Contributor

Perhaps move the bool to the API so that the feature can be turned on and off at any time?

Contributor Author

I am unsure where I would move it. We have to call SSL_set_verify on the SSL object. Ideally, shortly after initializing it. For incoming connections, this happens in the tcp_connect_handler in transp.c and in this context we don't have much information except for the sip_transport which contains the tls struct.

This closely mirrors the approach of verify_server.

Maybe I misunderstood, could you specify where exactly I could move the bool? Or should I add tls_disable_verify_client to be able to disable the feature?

Member

I think @alfredh is looking for something like this:

void tls_enable_verify_client(struct tls *tls, bool enable) {
	if (!tls)
		return;

	tls->verify_client = enable;
}

Contributor Author

Ooh, okay. Done.

@alfredh alfredh added this to the v3.10.0 milestone Jan 29, 2024
@maximilianfridrich maximilianfridrich force-pushed the tls_verify_client branch 2 times, most recently from 87d5743 to 145d663 Compare February 8, 2024 13:34
@sreimers sreimers merged commit 6680971 into baresip:main Feb 11, 2024
36 checks passed
@maximilianfridrich maximilianfridrich deleted the tls_verify_client branch February 12, 2024 13:29