Skip Menu |
 

This queue is for tickets about the Net-SIP CPAN distribution.

Report information
The Basics
Id: 120039
Status: resolved
Priority: 0/
Queue: Net-SIP

People
Owner: Nobody in particular
Requestors: richard.carver [...] cloudmont.co.uk
Cc:
AdminCc:

Bug Information
Severity: (no value)
Broken in: (no value)
Fixed in: (no value)



Subject: Net::SIP::SocketPool does not pass certificate to 'receive' callback
Date: Mon, 30 Jan 2017 11:21:40 +0000
To: "bug-Net-SIP [...] rt.cpan.org" <bug-Net-SIP [...] rt.cpan.org>
From: Richard Carver <richard.carver [...] cloudmont.co.uk>
Download (untitled) / with headers
text/plain 811b
When clients authenticate with a certificate then Net::SIP::SocketPool and IO::Socket::SSL check that it is valid but do not pass it up the chain to the application to use for further logic. This patch adds the peer certificate into the 'from' hash so that it can be used by the 'receive' callback. *** /usr/local/share/perl5/Net/SIP/SocketPool.pm.orig Mon Jan 30 06:03:53 2017 --- /usr/local/share/perl5/Net/SIP/SocketPool.pm Mon Jan 30 05:48:10 2017 *************** sub _handle_read_tcp_co { *** 540,545 **** --- 540,546 ---- invoke_callback($self->{cb},$pkt, { %{ ip_sockaddr2parts($from) }, proto => $self->{tls} ? 'tls' : 'tcp', + $self->{tls} ? (cert => $fo->{fd}->peer_certificate) : (), }); # continue with processing any remaining data in the buffer
Download (untitled) / with headers
text/plain 878b
Am Mo 30. Jan 2017, 06:21:56, richard.carver@cloudmont.co.uk schrieb: Show quoted text
> When clients authenticate with a certificate then Net::SIP::SocketPool > and IO::Socket::SSL check that it is valid but do not pass it up the > chain to the application to use for further logic. > This patch adds the peer certificate into the 'from' hash so that it > can be used by the 'receive' callback.
Thanks for providing the patch but currently I'm not sure if I want to apply it in this form. While it might fit your unknown use case it might be insufficient for other use cases, for example because it only provides the leaf certificate but not any intermediate certificates the client might have sent. And even this might not be enough if one likes to add OCSP checks or similar. Could you please detail your specific use case so that I could include it in a possible change? Regards, Steffen
Subject: RE: [rt.cpan.org #120039] Net::SIP::SocketPool does not pass certificate to 'receive' callback
Date: Tue, 31 Jan 2017 09:22:04 +0000
To: "bug-Net-SIP [...] rt.cpan.org" <bug-Net-SIP [...] rt.cpan.org>
From: Richard Carver <richard.carver [...] cloudmont.co.uk>
Download (untitled) / with headers
text/plain 916b
You make a good point about the intermediate certificates. My application sits between 2 systems that don't want to talk to each other, reformatting SIP packets from each so they are acceptable to the other. Both systems use the same sip domain so I cannot route based on URI. I cannot use IP addresses to determine which system is which as one does not publish a list of their IP addresses and they can change without warning. However the systems do use SSL with client certificates so I can use the subject in the client certificate to determine the source, log and drop unwanted packets, and route authorized packets to the other system. My immediate requirement is therefore just for the CN. This is what I am using in my application based on the patch I submitted: my $cn = Net::SSLeay::X509_NAME_get_text_by_NID( Net::SSLeay::X509_get_subject_name( $from->{cert} ), Net::SSLeay::NID_commonName());
Download (untitled) / with headers
text/plain 196b
The next version will include the socket object in the callback so that any information like the leaf certificate or the chain certificates can be queried from this object. See commit def93d51.


This service is sponsored and maintained by Best Practical Solutions and runs on Perl.org infrastructure.

Please report any issues with rt.cpan.org to rt-cpan-admin@bestpractical.com.