Merged revisions 375147 via svnmerge from
authorAutomerge script <automerge@asterisk.org>
Wed, 17 Oct 2012 19:26:07 +0000 (19:26 +0000)
committerAutomerge script <automerge@asterisk.org>
Wed, 17 Oct 2012 19:26:07 +0000 (19:26 +0000)
file:///srv/subversion/repos/asterisk/branches/10

................
  r375147 | kmoore | 2012-10-17 13:58:52 -0500 (Wed, 17 Oct 2012) | 15 lines

  Ensure Asterisk fails TCP/TLS SIP calls when certificate checking fails

  When placing a call to a TCP/TLS SIP endpoint whose certificate is not
  signed by a configured CA certificate, Asterisk would issue a warning
  and continue to process the call as if there was not an issue with the
  certificate.  Asterisk now properly fails the call if the certificate
  fails verification or if the certificate does not exist when
  certificate checking is enabled (the default behavior).

  (closes issue ASTERISK-20559)
  Review: https://reviewboard.asterisk.org/r/2163/
  ........

  Merged revisions 375146 from http://svn.asterisk.org/svn/asterisk/branches/1.8
................

git-svn-id: https://origsvn.digium.com/svn/asterisk/branches/10-digiumphones@375173 65c4cc65-6c06-0410-ace0-fbb531ad65f3

main/tcptls.c

index 37a719afc2cfbdf9d4ad2dc11bb13b6ef8750156..df4e7ad5ea13a84178a1465069ec751932e27301 100644 (file)
@@ -194,11 +194,21 @@ static void *handle_tcptls_connection(void *data)
                                X509 *peer;
                                long res;
                                peer = SSL_get_peer_certificate(tcptls_session->ssl);
-                               if (!peer)
-                                       ast_log(LOG_WARNING, "No peer SSL certificate\n");
+                               if (!peer) {
+                                       ast_log(LOG_ERROR, "No peer SSL certificate to verify\n");
+                                       ast_tcptls_close_session_file(tcptls_session);
+                                       ao2_ref(tcptls_session, -1);
+                                       return NULL;
+                               }
+
                                res = SSL_get_verify_result(tcptls_session->ssl);
-                               if (res != X509_V_OK)
+                               if (res != X509_V_OK) {
                                        ast_log(LOG_ERROR, "Certificate did not verify: %s\n", X509_verify_cert_error_string(res));
+                                       X509_free(peer);
+                                       ast_tcptls_close_session_file(tcptls_session);
+                                       ao2_ref(tcptls_session, -1);
+                                       return NULL;
+                               }
                                if (!ast_test_flag(&tcptls_session->parent->tls_cfg->flags, AST_SSL_IGNORE_COMMON_NAME)) {
                                        ASN1_STRING *str;
                                        unsigned char *str2;
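Review bot: The new `res != X509_V_OK` branch logs only the OpenSSL error string, so an operator reading the log cannot tell which peer failed verification; the common-name branch in the next hunk already prints `tcptls_session->parent->hostname`, and this message should do the same, e.g. `ast_log(LOG_ERROR, "Certificate did not verify for %s: %s\n", tcptls_session->parent->hostname, X509_verify_cert_error_string(res));`. The two exits added here and the `!found` exit in the next hunk repeat the same close/unref/return sequence (with `X509_free(peer)` in two of them); one cleanup label reached by `goto` would keep the three paths identical when another check is added. The condition that decides when this verification block runs is above the hunk and not visible; if it can also be reached for accepted (server-side) sessions, the new `!peer` exit would reject every client that presents no certificate, so it presumably is restricted to client sessions — confirm. handle_tcptls_connection starts before and continues after this hunk.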
@@ -225,16 +235,13 @@ static void *handle_tcptls_connection(void *data)
                                        }
                                        if (!found) {
                                                ast_log(LOG_ERROR, "Certificate common name did not match (%s)\n", tcptls_session->parent->hostname);
-                                               if (peer) {
-                                                       X509_free(peer);
-                                               }
+                                               X509_free(peer);
                                                ast_tcptls_close_session_file(tcptls_session);
                                                ao2_ref(tcptls_session, -1);
                                                return NULL;
                                        }
                                }
-                               if (peer)
-                                       X509_free(peer);
+                               X509_free(peer);
                        }
                }
                if (!tcptls_session->f) /* no success opening descriptor stacking */
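Review bot: The hostname check whose result is tested in `if (!found)` appears to match only the certificate common name, judging from the error text and the `AST_SSL_IGNORE_COMMON_NAME` flag; the matching loop itself lies above the hunk, but if it does not also consult the subjectAltName extension, a certificate that carries the hostname only as a DNS SAN would be rejected here. Whichever is the case, the branch should say so, e.g. `/* Hostname was compared against the certificate CN; subjectAltName is not consulted. */`, so the next reader does not assume SAN matching. handle_tcptls_connection continues past the end of this hunk.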