From ce92b693869442b6f0dafb4563145b87afc23b8d Mon Sep 17 00:00:00 2001
From: Automerge script
Date: Wed, 17 Oct 2012 19:26:07 +0000
Subject: [PATCH] Merged revisions 375147 via svnmerge from file:///srv/subversion/repos/asterisk/branches/10
................
r375147 | kmoore | 2012-10-17 13:58:52 -0500 (Wed, 17 Oct 2012) | 15 lines
Ensure Asterisk fails TCP/TLS SIP calls when certificate checking fails
When placing a call to a TCP/TLS SIP endpoint whose certificate is not signed by a configured CA certificate, Asterisk would issue a warning and continue to process the call as if there was not an issue with the certificate. Asterisk now properly fails the call if the certificate fails verification or if the certificate does not exist when certificate checking is enabled (the default behavior).
(closes issue ASTERISK-20559)
Review: https://reviewboard.asterisk.org/r/2163/
........
Merged revisions 375146 from http://svn.asterisk.org/svn/asterisk/branches/1.8
................
git-svn-id: https://origsvn.digium.com/svn/asterisk/branches/10-digiumphones@375173 65c4cc65-6c06-0410-ace0-fbb531ad65f3
---
 main/tcptls.c | 23 +++++++++++++++--------
 1 file changed, 15 insertions(+), 8 deletions(-)
diff --git a/main/tcptls.c b/main/tcptls.c
index 37a719afc2..df4e7ad5ea 100644
--- a/main/tcptls.c
+++ b/main/tcptls.c
@@ -194,11 +194,21 @@ static void *handle_tcptls_connection(void *data)
 X509 *peer;
 long res;
 peer = SSL_get_peer_certificate(tcptls_session->ssl);
- if (!peer)
- ast_log(LOG_WARNING, "No peer SSL certificate\n");
+ if (!peer) {
+ ast_log(LOG_ERROR, "No peer SSL certificate to verify\n");
+ ast_tcptls_close_session_file(tcptls_session);
+ ao2_ref(tcptls_session, -1);
+ return NULL;
+ }
+
 res = SSL_get_verify_result(tcptls_session->ssl);
- if (res != X509_V_OK)
+ if (res != X509_V_OK) {
 ast_log(LOG_ERROR, "Certificate did not verify: %s\n", X509_verify_cert_error_string(res));
+ X509_free(peer);
+ ast_tcptls_close_session_file(tcptls_session);
+ ao2_ref(tcptls_session, -1);
+ return NULL;
+ }
 if (!ast_test_flag(&tcptls_session->parent->tls_cfg->flags, AST_SSL_IGNORE_COMMON_NAME)) {
 ASN1_STRING *str;
 unsigned char *str2;
@@ -225,16 +235,13 @@ static void *handle_tcptls_connection(void *data)
 }
 if (!found) {
 ast_log(LOG_ERROR, "Certificate common name did not match (%s)\n", tcptls_session->parent->hostname);
- if (peer) {
- X509_free(peer);
- }
+ X509_free(peer);
 ast_tcptls_close_session_file(tcptls_session);
 ao2_ref(tcptls_session, -1);
 return NULL;
 }
 }
- if (peer)
- X509_free(peer);
+ X509_free(peer);
 }
 }
 if (!tcptls_session->f) /* no success opening descriptor stacking */
-- 
2.47.2
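Review bot: The verification-failure path added in the first hunk logs only `X509_verify_cert_error_string(res)`, while the common-name branch in the second hunk also reports `tcptls_session->parent->hostname`; now that the call is refused outright, naming the peer makes the refusal actionable for an operator, e.g. `ast_log(LOG_ERROR, "Certificate for %s did not verify: %s\n", tcptls_session->parent->hostname, X509_verify_cert_error_string(res));` and likewise for the "No peer SSL certificate to verify" message. The teardown sequence `ast_tcptls_close_session_file(tcptls_session); ao2_ref(tcptls_session, -1); return NULL;` now appears three times across the two hunks (no certificate, verification failure, common-name mismatch); a single cleanup label at the end of the verification block would keep the three failure exits from drifting apart as further checks are added. The hostname appears to be valid on this path since the second hunk already dereferences it, but whether this block is reached only when verification is enabled is decided by a condition outside the hunk. handle_tcptls_connection starts before the first hunk and continues past the second.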