
mod_sofia improvements to expose more TLS options


    Details

    • Type: Improvement
    • Status: Closed
    • Priority: Patch
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: mod_sofia
    • Labels:
      None
    • CPU Architecture:
      x86
    • Kernel:
      Linux
    • Userland:
      GNU/Linux
    • Compiler:
      gcc
    • FreeSWITCH GIT Revision:
      head
    • GIT Master Revision hash:
      yes

      Description

      TLS support in mod_sofia works great, but right now there are some important TLS options not exposed.
      The main patch (sofia_tls_extra_options.patch) exposes a few options, the most important of which is tls-verify-policy to allow certificate validation. Without this, using FreeSWITCH to connect to TLS gateways is vulnerable to MITM attacks unless the remote gateway is validating client certificates.

      It also allows control over whether certificate dates are enforced, the max verify depth, and the ability to only bind on the TLS port rather than requiring an unencrypted sofia profile. This exposes most of the core TLS options except for the verify_subjects option, which could be done but was a bit more complex and probably less frequently used, so it was left off. The tls-no-verify-date would probably be better named tls-verify-date, but I used the negative so that if it ended up in someone's config without a value it would still behave properly.

      There are two additional patches attached to the ticket, an upstream patch to backport passphrase support (would be useful to allow storing of passphrases not just in hard configs but via some of the other config providers) and then a patch to add the passphrase support as another tls option on top of the main patch.
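      As an added illustration (not part of the ticket or its attached patches), two sofia profile fragments: the first has TLS enabled but requests no peer verification, which is the gateway MITM exposure the ticket describes; the second uses the options the patch exposes. The `tls-verify-depth` and `tls-only` parameter names and the `all` policy value are assumed from how these options appear in later FreeSWITCH profiles, not taken from the ticket.

```xml
<!-- Before: TLS transport is on, but no certificate verification policy is set,
     so a connection to a TLS gateway accepts whatever certificate it is handed. -->
<profile name="external-unverified">
  <settings>
    <param name="tls" value="true"/>
    <param name="tls-bind-params" value="transport=tls"/>
    <param name="tls-cert-dir" value="$${base_dir}/conf/ssl"/>
  </settings>
</profile>

<!-- After: options from the ticket's patch (parameter names for depth and
     TLS-only binding are assumed, see lead-in). Verify peer certificates on
     both inbound and outbound connections, keep the date check enforced,
     cap the chain depth, and listen on the TLS port only. -->
<profile name="external-verified">
  <settings>
    <param name="tls" value="true"/>
    <param name="tls-bind-params" value="transport=tls"/>
    <param name="tls-cert-dir" value="$${base_dir}/conf/ssl"/>
    <param name="tls-verify-policy" value="all"/>
    <param name="tls-no-verify-date" value="false"/>
    <param name="tls-verify-depth" value="2"/>
    <param name="tls-only" value="true"/>
  </settings>
</profile>
```

      The CA certificates used to validate the gateway's chain must be present under tls-cert-dir for the verified profile to establish any connection at all.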

            People

            • Assignee: anthm Anthony Minessale II
            • Reporter: mitch.capper Mitch Capper
            • Votes: 0
            • Watchers: 4
