transp,tls: add TLS client verification #1059
Conversation
src/tls/openssl/tls.c
Outdated
| if (!tls) | ||
| return; | ||
|
|
||
| tls->verify_client = true; |
There was a problem hiding this comment.
Perhaps move the bool to the API so that the feature can be turn on and off at any time ?
There was a problem hiding this comment.
I am unsure where I would move it. We have to call SSL_set_verify on the SSL object. Ideally, shortly after initializing it. For incoming connections, this happens in the tcp_connect_handler in transp.c and in this context we don't have much information except for the sip_transport which contains the tls struct.
This closely mirrors the approach of verify_server.
Maybe I misunderstood, could you specify where exactly I could move the bool? Or should I add tls_disable_verify_client to be able to disable the feature?
There was a problem hiding this comment.
I think @alfredh is looking for something like this:
void tls_enable_verify_client(struct tls *tls, bool enable) {
if (!tls)
return;
tls->verify_client = enable;
}There was a problem hiding this comment.
Ooh, okay. Done.
maximilianfridrich
force-pushed
the
tls_verify_client
branch
2 times, most recently
from
87d5743
to
145d663
Compare
Per default, TLS client verification is disabled.
maximilianfridrich
force-pushed
the
tls_verify_client
branch
from
145d663
to
8ab0ea7
Compare
Per default, TLS client verification is disabled.