Changes between Version 2 and Version 3 of Ticket #1032


Timestamp: Feb 11, 2010 4:46:44 PM (12 years ago)
Author: nanang
  • Ticket #1032 – Description

    v2 v3  
    11Issues: 
     2 
    23 - Domain name verification, IETF RFC draft could be found [http://tools.ietf.org/html/draft-ietf-sip-domain-certs-04 here]. 
    34 - Add callback in PJSUA-LIB to notify transport state (e.g. transport is connected or disconnected). There are several use cases for this: 
     
    56   - application can inspect TLS connection/verification error and reconfigure TLS transport respectively (for example, to disable domain verification if TLS connection fails due to certificate error (perhaps after asking for user confirmation)) 
    67 
     8 
     9Specifications: 
     10   
     11 - Verification in SSL socket: 
     12   - If {{{verify_peer}}} is set, SSL socket will stop the SSL session whenever there is any error occurred in the verification. 
     13   - If {{{verify_peer}}} is not set, SSL socket will ignore any error in verification and continue establishing SSL handshake. Application may do the verification in on_connect_complete() callback by inspecting SSL socket info. 
     14   - On both cases, the application may inspect the verification result in the SSL socket info. 
     15   - The verification result in SSL socket info should show all verification errors, for example when remote certificate is expired and untrusted, the verification result should show both errors. 
     16   - As domain name verification rules may vary among applications (e.g: SIP requires exact match and allows SIP URI identity, while HTTP allows wildcard, '*' and doesn't not say anything about URI identity), domain name verification is in application level and the SSL socket will just provide remote identities parsed from remote certificate, i.e: subjectAltName extension and subject common name. 
     17 
     18 - Verification in SIP TLS transport: 
     19   - Add destination host name into {{{pjsip_tx_data}}}. The TLS transport will use it to get the server name for TLS verification. 
     20   - Introduce a new SIP transport callback to notify transport states, i.e: connected, disconnected, and TLS verification errors. 
     21   - Add verification step, domain name verification, and add this to verification status of SSL socket info. 
     22   - If {{{verify_server/client}}} is set, TLS transport will disconnect the transport and notify the application via the new callback whenever there is any TLS verification error. 
     23   - If {{{verify_server/client}}} is not set, TLS transport will just notify the application via the new callback, the return value of the callback will be used to decide whether transport should be shutdown (or application must always shutdown the transport when returning PJ_FALSE?).
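Review bot: the last added item (v3 line 23) leaves the callback's return-value contract undecided. It says the return value decides whether the transport is shut down, then asks in parentheses whether the application must shut the transport down itself when returning PJ_FALSE. Settle this in the description before implementation and state which return value keeps a transport with a verification error alive, because with {{{verify_server/client}}} unset the added lines make this callback the place where a certificate or domain name error is acted on. The same applies to v3 line 13: with {{{verify_peer}}} unset the handshake continues despite errors, so the description should say that an application which does not inspect the SSL socket info in on_connect_complete() ends up with an unverified connection. Minor: in v3 line 16, "doesn't not say" should read "doesn't say".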