This queue is for tickets about the Net-SIP CPAN distribution.

Report information
The Basics
Id: 120039
Status: resolved
Priority: 0/
Queue: Net-SIP

People
Owner: Nobody in particular
Requestors: richard.carver [...] cloudmont.co.uk
Cc:
AdminCc:

Bug Information
Severity: (no value)
Broken in: (no value)
Fixed in: (no value)

Subject: Net::SIP::SocketPool does not pass certificate to 'receive' callback
Date: Mon, 30 Jan 2017 11:21:40 +0000
To: "bug-Net-SIP [...] rt.cpan.org" <bug-Net-SIP [...] rt.cpan.org>
From: Richard Carver <richard.carver [...] cloudmont.co.uk>
When clients authenticate with a certificate then Net::SIP::SocketPool and IO::Socket::SSL check that it is valid but do not pass it up the chain to the application to use for further logic. This patch adds the peer certificate into the 'from' hash so that it can be used by the 'receive' callback. *** /usr/local/share/perl5/Net/SIP/SocketPool.pm.orig Mon Jan 30 06:03:53 2017 --- /usr/local/share/perl5/Net/SIP/SocketPool.pm Mon Jan 30 05:48:10 2017 *************** sub _handle_read_tcp_co { *** 540,545 **** --- 540,546 ---- invoke_callback($self->{cb},$pkt, { %{ ip_sockaddr2parts($from) }, proto => $self->{tls} ? 'tls' : 'tcp', + $self->{tls} ? (cert => $fo->{fd}->peer_certificate) : (), }); # continue with processing any remaining data in the buffer
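Review bot: the `cert` value added in the hunk is the raw X509 pointer returned by IO::Socket::SSL's peer_certificate, which the socket object caches and frees when the SSL session is torn down, so a 'receive' callback that keeps `$from->{cert}` beyond the callback (to log it later, for example) ends up using freed memory; document that the pointer is valid only for the duration of the callback, or hand up something the application can own. The callback also has to cope with `cert => undef`: unless SSL_verify_mode requires a client certificate, peer_certificate returns undef for a client that presented none, and the hunk does not distinguish that case from TLS with a certificate. Only the leaf certificate is exposed, not any intermediates the client sent.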
On Mon, 30 Jan 2017, 06:21:56, richard.carver@cloudmont.co.uk wrote:
> When clients authenticate with a certificate then Net::SIP::SocketPool
> and IO::Socket::SSL check that it is valid but do not pass it up the
> chain to the application to use for further logic.
> This patch adds the peer certificate into the 'from' hash so that it
> can be used by the 'receive' callback.
Thanks for providing the patch but currently I'm not sure if I want to apply it in this form. While it might fit your unknown use case it might be insufficient for other use cases, for example because it only provides the leaf certificate but not any intermediate certificates the client might have sent. And even this might not be enough if one likes to add OCSP checks or similar. Could you please detail your specific use case so that I could include it in a possible change?

Regards,
Steffen
Subject: RE: [rt.cpan.org #120039] Net::SIP::SocketPool does not pass certificate to 'receive' callback
Date: Tue, 31 Jan 2017 09:22:04 +0000
To: "bug-Net-SIP [...] rt.cpan.org" <bug-Net-SIP [...] rt.cpan.org>
From: Richard Carver <richard.carver [...] cloudmont.co.uk>
You make a good point about the intermediate certificates.

My application sits between 2 systems that don't want to talk to each other, reformatting SIP packets from each so they are acceptable to the other. Both systems use the same sip domain so I cannot route based on URI. I cannot use IP addresses to determine which system is which as one does not publish a list of their IP addresses and they can change without warning. However the systems do use SSL with client certificates so I can use the subject in the client certificate to determine the source, log and drop unwanted packets, and route authorized packets to the other system.

My immediate requirement is therefore just for the CN. This is what I am using in my application based on the patch I submitted:

    my $cn = Net::SSLeay::X509_NAME_get_text_by_NID(
        Net::SSLeay::X509_get_subject_name( $from->{cert} ),
        Net::SSLeay::NID_commonName() );
The next version will include the socket object in the callback so that any information like the leaf certificate or the chain certificates can be queried from this object. See commit def93d51.
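The routing logic the reporter describes, as an added example that is not part of Net::SIP or of the reporter's application: a 'receive' callback policy that forwards by the CN of the client certificate, drops packets from unknown CNs, and tolerates TLS connections where no client certificate was presented. It assumes the 'from' hash carries `addr`, `port` and `proto` keys (as produced by Net::SIP::Util's ip_sockaddr2parts plus the `proto` shown in the patch) and, following the maintainer's note that the next version passes the socket object, assumes that object arrives under a key named `socket` (the key name is an assumption; the ticket does not name it). The CN lookup is passed in as a function so the policy can be exercised offline with constructed input; the real lookup uses IO::Socket::SSL's `peer_certificate('cn')` and, where the whole chain matters, `peer_certificates`. The CNs and addresses are constructed placeholders.

```perl
#!/usr/bin/perl
# Added example (not Net::SIP code): route SIP packets by client-cert CN.
use strict;
use warnings;

# Permitted client-certificate CNs and the system each one belongs to.
# Both CNs are constructed placeholders for this example.
my %ROUTE_BY_CN = (
    'sip-gw.system-a.example' => 'system_a',
    'sip-gw.system-b.example' => 'system_b',
);

# Decide what to do with a packet given the 'from' hash the SocketPool
# passes to the 'receive' callback. $cn_of returns the peer's CN, or undef
# when the client presented no certificate; it is a parameter so the policy
# can be tested without a live TLS socket.
# Returns a two-element list: ('forward', target) or ('drop', reason).
sub route_packet {
    my ($from, $cn_of) = @_;
    return (drop => 'not tls') unless ($from->{proto} // '') eq 'tls';
    my $cn = $cn_of->($from);
    return (drop => 'no client certificate') unless defined $cn;
    my $target = $ROUTE_BY_CN{$cn}
        or return (drop => "unknown client CN '$cn'");
    return (forward => $target);
}

# CN lookup against a real connection. Assumes the IO::Socket::SSL object
# is handed to the callback in the 'from' hash under a 'socket' key (an
# assumption; the ticket only says the socket object will be included).
sub cn_from_socket {
    my ($from) = @_;
    my $sock = $from->{socket} or return undef;
    return undef unless $sock->can('peer_certificate');
    # Chain validity was already checked by IO::Socket::SSL according to
    # SSL_verify_mode; this only reads the leaf's CN. peer_certificate('cn')
    # returns undef when the client sent no certificate. If intermediates
    # matter to the policy (the maintainer's point), $sock->peer_certificates
    # returns the whole chain the client sent, leaf first.
    return $sock->peer_certificate('cn');
}

# Constructed 'from' hashes standing in for what SocketPool would pass,
# each paired with a stub CN lookup standing in for cn_from_socket.
my @samples = (
    [ { addr => '192.0.2.10', port => 5061, proto => 'tls' },
      sub { 'sip-gw.system-a.example' } ],   # known system -> forward
    [ { addr => '192.0.2.11', port => 5061, proto => 'tls' },
      sub { 'rogue.example' } ],             # valid cert, unknown CN -> drop
    [ { addr => '192.0.2.12', port => 5061, proto => 'tls' },
      sub { undef } ],                       # TLS but no client cert -> drop
    [ { addr => '192.0.2.13', port => 5060, proto => 'tcp' },
      sub { 'sip-gw.system-a.example' } ],   # plain TCP -> drop
);

for my $s (@samples) {
    my ($from, $cn_of) = @$s;
    my ($action, $detail) = route_packet($from, $cn_of);
    printf "%s:%d/%s -> %s (%s)\n",
        $from->{addr}, $from->{port}, $from->{proto}, $action, $detail;
}
```

In a real deployment `route_packet($from, \&cn_from_socket)` would be called from the 'receive' callback, and the `drop` reason is what gets logged; keeping the policy separate from the socket access is what makes the undef-certificate and non-TLS paths testable without standing up a TLS listener.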