Commit 9e053207 authored by Guillaume Roguez's avatar Guillaume Roguez

tls: revert anonymous certificate exchange

If an encrypted packet used during the encrypted
handshake steps to initialize a secure channel with a peer
is re-ordered by the network, gnutls is not able to
process the handshake correctly.
This prevents any calls from being established
(the SIP channel goes over such a connection).

This patch reverts the anonymous handshake to leave only
the non-encrypted certificate exchange system.
This is less anonymous as certificates are exchanged in
plain-text format.

The revert consists of adding an option to enable or disable the
anonymous certificate exchange. This option is set to false
(not enabled) by default.

Now, TLS 1.3 should resolve this situation.
So it's not a definitive patch.

Change-Id: I3214efae1b69e44967a67a628cc690d8e95c9e40
Tuleap: #572
parent 8ea35fbb
...@@ -149,11 +149,12 @@ private: ...@@ -149,11 +149,12 @@ private:
}; };
TlsSession::TlsSession(std::shared_ptr<IceTransport> ice, int ice_comp_id, TlsSession::TlsSession(std::shared_ptr<IceTransport> ice, int ice_comp_id,
const TlsParams& params, const TlsSessionCallbacks& cbs) const TlsParams& params, const TlsSessionCallbacks& cbs, bool anonymous)
: socket_(new IceSocket(ice, ice_comp_id)) : socket_(new IceSocket(ice, ice_comp_id))
, isServer_(not ice->isInitiator()) , isServer_(not ice->isInitiator())
, params_(params) , params_(params)
, callbacks_(cbs) , callbacks_(cbs)
, anonymous_(anonymous)
, cacred_(nullptr) , cacred_(nullptr)
, sacred_(nullptr) , sacred_(nullptr)
, xcred_(nullptr) , xcred_(nullptr)
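Review bot: the new `anonymous` parameter is stored but the chosen mode is never made visible at runtime, which matters for a change whose whole purpose is to work around a handshake failure that only shows up under packet re-ordering; consider logging the mode once in the constructor or in handleStateSetup next to the existing `RING_DBG("[TLS] Start %s DTLS session", typeName());` so support logs show whether a session ran the anonymous or the plaintext certificate exchange.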
...@@ -295,6 +296,7 @@ TlsSession::commonSessionInit() ...@@ -295,6 +296,7 @@ TlsSession::commonSessionInit()
{ {
int ret; int ret;
if (anonymous_) {
// Force anonymous connection, see handleStateHandshake how we handle failures // Force anonymous connection, see handleStateHandshake how we handle failures
ret = gnutls_priority_set_direct(session_, TLS_FULL_PRIORITY_STRING, nullptr); ret = gnutls_priority_set_direct(session_, TLS_FULL_PRIORITY_STRING, nullptr);
if (ret != GNUTLS_E_SUCCESS) { if (ret != GNUTLS_E_SUCCESS) {
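Review bot: the comment kept inside the new `if (anonymous_) {` branch, "see handleStateHandshake how we handle failures", points at failure handling that this patch does not touch; since the anonymous priority string is now only applied conditionally, check whether handleStateHandshake's failure path also needs an `anonymous_` guard, otherwise a handshake failure in the certificate mode may be handled as if the anonymous exchange had been attempted.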
...@@ -312,6 +314,14 @@ TlsSession::commonSessionInit() ...@@ -312,6 +314,14 @@ TlsSession::commonSessionInit()
RING_ERR("[TLS] anonymous credential set failed: %s", gnutls_strerror(ret)); RING_ERR("[TLS] anonymous credential set failed: %s", gnutls_strerror(ret));
return false; return false;
} }
} else {
// Use a classic non-encrypted CERTIFICATE exchange method (less anonymous)
ret = gnutls_priority_set_direct(session_, TLS_CERT_PRIORITY_STRING, nullptr);
if (ret != GNUTLS_E_SUCCESS) {
RING_ERR("[TLS] TLS priority set failed: %s", gnutls_strerror(ret));
return false;
}
}
// Add certificate credentials // Add certificate credentials
ret = gnutls_credentials_set(session_, GNUTLS_CRD_CERTIFICATE, *xcred_); ret = gnutls_credentials_set(session_, GNUTLS_CRD_CERTIFICATE, *xcred_);
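Review bot: the `else` branch duplicates the `gnutls_priority_set_direct` call and its error check from the anonymous branch, differing only in the priority string and in the error message ("TLS priority set failed" versus the anonymous branch's wording); selecting the string first and keeping a single call, for example `const char* prio = anonymous_ ? TLS_FULL_PRIORITY_STRING : TLS_CERT_PRIORITY_STRING;` followed by one `gnutls_priority_set_direct(session_, prio, nullptr);`, would remove the duplication and give one consistent log line. `TLS_CERT_PRIORITY_STRING` does not appear elsewhere in this diff, so please confirm it is defined and note in the commit which cipher suites it selects, as it is what peers now negotiate by default.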
...@@ -532,6 +542,7 @@ TlsSession::handleStateSetup(UNUSED TlsSessionState state) ...@@ -532,6 +542,7 @@ TlsSession::handleStateSetup(UNUSED TlsSessionState state)
RING_DBG("[TLS] Start %s DTLS session", typeName()); RING_DBG("[TLS] Start %s DTLS session", typeName());
try { try {
if (anonymous_)
initAnonymous(); initAnonymous();
initCredentials(); initCredentials();
} catch (const std::exception& e) { } catch (const std::exception& e) {
......
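Review bot: the brace-less `if (anonymous_)` directly followed by `initAnonymous();` and then `initCredentials();` at the same indentation is easy to misread as both calls being conditional; wrapping the conditional call in braces (`if (anonymous_) { initAnonymous(); }`) makes it unambiguous that initCredentials() always runs.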
...@@ -132,7 +132,7 @@ public: ...@@ -132,7 +132,7 @@ public:
}; };
TlsSession(std::shared_ptr<IceTransport> ice, int ice_comp_id, const TlsParams& params, TlsSession(std::shared_ptr<IceTransport> ice, int ice_comp_id, const TlsParams& params,
const TlsSessionCallbacks& cbs); const TlsSessionCallbacks& cbs, bool anonymous=false);
~TlsSession(); ~TlsSession();
// Returns the TLS session type ('server' or 'client') // Returns the TLS session type ('server' or 'client')
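Review bot: the `bool anonymous=false` default silently switches every existing caller to the plaintext certificate exchange, and the commit message describes this as a temporary measure pending TLS 1.3; a short comment on the parameter stating that `false` exchanges certificates in clear and that the option is expected to be removed later would document that trade-off where callers will actually see it, in the same style as the `// Returns the TLS session type` comment below.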
...@@ -165,6 +165,7 @@ private: ...@@ -165,6 +165,7 @@ private:
const bool isServer_; const bool isServer_;
const TlsParams params_; const TlsParams params_;
const TlsSessionCallbacks callbacks_; const TlsSessionCallbacks callbacks_;
const bool anonymous_;
// State machine // State machine
TlsSessionState handleStateSetup(TlsSessionState state); TlsSessionState handleStateSetup(TlsSessionState state);
......
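Review bot: `const bool anonymous_;` is declared after `callbacks_`, matching its position in the constructor initializer list in the implementation hunk, so initialization order is consistent; a one-line comment on the member (what `true` and `false` select) would help, since the other members in this block are self-describing and this one changes the security properties of the session.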