Issue 157 in jain-sip: ClientAuthType.DisabledAll should only control local cert validation

Tue, 10 Mar 2015 06:43:39 -0700 

Status: New
Owner: ----
Labels: Priority-Medium
New issue 157 by [email protected]: ClientAuthType.DisabledAll should only control local cert validation 
https://code.google.com/p/jain-sip/issues/detail?id=157

What steps will reproduce the problem?
1. Set TLS_CLIENT_AUTH_TYPE=DisabledAll to disable cert validation on a sip app 
2.  Configure the app with keystore containing valid certificate and key.
3.  Leave cert validation enabled on remote peer.
4.  Test mutual TLS between the two.

What is the expected output? What do you see instead?
Expect certificate validation at the remote peer to fail or succeed based only on the validity of certificate provided in step 2. Instead, validation fails at remote peer due to "null certificate chain". 

What version of the product are you using? On what operating system?
1.2.231

Please provide any additional information below.
In SslNetworkLayer.java, ClientAuthType.DisabledAll appears to assume the remote peer will also be set to DisabledAll. Instead, it should only impact local cert validation decisions and allow the remote peer config to do its own thing. 

--- a/src/gov/nist/core/net/SslNetworkLayer.java
+++ b/src/gov/nist/core/net/SslNetworkLayer.java
@@ -122,7 +122,7 @@ public class SslNetworkLayer implements NetworkLayer {
                 logger.logDebug(
"ClientAuth " + sipStack.getClientAuth() + " bypassing all cert validations"); 
             }
-               sslContext.init(null, trustAllCerts, secureRandom);
+ sslContext.init(kmFactory.getKeyManagers(), trustAllCerts, secureRandom);^M 
         } else {
                if (logger.isLoggingEnabled(LogWriter.TRACE_DEBUG)) {
                 logger.logDebug(


--
You received this message because this project is configured to send all issue notifications to this address. 
You may adjust your notification preferences at:
https://code.google.com/hosting/settings

--
--- You received this message because you are subscribed to the Google Groups "mobicents-all-issues-changes" group. 
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
For more options, visit https://groups.google.com/d/optout.

Reply via email to