Bug #1258
CSipSimple cannot verify SSL certificates
| Status: | Resolved | Start date: | 05/06/2013 |
|---|---|---|---|
| Priority: | High | Due date: | |
| Assignee: | lee | % Done: | 0% |
| Category: | - | Spent time: | - |
| Target version: | - | | |
| Component: | | | |
Description
Regardless of whether the setting to verify the server certificate is checked, CSipSimple is not capable of verifying any server's certificate chain. Rather, if the verify option is checked, all accounts registered with SSL will time out, making it appear that the server is offline. But since adding a valid SSL certificate for ostel.co that is signed by GeoTrust, Jitsi no longer gives a certificate warning in the same conditions. So this is definitely a CSipSimple bug.
History
#1 Updated by lee over 4 years ago
- File CSipSimple Error-Log report added
I verified that the top level certificate for ostel.co is in the Android default CA certificate store by checking the serial number on two different systems. The signature is valid and the intermediary certificate is signed by the root level so any client that supports certification verification should check this out. Attached is a debug session for an account on ostel.co with verification enabled.
Search the logs for libpjsip.
#2 Updated by lee over 4 years ago
- Priority changed from Normal to High
It looks like pjsip is much like Kamailio's tls module.
http://www.pjsip.org/docs/2.0-alpha2/pjsip/docs/html/structpjsip__tls__setting.htm
I'm gonna concat all the CA certificates in the debian package into a single .pem file and see if that works.
#3 Updated by lee over 4 years ago
- Status changed from In Progress to Feedback
INDEED! Exact same interface as Kamailio. This is the "great" thing about a SIP "user agent" functioning as both a client and a server ALL IN ONE!
http://kamailio.org/docs/modules/3.1.x/modules/tls.html#ca_list
I concatenated all the files in the Debian ca-certificates package into a single file, copied it to the external SD card and manually typed in the path to that file in CSipSimple. Checking the verify server certificate box and registering now functions as expected.
This does not scale. It's low-hanging fruit for CSipSimple since the concatenated list is under a meg and open source, so it's possible to include it in the data directory of CSipSimple and have the path set automatically.
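The workaround described in the comment above, as an added example that is not part of the original thread or of CSipSimple: a shell function (hypothetical name `build_ca_bundle`) that concatenates per-CA PEM files into one CA list file and refuses to write a bundle whose PEM markers do not balance. The source directory `/usr/share/ca-certificates` in the usage comment is an assumption about where the Debian package's files are installed.

```shell
#!/bin/sh
# Added example (not from the ticket): build a single PEM CA list file.
# Usage: sh build_ca_bundle.sh /usr/share/ca-certificates ca-bundle.pem
#        (source path is an assumption; output name is arbitrary)

# build_ca_bundle SRC_DIR OUT_FILE
# Prints the number of certificates written; returns non-zero on failure.
build_ca_bundle() {
    src_dir=$1
    out_file=$2
    tmp="$out_file.tmp.$$"
    : > "$tmp" || return 1

    # Recurse, because the package keeps its files in subdirectories.
    find "$src_dir" -type f \( -name '*.crt' -o -name '*.pem' \) |
    LC_ALL=C sort |
    while IFS= read -r f; do
        # Copy only the PEM blocks. awk re-terminates every line, so a file
        # with no trailing newline cannot fuse its END marker with the next
        # file's BEGIN marker (plain `cat` would). CRLF endings are stripped.
        awk '/^-----BEGIN CERTIFICATE-----/ { inside = 1 }
             inside { sub(/\r$/, ""); print }
             /^-----END CERTIFICATE-----/ { inside = 0 }' "$f" >> "$tmp"
    done

    # grep -c exits 1 on a zero count; "|| true" keeps that from aborting.
    begins=$(grep -c '^-----BEGIN CERTIFICATE-----$' "$tmp" || true)
    ends=$(grep -c '^-----END CERTIFICATE-----$' "$tmp" || true)

    # Fail closed: an empty or unbalanced bundle is never installed.
    if [ "$begins" -eq 0 ] || [ "$begins" -ne "$ends" ]; then
        rm -f "$tmp"
        echo "no usable certificates, or unbalanced PEM markers" >&2
        return 1
    fi

    mv "$tmp" "$out_file" || return 1
    echo "$begins"
}

# Run only when called with both arguments.
if [ "$#" -eq 2 ]; then
    build_ca_bundle "$1" "$2"
fi
```

The function checks PEM framing only; it does not parse or validate the certificates themselves.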
#4 Updated by abeluck over 4 years ago
I'm confused, what is the root problem in CSip? Does it not recognize the root CA? Or an intermediary?
#5 Updated by lee over 4 years ago
abeluck wrote:
> I'm confused, what is the root problem in CSip? Does it not recognize the root CA? Or an intermediary?
The problem is CSipSimple bypasses the Android system's root CA certificates. This means by default there are zero CA certificates available to validate server certificates. Adding the file in this issue to device local storage and setting the configuration will offer some CA certificates to use.
#6 Updated by lee over 4 years ago
- Status changed from Feedback to Resolved
It looks like this process works for now. It's good enough and there are some possibilities to improve it in another ticket.