
Commit e495020

Validate only TLS cert validity, not the hostname. (#462)
1 parent 9b1f061 commit e495020


2 files changed

+52
-0
lines changed


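--- a/pkg/sip/service.go
+++ b/pkg/sip/service.go
@@ -240,6 +240,7 @@ func (s *Service) Start() error {
 Certificates: certs,
 KeyLogWriter: keyLog,
 }
+ConfigureTLS(tlsConf)
 opts = append(opts, sipgo.WithUserAgenTLSConfig(tlsConf))
 }
 ua, err := sipgo.NewUA(opts...)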
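Review bot: The new `ConfigureTLS(tlsConf)` call gives no hint at the call site that it sets InsecureSkipVerify and replaces hostname checking with a chain-only check, which a reader of Start() will not expect from a function with that name. A one-line comment above the call would make the trade-off visible where the config is built: `// SIP peers are usually addressed by IP, so ConfigureTLS verifies the chain but not the server name.` If the same tlsConf is also handed to a listener through sipgo, the chain-only check applies on that side as well; whether it is cannot be seen in this hunk. Start() begins and ends outside the hunk.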

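--- /dev/null
+++ b/pkg/sip/tls.go
@@ -0,0 +1,51 @@
+// Copyright 2025 LiveKit, Inc.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package sip
+
+import (
+"crypto/tls"
+"crypto/x509"
+"errors"
+)
+
+func ConfigureTLS(c *tls.Config) {
+// We can't use default cert verification, because SIP headers usually specify IP address instead of a hostname.
+// At least, we could validate certificate chain using VerifyPeerCertificate and ignore the server name for now.
+//
+// Code from crypto/tls.Conn.verifyServerCertificate.
+c.InsecureSkipVerify = true
+c.VerifyPeerCertificate = func(certificates [][]byte, verifiedChains [][]*x509.Certificate) error {
+certs := make([]*x509.Certificate, len(certificates))
+for i, asn1Data := range certificates {
+cert, err := x509.ParseCertificate(asn1Data)
+if err != nil {
+return errors.New("failed to parse certificate from server: " + err.Error())
+}
+certs[i] = cert
+}
+opts := x509.VerifyOptions{
+Roots: c.RootCAs,
+Intermediates: x509.NewCertPool(),
+}
+for _, cert := range certs[1:] {
+opts.Intermediates.AddCert(cert)
+}
+_, err := certs[0].Verify(opts)
+if err != nil {
+return err
+}
+return nil
+}
+}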
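Review bot: The callback indexes `certs[0]` without checking that the peer sent any certificate, so an empty `certificates` slice — which crypto/tls passes to VerifyPeerCertificate on a server whose ClientAuth is RequestClientCert or VerifyClientCertIfGiven and whose client presents nothing — panics inside the handshake instead of returning an error. A guard before the parse loop closes that: `if len(certificates) == 0 { return errors.New("tls: no certificate from peer") }`. Whether this config is ever installed on a listener is not visible here, but a callback set on a shared tls.Config should not depend on it. The comment says the body was taken from crypto/tls.Conn.verifyServerCertificate, yet the `x509.VerifyOptions` here carries neither a `CurrentTime` derived from `c.Time` nor a `DNSName`; dropping DNSName is the intent and should be stated, while dropping the time source means a caller that sets `c.Time` silently gets wall-clock validity checks. The exported function also lacks a doc comment, e.g. `// ConfigureTLS makes c verify the peer's certificate chain against c.RootCAs (or the system roots when nil) but not the server name, which SIP peers usually give as an IP address; it sets InsecureSkipVerify and replaces any existing VerifyPeerCertificate.`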
