add new tests in Flexisip suite in order to test that flexisip properly accept and reject clients using TLS client based authentication.

coreapi/linphonecore.c

@@ -2251,7 +2251,7 @@ void linphone_core_set_rtp_no_xmit_on_audio_mute(LinphoneCore *lc,bool_t rtp_no_
 
 /**
  * Sets the UDP port used for audio streaming.
- * A value if -1 will request the system to allocate the local port randomly.
+ * A value of -1 will request the system to allocate the local port randomly.
  * This is recommended in order to avoid firewall warnings.
  *
  * @ingroup network_parameters
@@ -2273,7 +2273,7 @@ void linphone_core_set_audio_port_range(LinphoneCore *lc, int min_port, int max_
 
 /**
  * Sets the UDP port used for video streaming.
- * A value if -1 will request the system to allocate the local port randomly.
+ * A value of -1 will request the system to allocate the local port randomly.
  * This is recommended in order to avoid firewall warnings.
  *
  * @ingroup network_parameters

tester/certificates/client/cert2-signed-by-other-ca.pem

@@ -0,0 +1,90 @@
+Certificate:
+    Data:
+        Version: 1 (0x0)
+        Serial Number: 4096 (0x1000)
+    Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C=FR, ST=France, L=Grenoble, O=Belledonne Communications, CN=Belledonne Communications unofficial rootca
+        Validity
+            Not Before: Nov 17 11:33:46 2016 GMT
+            Not After : Nov 27 11:33:46 2017 GMT
+        Subject: C=FR, ST=Some-State, L=Lorien, O=Internet Widgits Pty Ltd, CN=sip:galadrielle@sip.example.org
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (2048 bit)
+                Modulus:
+                    00:ae:3c:ab:f2:34:4b:dd:3e:96:b4:0f:76:61:5f:
+                    59:dd:d0:93:6f:05:04:a2:2e:f7:f5:2f:65:35:02:
+                    f5:6f:ed:dd:46:bb:72:3e:7c:47:b5:37:15:1d:1d:
+                    90:a7:dc:0f:bf:cc:a8:58:43:86:fb:b8:c7:7e:13:
+                    7f:05:09:47:6b:bf:a1:d1:76:7d:7a:d3:09:3a:46:
+                    78:22:08:49:cd:02:8d:80:10:ee:d1:18:3c:e4:df:
+                    50:be:05:80:88:56:c3:d4:36:2c:05:5d:57:07:9a:
+                    4a:13:99:7f:46:d9:0b:dd:81:51:29:bd:8e:3a:55:
+                    b2:33:f2:e6:3e:1c:ce:f9:2f:80:68:ca:5a:78:c5:
+                    e1:27:4a:b4:0b:65:9b:24:ee:df:8c:16:f0:74:dc:
+                    fe:a5:9f:52:5a:a1:f9:09:1d:47:00:d9:8a:84:72:
+                    e2:19:7b:cb:cd:62:b3:44:e3:4f:cf:9b:1c:a1:bc:
+                    70:d3:e0:10:8b:f2:51:28:91:84:61:92:56:03:3a:
+                    2c:bf:11:8d:b6:4b:c8:4f:1c:e7:75:54:b9:cd:f3:
+                    d5:be:6b:af:6e:9f:ca:77:45:44:5c:55:6a:23:49:
+                    e0:52:fc:30:3d:a9:a8:66:f1:d8:d0:a8:5b:97:3c:
+                    a7:de:70:db:7b:85:c1:f5:8e:54:3c:f8:0f:3a:9f:
+                    36:2d
+                Exponent: 65537 (0x10001)
+    Signature Algorithm: sha256WithRSAEncryption
+         4a:f6:1f:8c:a8:fa:f6:ed:85:14:2c:12:14:69:7c:ec:ff:17:
+         57:e5:bd:a6:e1:50:7e:38:01:d7:a9:92:7c:e2:43:03:f7:7f:
+         53:f9:6a:de:bf:55:7b:62:45:fc:55:35:20:8f:6c:b5:83:a6:
+         30:56:84:ba:b0:cb:df:1e:6f:e2:ca:8a:9c:94:96:5a:c0:fa:
+         18:67:b4:e3:6b:87:09:2a:8e:e2:d3:69:cc:67:9d:ba:e3:48:
+         f7:1c:81:72:90:c8:8c:24:ff:90:be:14:50:6a:f4:1f:5b:66:
+         91:5c:06:ff:fc:5a:53:22:e8:fe:86:38:92:82:18:87:2d:0c:
+         78:90:4a:7a:92:3e:48:43:28:20:83:fa:6f:35:e3:b8:54:e9:
+         f7:a7:91:fd:63:fa:13:0b:31:45:5c:69:33:56:c3:7e:f9:b5:
+         57:f4:b9:3a:cb:7c:71:1f:dd:a1:0c:77:fc:f9:69:34:a1:7e:
+         2b:a6:05:cd:b9:c9:bb:68:f0:c6:72:54:34:42:94:4d:3f:c6:
+         d7:86:8b:da:d5:2a:31:28:80:6c:84:3b:60:ce:e4:4d:5a:53:
+         4d:b7:31:df:98:d0:d6:7c:c0:36:f3:fd:7c:a0:da:12:ee:9c:
+         1a:83:c9:62:22:ad:5b:92:7c:70:c2:49:92:05:87:ee:02:f9:
+         23:a7:55:86:65:86:96:53:7e:91:8a:2c:0f:18:9a:34:0f:29:
+         8c:0d:0e:4d:28:62:7b:65:ed:62:b8:d0:bf:13:5f:e6:a9:4f:
+         d6:9c:20:73:2c:b6:28:90:10:c3:20:30:15:14:68:27:64:ee:
+         74:2a:01:9d:ea:17:b8:f0:d9:d0:ee:61:f2:de:37:a4:c8:24:
+         96:3f:60:6a:51:9c:03:9a:12:c4:d1:72:0e:40:46:2e:82:a7:
+         7d:51:df:8e:3b:dd:73:83:31:cd:93:4e:64:ca:9b:6a:e8:2f:
+         b5:6c:3f:e5:b1:6a:d8:fd:26:7b:4c:84:64:56:11:de:7a:de:
+         d2:77:7f:ce:98:eb:04:58:4b:15:9b:29:5a:71:fa:a8:50:72:
+         b7:28:70:a2:77:20:ad:56:34:ab:69:27:47:87:09:67:f6:e1:
+         a3:66:d8:fc:4f:00:7c:8e:c1:65:c3:c5:8c:ef:2b:d1:a4:90:
+         ef:ea:5e:9a:ca:8b:95:44:92:60:a1:f8:0e:e8:2d:ca:b1:07:
+         57:23:b5:c6:e6:09:00:ac:7b:6f:fa:23:da:35:29:5f:26:78:
+         b1:04:64:0c:c6:96:41:4e:da:82:fd:2c:dd:5b:43:24:e0:ef:
+         1f:a0:8e:41:7d:b6:71:49:96:29:8e:67:aa:53:30:f6:4e:10:
+         56:26:43:72:fd:06:27:fb
+-----BEGIN CERTIFICATE-----
+MIIEgjCCAmoCAhAAMA0GCSqGSIb3DQEBCwUAMIGLMQswCQYDVQQGEwJGUjEPMA0G
+A1UECAwGRnJhbmNlMREwDwYDVQQHDAhHcmVub2JsZTEiMCAGA1UECgwZQmVsbGVk
+b25uZSBDb21tdW5pY2F0aW9uczE0MDIGA1UEAwwrQmVsbGVkb25uZSBDb21tdW5p
+Y2F0aW9ucyB1bm9mZmljaWFsIHJvb3RjYTAeFw0xNjExMTcxMTMzNDZaFw0xNzEx
+MjcxMTMzNDZaMIGAMQswCQYDVQQGEwJGUjETMBEGA1UECAwKU29tZS1TdGF0ZTEP
+MA0GA1UEBwwGTG9yaWVuMSEwHwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBM
+dGQxKDAmBgNVBAMMH3NpcDpnYWxhZHJpZWxsZUBzaXAuZXhhbXBsZS5vcmcwggEi
+MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCuPKvyNEvdPpa0D3ZhX1nd0JNv
+BQSiLvf1L2U1AvVv7d1Gu3I+fEe1NxUdHZCn3A+/zKhYQ4b7uMd+E38FCUdrv6HR
+dn160wk6RngiCEnNAo2AEO7RGDzk31C+BYCIVsPUNiwFXVcHmkoTmX9G2QvdgVEp
+vY46VbIz8uY+HM75L4Boylp4xeEnSrQLZZsk7t+MFvB03P6ln1JaofkJHUcA2YqE
+cuIZe8vNYrNE40/PmxyhvHDT4BCL8lEokYRhklYDOiy/EY22S8hPHOd1VLnN89W+
+a69un8p3RURcVWojSeBS/DA9qahm8djQqFuXPKfecNt7hcH1jlQ8+A86nzYtAgMB
+AAEwDQYJKoZIhvcNAQELBQADggIBAEr2H4yo+vbthRQsEhRpfOz/F1flvabhUH44
+AdepknziQwP3f1P5at6/VXtiRfxVNSCPbLWDpjBWhLqwy98eb+LKipyUllrA+hhn
+tONrhwkqjuLTacxnnbrjSPccgXKQyIwk/5C+FFBq9B9bZpFcBv/8WlMi6P6GOJKC
+GIctDHiQSnqSPkhDKCCD+m8147hU6fenkf1j+hMLMUVcaTNWw375tVf0uTrLfHEf
+3aEMd/z5aTShfiumBc25ybto8MZyVDRClE0/xteGi9rVKjEogGyEO2DO5E1aU023
+Md+Y0NZ8wDbz/Xyg2hLunBqDyWIirVuSfHDCSZIFh+4C+SOnVYZlhpZTfpGKLA8Y
+mjQPKYwNDk0oYntl7WK40L8TX+apT9acIHMstiiQEMMgMBUUaCdk7nQqAZ3qF7jw
+2dDuYfLeN6TIJJY/YGpRnAOaEsTRcg5ARi6Cp31R34473XODMc2TTmTKm2roL7Vs
+P+Wxatj9JntMhGRWEd563tJ3f86Y6wRYSxWbKVpx+qhQcrcocKJ3IK1WNKtpJ0eH
+CWf24aNm2PxPAHyOwWXDxYzvK9GkkO/qXprKi5VEkmCh+A7oLcqxB1cjtcbmCQCs
+e2/6I9o1KV8meLEEZAzGlkFO2oL9LN1bQyTg7x+gjkF9tnFJlimOZ6pTMPZOEFYm
+Q3L9Bif7
+-----END CERTIFICATE-----

tester/certificates/client/cert2.pem

@@ -0,0 +1,74 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 13 (0xd)
+    Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C=FR, ST=Some-State, L=Grenoble, O=Belledonne Communications, OU=LAB, CN=Jehan Monnier/emailAddress=jehan.monnier@belledonne-communications.com
+        Validity
+            Not Before: Nov 17 11:09:48 2016 GMT
+            Not After : Nov 17 11:09:48 2017 GMT
+        Subject: C=FR, ST=Some-State, L=Lorien, O=Internet Widgits Pty Ltd, CN=sip:galadrielle@sip.example.org
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (2048 bit)
+                Modulus:
+                    00:ae:3c:ab:f2:34:4b:dd:3e:96:b4:0f:76:61:5f:
+                    59:dd:d0:93:6f:05:04:a2:2e:f7:f5:2f:65:35:02:
+                    f5:6f:ed:dd:46:bb:72:3e:7c:47:b5:37:15:1d:1d:
+                    90:a7:dc:0f:bf:cc:a8:58:43:86:fb:b8:c7:7e:13:
+                    7f:05:09:47:6b:bf:a1:d1:76:7d:7a:d3:09:3a:46:
+                    78:22:08:49:cd:02:8d:80:10:ee:d1:18:3c:e4:df:
+                    50:be:05:80:88:56:c3:d4:36:2c:05:5d:57:07:9a:
+                    4a:13:99:7f:46:d9:0b:dd:81:51:29:bd:8e:3a:55:
+                    b2:33:f2:e6:3e:1c:ce:f9:2f:80:68:ca:5a:78:c5:
+                    e1:27:4a:b4:0b:65:9b:24:ee:df:8c:16:f0:74:dc:
+                    fe:a5:9f:52:5a:a1:f9:09:1d:47:00:d9:8a:84:72:
+                    e2:19:7b:cb:cd:62:b3:44:e3:4f:cf:9b:1c:a1:bc:
+                    70:d3:e0:10:8b:f2:51:28:91:84:61:92:56:03:3a:
+                    2c:bf:11:8d:b6:4b:c8:4f:1c:e7:75:54:b9:cd:f3:
+                    d5:be:6b:af:6e:9f:ca:77:45:44:5c:55:6a:23:49:
+                    e0:52:fc:30:3d:a9:a8:66:f1:d8:d0:a8:5b:97:3c:
+                    a7:de:70:db:7b:85:c1:f5:8e:54:3c:f8:0f:3a:9f:
+                    36:2d
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Basic Constraints: 
+                CA:FALSE
+            Netscape Comment: 
+                OpenSSL Generated Certificate
+            X509v3 Subject Key Identifier: 
+                33:D0:36:5B:62:9B:1C:4D:31:47:9E:C0:91:41:E3:AE:29:61:AB:DB
+            X509v3 Authority Key Identifier: 
+                keyid:06:5F:5D:C7:16:AF:62:F8:2D:6E:71:03:88:A0:D6:1D:2B:04:7F:BA
+
+    Signature Algorithm: sha256WithRSAEncryption
+         ba:a1:0a:7e:8e:a6:1e:e8:3d:5f:da:28:a6:57:3e:cb:50:79:
+         06:8f:19:1b:df:b0:d2:e6:12:1f:ef:a2:bd:de:40:07:e2:5d:
+         3d:64:41:34:10:24:3c:85:62:8e:69:0c:99:89:b7:ce:a4:f6:
+         08:6d:37:8a:51:98:bd:46:b7:1b:dd:b2:ba:f7:f4:2f:47:d5:
+         74:3f:c5:fe:95:60:b3:42:51:4f:d1:ac:ed:a4:c6:f6:16:f3:
+         49:b6:8d:64:7f:76:e1:95:5e:ef:eb:46:4b:d7:a5:59:1d:0d:
+         ba:c5:07:5f:c3:db:2e:40:aa:6e:34:0c:1a:1d:4b:72:e3:ac:
+         61:b5
+-----BEGIN CERTIFICATE-----
+MIIDsjCCAxugAwIBAgIBDTANBgkqhkiG9w0BAQsFADCBuzELMAkGA1UEBhMCRlIx
+EzARBgNVBAgMClNvbWUtU3RhdGUxETAPBgNVBAcMCEdyZW5vYmxlMSIwIAYDVQQK
+DBlCZWxsZWRvbm5lIENvbW11bmljYXRpb25zMQwwCgYDVQQLDANMQUIxFjAUBgNV
+BAMMDUplaGFuIE1vbm5pZXIxOjA4BgkqhkiG9w0BCQEWK2plaGFuLm1vbm5pZXJA
+YmVsbGVkb25uZS1jb21tdW5pY2F0aW9ucy5jb20wHhcNMTYxMTE3MTEwOTQ4WhcN
+MTcxMTE3MTEwOTQ4WjCBgDELMAkGA1UEBhMCRlIxEzARBgNVBAgMClNvbWUtU3Rh
+dGUxDzANBgNVBAcMBkxvcmllbjEhMB8GA1UECgwYSW50ZXJuZXQgV2lkZ2l0cyBQ
+dHkgTHRkMSgwJgYDVQQDDB9zaXA6Z2FsYWRyaWVsbGVAc2lwLmV4YW1wbGUub3Jn
+MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArjyr8jRL3T6WtA92YV9Z
+3dCTbwUEoi739S9lNQL1b+3dRrtyPnxHtTcVHR2Qp9wPv8yoWEOG+7jHfhN/BQlH
+a7+h0XZ9etMJOkZ4IghJzQKNgBDu0Rg85N9QvgWAiFbD1DYsBV1XB5pKE5l/RtkL
+3YFRKb2OOlWyM/LmPhzO+S+AaMpaeMXhJ0q0C2WbJO7fjBbwdNz+pZ9SWqH5CR1H
+ANmKhHLiGXvLzWKzRONPz5scobxw0+AQi/JRKJGEYZJWAzosvxGNtkvITxzndVS5
+zfPVvmuvbp/Kd0VEXFVqI0ngUvwwPamoZvHY0Khblzyn3nDbe4XB9Y5UPPgPOp82
+LQIDAQABo3sweTAJBgNVHRMEAjAAMCwGCWCGSAGG+EIBDQQfFh1PcGVuU1NMIEdl
+bmVyYXRlZCBDZXJ0aWZpY2F0ZTAdBgNVHQ4EFgQUM9A2W2KbHE0xR57AkUHjrilh
+q9swHwYDVR0jBBgwFoAUBl9dxxavYvgtbnEDiKDWHSsEf7owDQYJKoZIhvcNAQEL
+BQADgYEAuqEKfo6mHug9X9ooplc+y1B5Bo8ZG9+w0uYSH++ivd5AB+JdPWRBNBAk
+PIVijmkMmYm3zqT2CG03ilGYvUa3G92yuvf0L0fVdD/F/pVgs0JRT9Gs7aTG9hbz
+SbaNZH924ZVe7+tGS9elWR0NusUHX8PbLkCqbjQMGh1LcuOsYbU=
+-----END CERTIFICATE-----

tester/certificates/client/key2.pem

@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQCuPKvyNEvdPpa0
+D3ZhX1nd0JNvBQSiLvf1L2U1AvVv7d1Gu3I+fEe1NxUdHZCn3A+/zKhYQ4b7uMd+
+E38FCUdrv6HRdn160wk6RngiCEnNAo2AEO7RGDzk31C+BYCIVsPUNiwFXVcHmkoT
+mX9G2QvdgVEpvY46VbIz8uY+HM75L4Boylp4xeEnSrQLZZsk7t+MFvB03P6ln1Ja
+ofkJHUcA2YqEcuIZe8vNYrNE40/PmxyhvHDT4BCL8lEokYRhklYDOiy/EY22S8hP
+HOd1VLnN89W+a69un8p3RURcVWojSeBS/DA9qahm8djQqFuXPKfecNt7hcH1jlQ8
++A86nzYtAgMBAAECggEAHyf8O0A8vKA/hI0rRvgs8qwkYPrNvE6XykEiYNtZlh07
+rzU/lYrVq8LgxKcPweRo8IwhIj9Y+NQu4A2ObhEds1e+EN2WTItGICSPwM4onD8z
+nE3q1nr2EJsaLhB/zmFtfRn+vyrUsChXzK9rAfk31PEV2VfrAeVnC0EJCNxP6mDX
+gAjTNN/+Elqzr8Cr7aofthaMnCWnI6JBJ0MCqaozDBreyfGkaFC+RkRxUpZQerqN
+tvcurKn0C/Q5ZcfIugvnEFa4nL/V4s+j4Kv1SWgvfi2z4eR7wyiZVT+mStMiHvg5
+JCLNli4GtFyhYzsTqUnd3S2t0unEdaFLEzJakHGjQQKBgQDdjw9UN354QS2Aiqoe
+Gu5e9nc3gi3e/dHmPyk4jKPC/cqrQ3AVrXILLjU/FHpT7OrkwoQNvI0qG39r1Akq
+hnztTqDw0HVskuWJmPmUxfdl6DIOUln7pEX4yZMreDwdEjxx/oZzbu7bhU3k7zNV
+zKv54deN78AmtVI5KzrEdvKfnQKBgQDJUnAtvDeuwE44XUU0mBoH3XdLULLaVeAl
+4vovM/8U283+wiBkASXamFimboBKe34TGH/v10hmKxBHyPCgl9ps6o9iFbPRNzOB
+kmGrTTojSOJ6u9EXvQ+wTYjzl2n/RlivIsOZRC0YXmk3n+mRPa0TGwnpxH13cEFV
+RnEUnYdT0QKBgBZXw/L5Oa7E2+LXmPo6OwmmjzUw0pFnRVCT1ANY43bZgyOsRFRb
+TmHkQghfd0qZXMK+/vQnrJCvfzUPh/Ea6ORBhqdiTkUpty4eGCUxpZZISSv6kAp5
+cXj6UvYSRPWljiTsxwBDEqFemxFYMfQYFMu5Q7STlewRYv5S5rVDTYpdAoGAG77I
+xwTRh7vpC8uO5hiwPbU/45lTjNOY+J+3axn3ZaCFWz7Vx/KAjQfB7+36sEkkru0J
+dLxuteXpcHs47mj/KVOKPzJOfd7lsk3COCGEiahZziBkSKk9qEaHQUr0yMGhJ0Hb
+QxwqOtmIFqprPiEJ4UAwtY7m27cUyfPTUcwEAoECgYBEoCn8kmRXuBoDVNPK1IPh
+vQcD0RDdtGhOrM36Pmmbky6oS37c3AV4sXOhw7aTYs4GejpeH0tX7F0hiwaZ/SqG
+WxliyHCpUxpl+LsGzdfqCa9nEPn4B27/jFYHVCiSheOfVEwjGavkO+VIZbuHXAP4
+V8rXqdmFIbiVb43P6yoMhg==
+-----END PRIVATE KEY-----

tester/flexisip/README

@@ -0,0 +1,3 @@
+flexisip.conf : is the configuration of the flexisip running on sip2.linphone.org. It has lots of IP addresses hardcoded because this machine is running multiple instances on different IP addresses.
+flexisip-generic.conf : is the same configuration without any IP address hardcoded and relative paths. It can be run on any machine from the "tester" directory of linphone.
+

tester/flexisip/flexisip-generic.conf

@@ -0,0 +1,625 @@
+##
+## This is the default Flexisip configuration file
+##
+
+##
+## Some global settings of the flexisip proxy.
+##
+[global]
+# Outputs very detailed logs
+#  Default value: false
+debug=1
+
+# Automatically respawn flexisip in case of abnormal termination
+# (crashes)
+#  Default value: true
+auto-respawn=true
+
+# List of white space separated host names pointing to this machine.
+# This is to prevent loops while routing SIP messages.
+#  Default value: localhost
+aliases=localhost sip2.linphone.org sipopen.example.org sip.example.org auth.example.org auth1.example.org auth2.example.org client.example.org sipv4.example.org sipv4-nat64.example.org
+
+# List of white space separated SIP uris where the proxy must listen.Wildcard
+# (*) can be used to mean 'all local ip addresses'. If 'transport'
+# prameter is unspecified, it will listen to both udp and tcp. An
+# local address to bind can be indicated in the 'maddr' parameter,
+# while the domain part of the uris are used as public domain or
+# ip address. Here some examples to understand:
+# * listen on all local interfaces for udp and tcp, on standart
+# port:
+# 	transports=sip:*
+# * listen on all local interfaces for udp,tcp and tls, on standart
+# ports:
+# 	transports=sip:* sips:*
+# * listen on 192.168.0.29:6060 with tls, but public hostname is
+# 'sip.linphone.org' used in SIP messages. Bind address won't appear:
+# 	transports=sips:sip.linphone.org:6060;maddr=192.168.0.29
+#  Default value: sip:*
+#transports=sip:192.168.56.101:5060  sips:192.168.56.101:5061
+
+#note: the ip addresses are explicitely specified here because the machine has several interfaces. In a simple case, using '*' instead of the explicit ip address is sufficient, 
+#and there is no need to specify the ipv6 transport addresses.
+transports=sip:* sips:*;tls-certificates-dir=certificates/cn sips:*:5062;tls-certificates-dir=certificates/altname sips:*:5063;tls-verify-incoming=1 sip:*:5064
+
+
+# An absolute path of a directory where TLS server certificate and
+# private key can be found, concatenated inside an 'agent.pem' file.
+#  Default value: /etc/flexisip/tls
+tls-certificates-dir=/etc/flexisip/tls/certificates/cn
+#tls-certificates-dir=/media/sf_workspaces/workspace-macosx/flexisip
+
+##
+## STUN server parameters.
+##
+[stun-server]
+# Enable or disable stun server.
+#  Default value: true
+enabled=true
+
+# Local ip address where to bind the socket.
+#  Default value: 0.0.0.0
+bind-address=0.0.0.0
+
+# STUN server port number.
+#  Default value: 3478
+port=3478
+
+
+
+##
+## The NatHelper module executes small tasks to make SIP work smoothly
+## despite firewalls.It corrects the Contact headers that contain
+## obviously inconsistent addresses, and adds a Record-Route to ensure
+## subsequent requests are routed also by the proxy, through the
+## UDP or TCP channel each client opened to the proxy.
+##
+[module::NatHelper]
+# Indicate whether the module is activated.
+#  Default value: true
+enabled=true
+
+# A request/response enters module if the boolean filter evaluates
+# to true. Ex: from.uri.domain contains 'sip.linphone.org', from.uri.domain
+# in 'a.org b.org c.org', (to.uri.domain in 'a.org b.org c.org')
+# && (user-agent == 'Linphone v2')
+#  Default value:
+filter=
+
+# Internal URI parameter added to response contact by first proxy
+# and cleaned by last one.
+#  Default value: verified
+contact-verified-param=verified
+
+##
+## The authentication module challenges SIP requests according to
+## a user/password database.
+##
+[module::Authentication]
+# Indicate whether the module is activated.
+#  Default value: false
+enabled=true
+
+
+no-403=user-agent contains 'tester-no-403'
+
+# A request/response enters module if the boolean filter evaluates
+# to true. Ex: from.uri.domain contains 'sip.linphone.org', from.uri.domain
+# in 'a.org b.org c.org', (to.uri.domain in 'a.org b.org c.org')
+# && (user-agent == 'Linphone v2')
+#  Default value: 
+filter= from.uri.domain contains 'sip.example.org' || from.uri.domain contains 'auth.example.org' || from.uri.domain contains 'auth1.example.org' || from.uri.domain contains 'auth2.example.org' || from.uri.domain contains 'anonymous.invalid' 
+
+# List of whitespace separated domain names to challenge. Others
+# are denied.
+#  Default value: 
+auth-domains= sip.example.org auth.example.org auth1.example.org auth2.example.org
+
+
+
+# List of whitespace separated IP which will not be challenged.
+#  Default value: 
+trusted-hosts=127.0.0.1 94.23.19.176
+
+# Database backend implementation [odbc, file].
+#  Default value: odbc
+db-implementation=file
+
+# Odbc connection string to use for connecting to database. ex1:
+# DSN=myodbc3; where 'myodbc3' is the datasource name. ex2: DRIVER={MySQL};SERVER=host;DATABASE=db;USER=user;PASSWORD=pass;OPTION=3;
+# for a DSN-less connection. ex3: /etc/flexisip/passwd; for a file
+# containing one 'user@domain password' by line.
+#  Default value:
+datasource=/etc/flexisip/userdb.conf
+
+# Odbc SQL request to execute to obtain the password
+# . Named parameters are :id (the user found in the from header),
+# :domain (the authorization realm) and :authid (the authorization
+# username). The use of the :id parameter is mandatory.
+#  Default value: select password from accounts where id = :id and domain = :domain and authid=:authid
+request=select password from accounts where id = :id and domain = :domain and authid=:authid
+
+
+# Use pooling in odbc
+#  Default value: true
+odbc-pooling=true
+
+
+# Duration of the validity of the credentials added to the cache
+# in seconds.
+#  Default value: 1800
+cache-expire=1800
+
+
+# True if retrieved passwords from the database are hashed. HA1=MD5(A1)
+# = MD5(username:realm:pass).
+#  Default value: false
+hashed-passwords=false
+
+# When receiving a proxy authenticate challenge, generate a new
+# challenge for this proxy.
+#  Default value: false
+new-auth-on-407=false
+
+enable-test-accounts-creation=true
+
+##
+## ...
+##
+[module::GatewayAdapter]
+# Indicate whether the module is activated.
+#  Default value: false
+enabled=false
+
+# A request/response enters module if the boolean filter evaluates
+# to true. Ex: from.uri.domain contains 'sip.linphone.org', from.uri.domain
+# in 'a.org b.org c.org', (to.uri.domain in 'a.org b.org c.org')
+# && (user-agent == 'Linphone v2')
+#  Default value:
+filter=
+
+# A gateway uri where to send all requests, as a SIP url (eg 'sip:gateway.example.net')
+#  Default value:
+gateway=
+
+# Modify the from and to domains of incoming register
+#  Default value:
+gateway-domain=
+
+# The gateway will be added to the incoming register contacts.
+#  Default value: true
+fork-to-gateway=true
+
+# Send a REGISTER to the gateway using this server as a contact
+# in order to be notified on incoming calls by the gateway.
+#  Default value: true
+register-on-gateway=true
+
+# Parameter name hosting the incoming domain that will be sent in
+# the register to the gateway.
+#  Default value: routing-domain
+routing-param=routing-domain
+
+[module::Router]
+
+# Store and retrieve contacts without using the domain.
+#  Default value: false
+use-global-domain=false
+
+# Fork messages to all registered devices
+#  Default value: true
+fork=true
+
+# Force forking and thus the creation of an outgoing transaction
+# even when only one contact found
+#  Default value: true
+stateful=true
+
+# Fork invites to late registers
+#  Default value: false
+fork-late=true
+
+call-fork-timeout=20
+
+
+
+# All the forked have to decline in order to decline the caller
+# invite
+#  Default value: false
+fork-no-global-decline=false
+
+# Maximum duration for delivering a message (text)
+#  Default value: 3600
+message-delivery-timeout=60
+##
+## The Registrar module accepts REGISTERs for domains it manages,
+## and store the address of record in order to route other requests
+## destinated to the client who registered.
+##
+[module::Registrar]
+# Indicate whether the module is activated.
+#  Default value: true
+enabled=true
+
+# A request/response enters module if the boolean filter evaluates
+# to true. Ex: from.uri.domain contains 'sip.linphone.org', from.uri.domain
+# in 'a.org b.org c.org', (to.uri.domain in 'a.org b.org c.org')
+# && (user-agent == 'Linphone v2')
+#  Default value:
+filter=
+
+# List of whitelist separated domain names to be managed by the
+# registrar.
+#  Default value: localhost
+reg-domains=localhost sip.example.org sipopen.example.org auth1.example.org sip2.linphone.org client.example.org
+
+# Maximum number of registered contacts of an address of record.
+#  Default value: 15
+max-contacts-by-aor=15
+
+# List of contact uri parameters that can be used to identify a
+# user's device.
+#  Default value: +sip.instance
+#unique-id-parameters=
+
+# Maximum expire time for a REGISTER, in seconds.
+#  Default value: 86400
+max-expires=60
+
+# Minimum expire time for a REGISTER, in seconds.
+#  Default value: 60
+min-expires=1
+
+# File containing the static records to add to database at startup.
+# Format: one 'sip_uri contact_header' by line. Example:
+# <sip:contact@domain> <sip:127.0.0.1:5460>,<sip:192.168.0.1:5160>
+#  Default value:
+static-records-file=
+
+# Timeout in seconds after which the static records file is re-read
+# and the contacts updated.
+#  Default value: 600
+static-records-timeout=600
+
+# Implementation used for storing address of records contact uris.
+# [redis-async, redis-sync, internal]
+#  Default value: internal
+db-implementation=internal
+
+
+
+
+
+
+
+
+# Generate a contact from the TO header and route it to the above
+# destination. [sip:host:port]
+#  Default value:
+generated-contact-route=
+
+# Require presence of authorization header for specified realm.
+# [Realm]
+#  Default value:
+generated-contact-expected-realm=
+
+
+[module::ContactRouteInserter]
+# Indicate whether the module is activated.
+#  Default value: true
+enabled=false
+
+# A request/response enters module if the boolean filter evaluates
+# to true. Ex: from.uri.domain contains 'sip.linphone.org', from.uri.domain
+# in 'a.org b.org c.org', (to.uri.domain in 'a.org b.org c.org')
+# && (user-agent == 'Linphone v2')
+#  Default value:
+filter=
+
+# Hack for workarounding Nortel CS2k gateways bug.
+#  Default value: false
+masquerade-contacts-for-invites=false
+
+##
+## This module performs load balancing between a set of configured
+## destination proxies.
+##
+[module::LoadBalancer]
+# Indicate whether the module is activated.
+#  Default value: false
+enabled=false
+
+# A request/response enters module if the boolean filter evaluates
+# to true. Ex: from.uri.domain contains 'sip.linphone.org', from.uri.domain
+# in 'a.org b.org c.org', (to.uri.domain in 'a.org b.org c.org')
+# && (user-agent == 'Linphone v2')
+#  Default value:
+filter=
+
+# Whitespace separated list of sip routes to balance the requests.
+# Example: <sip:192.168.0.22> <sip:192.168.0.23>
+#  Default value:
+routes=
+
+##
+## The MediaRelay module masquerades SDP message so that all RTP
+## and RTCP streams go through the proxy. The RTP and RTCP streams
+## are then routed so that each client receives the stream of the
+## other. MediaRelay makes sure that RTP is ALWAYS established, even
+## with uncooperative firewalls.
+##
+[module::MediaRelay]
+# Indicate whether the module is activated.
+#  Default value: true
+enabled=true
+
+# A request/response enters module if the boolean filter evaluates
+# to true. Ex: from.uri.domain contains 'sip.linphone.org', from.uri.domain
+# in 'a.org b.org c.org', (to.uri.domain in 'a.org b.org c.org')
+# && (:q
+#  Default value:
+filter= (user-agent contains 'Natted Linphone')
+
+# SDP attribute set by the first proxy to forbid subsequent proxies
+# to provide relay.
+#  Default value: nortpproxy
+nortpproxy=nortpproxy
+
+# Set the RTP direction during early media state (duplex, forward)
+#  Default value: duplex
+#early-media-rtp-dir=duplex
+
+# The minimal value of SDP port range
+#  Default value: 1024
+sdp-port-range-min=1024
+
+# The maximal value of SDP port range
+#  Default value: 65535
+sdp-port-range-max=65535
+
+# Enable I-frame only filtering for video H264 for clients annoucing
+# a total bandwith below this value expressed in kbit/s. Use 0 to
+# disable the feature
+#  Default value: 0
+#h264-filtering-bandwidth=0
+
+# When above option is activated, keep one I frame over this number.
+#  Default value: 1
+#h264-iframe-decim=1
+
+# Sends a ACK and BYE to 200 Ok for INVITEs not belonging to any established call.
+bye-orphan-dialogs=true
+
+
+##
+## The purpose of the Transcoder module is to transparently transcode
+## from one audio codec to another to make the communication possible
+## between clients that do not share the same set of supported codecs.
+## Concretely it adds all missing codecs into the INVITEs it receives,
+## and adds codecs matching the original INVITE into the 200Ok. Rtp
+## ports and addresses are masqueraded so that the streams can be
+## processed by the proxy. The transcoding job is done in the background
+## by the mediastreamer2 library, as consequence the set of supported
+## codecs is exactly the the same as the codec set supported by mediastreamer2,
+## including the possible plugins you may installed to extend mediastreamer2.
+## WARNING: this module can conflict with the MediaRelay module as
+## both are changin the SDP. Make sure to configure them with different
+## to-domains or from-domains filter if you want to enable both of
+## them.
+##
+[module::Transcoder]
+# Indicate whether the module is activated.
+#  Default value: false
+enabled=false
+
+# A request/response enters module if the boolean filter evaluates
+# to true. Ex: from.uri.domain contains 'sip.linphone.org', from.uri.domain
+# in 'a.org b.org c.org', (to.uri.domain in 'a.org b.org c.org')
+# && (user-agent == 'Linphone v2')
+#  Default value:
+filter=
+
+# Nominal size of RTP jitter buffer, in milliseconds. A value of
+# 0 means no jitter buffer (packet processing).
+#  Default value: 0
+jb-nom-size=0
+
+# Whitespace separated list of user-agent strings for which audio
+# rate control is performed.
+#  Default value:
+rc-user-agents=
+
+# Whitespace seprated list of audio codecs, in order of preference.
+#  Default value: speex/8000 amr/8000 iLBC/8000 gsm/8000 pcmu/8000 pcma/8000
+audio-codecs=speex/8000 amr/8000 iLBC/8000 gsm/8000 pcmu/8000 pcma/8000
+
+# If true, retransmissions of INVITEs will be blocked. The purpose
+# of this option is to limit bandwidth usage and server load on
+# reliable networks.
+#  Default value: false
+block-retransmissions=false
+
+##
+## This module executes the basic routing task of SIP requests and
+## pass them to the transport layer. It must always be enabled.
+##
+[module::Forward]
+# Indicate whether the module is activated.
+#  Default value: true
+enabled=true
+
+# A request/response enters module if the boolean filter evaluates
+# to true. Ex: from.uri.domain contains 'sip.linphone.org', from.uri.domain
+# in 'a.org b.org c.org', (to.uri.domain in 'a.org b.org c.org')
+# && (user-agent == 'Linphone v2')
+#  Default value:
+filter=
+
+# A sip uri where to send all requests
+#  Default value:
+route=
+
+# Rewrite request-uri's host and port according to above route
+#  Default value: false
+rewrite-req-uri=false
+
+[module::Redirect]
+enabled=true
+filter = (user-agent contains 'redirect') && !(request.uri.params contains 'redirected')
+contact= <sip:sipopen.example.org;redirected>
+
+##
+## The purpose of the StatisticsCollector module is to collect call
+## statistics (RFC 6035) and store them on the server.
+##
+[module::StatisticsCollector]
+# Indicate whether the module is activated.
+#  Default value: false
+enabled=true
+
+# A request/response enters module if the boolean filter evaluates
+# to true. Ex: from.uri.domain contains 'sip.linphone.org', from.uri.domain
+# in 'a.org b.org c.org', (to.uri.domain in 'a.org b.org c.org')
+# && (user-agent == 'Linphone v2')
+#  Default value:
+filter=
+
+# SIP URI of the statistics collector. Note that the messages destinated
+# to this address will be deleted by this module and thus not be
+# delivered.
+#  Default value:
+collector-address=sip:sip.example.org
+
+##
+## This module performs push notifications to mobile phone notification
+## systems: apple, android, windows, as well as a generic http get/post
+## to a custom server to which actual sending of the notification
+## is delegated. The push notification is sent when an INVITE or
+## MESSAGE request is not answered by the destination of the request
+## within a certain period of time, configurable hereunder as 'timeout'
+## parameter.
+##
+
+
+
+[module::PushNotification]
+# Indicate whether the module is activated.
+#  Default value: false
+enabled=true
+
+# A request/response enters module if the boolean filter evaluates
+# to true. Ex: from.uri.domain contains 'sip.linphone.org', from.uri.domain
+# in 'a.org b.org c.org', (to.uri.domain in 'a.org b.org c.org')
+# && (user-agent == 'Linphone v2')
+#  Default value:
+filter=
+
+# Number of second to wait before sending a push notification to
+# device(if <=0 then disabled)
+#  Default value: 5
+timeout=5
+
+# Maximum number of notifications queued for each client
+#  Default value: 10
+max-queue-size=10
+
+# Enable push notification for apple devices
+#  Default value: true
+apple=false
+
+# Path to directory where to find Apple Push Notification service
+# certificates. They should bear the appid of the application, suffixed
+# by the release mode and .pem extension. For example: org.linphone.dev.pem
+# org.linphone.prod.pem com.somephone.dev.pem etc... The files should
+# be .pem format, and made of certificate followed by private key.
+#  Default value: /etc/flexisip/apn
+apple-certificate-dir=/etc/flexisip/apn
+
+# Enable push notification for android devices
+#  Default value: true
+google=false
+
+# List of couples projectId:ApiKey for each android project that
+# supports push notifications
+#  Default value:
+google-projects-api-keys=
+
+# Enable push notification for windows phone 8 devices
+#  Default value: true
+windowsphone=false
+
+# Set the badge value to 0 for apple push
+#  Default value: false
+no-badge=false
+
+# Instead of having Flexisip sending the push notification directly
+# to the Google/Apple/Microsoft push servers, send an http request
+# to an http server with all required information encoded in URL,
+# to which the actual sending of the push notification is delegated.
+# The following arguments can be substitued in the http request
+# uri, with the following values:
+#  - $type : apple, google, wp
+#  - $event : call, message
+#  - $from-name : the display name in the from header
+#  - $from-uri : the sip uri of the from header
+#  - $from-tag : the tag of the from header
+#  - $call-id : the call-id of the INVITE or MESSAGE request
+#  - $to-uri : the sip uri of the to header
+#  - $api-key : the api key to use (google only)
+#  - $msgid : the message id to put in the notification
+#  - $sound : the sound file to play with the notification
+#
+ The content of the text message is put in the body of the http
+# request as text/plain, if any.
+#  Example: http://192.168.0.2/$type/$event?from-uri=$from-uri&tag=$from-tag&callid=$callid&to=$to-uri
+#  Default value:
+external-push-uri=http://127.0.0.1:80/$type/$event?from-uri=$from-uri&tag=$from-tag&callid=$callid&to=$to-uri
+
+# Method for reaching external-push-uri, typically GET or POST
+#  Default value: GET
+external-push-method=GET
+
+##
+## This module bans user when they are sending too much packets on
+## a given timelapseTo see the list of currently banned ips/ports,
+## use iptables -LYou can also check the queue of unban commands
+## using atq
+##
+[module::DoSProtection]
+
+# Indicate whether the module is activated.
+#  Default value: true
+enabled=true
+
+# A request/response enters module if the boolean filter evaluates
+# to true. Ex: from.uri.domain contains 'sip.linphone.org', from.uri.domain
+# in 'a.org b.org c.org', (to.uri.domain in 'a.org b.org c.org')
+# && (user-agent == 'Linphone v2')
+#  Default value:
+filter=
+
+# Number of milliseconds to consider to compute the packet rate
+#  Default value: 3000
+time-period=15000
+
+# Maximum packet rate received in [time-period] millisecond(s) to
+# consider it as a DoS attack.
+#  Default value: 20
+packet-rate-limit=10
+
+# Number of minutes to ban the ip/port using iptables (might be
+# less because it justs uses the minutes of the clock, not the seconds.
+# So if the unban command is queued at 13:11:56 and scheduled and
+# the ban time is 1 minute, it will be executed at 13:12:00)
+#  Default value: 2
+ban-time=1
+
+[module::Presence]
+enabled=true
+presence-server = <sip:127.0.0.1:5065;transport=tcp>
+only-list-subscription = !(user-agent contains 'full-presence-support')
+
+[presence-server]
+expires = 600
+transports = sip:127.0.0.1:5065;transport=tcp
+

tester/flexisip/flexisip.conf

@@ -40,7 +40,7 @@ aliases=localhost sip2.linphone.org sipopen.example.org sip.example.org auth.exa
 
 #note: the ip addresses are explicitely specified here because the machine has several interfaces. In a simple case, using '*' instead of the explicit ip address is sufficient, 
 #and there is no need to specify the ipv6 transport addresses.
-transports=sip:94.23.19.176:5060  sips:94.23.19.176:5061;tls-certificates-dir=/etc/flexisip/tls/certificates/cn sips:94.23.19.176:5062;tls-certificates-dir=/etc/flexisip/tls/certificates/altname sips:94.23.19.176:5063;require-peer-certificate=1 sip:94.23.19.176:5064 sip:[2001:41d0:2:14b0::1]:5060  sips:[2001:41d0:2:14b0::1]:5061;tls-certificates-dir=/etc/flexisip/tls/certificates/cn sips:[2001:41d0:2:14b0::1]:5062;tls-certificates-dir=/etc/flexisip/tls/certificates/altname sips:[2001:41d0:2:14b0::1]:5063;require-peer-certificate=1 sip:[2001:41d0:2:14b0::1]:5064
+transports=sip:94.23.19.176:5060  sips:94.23.19.176:5061;tls-certificates-dir=/etc/flexisip/tls/certificates/cn sips:94.23.19.176:5062;tls-certificates-dir=/etc/flexisip/tls/certificates/altname sips:94.23.19.176:5063;tls-verify-incoming=1 sip:94.23.19.176:5064 sip:[2001:41d0:2:14b0::1]:5060  sips:[2001:41d0:2:14b0::1]:5061;tls-certificates-dir=/etc/flexisip/tls/certificates/cn sips:[2001:41d0:2:14b0::1]:5062;tls-certificates-dir=/etc/flexisip/tls/certificates/altname sips:[2001:41d0:2:14b0::1]:5063;tls-verify-incoming=1 sip:[2001:41d0:2:14b0::1]:5064
 
 
 # An absolute path of a directory where TLS server certificate and

tester/flexisip_tester.c

@@ -1195,7 +1195,7 @@ static void test_list_subscribe_wrong_body(void) {
 }
 
 
-static void publish_subscribe(void) {
+static void redis_publish_subscribe(void) {
 	LinphoneCoreManager* marie = linphone_core_manager_new("marie_rc");
 	LinphoneCoreManager* pauline = linphone_core_manager_new(transport_supported(LinphoneTransportTls) ? "pauline_rc" : "pauline_tcp_rc");
 	LinphoneCoreManager* marie2 = NULL;
@@ -1215,6 +1215,87 @@ static void publish_subscribe(void) {
 	linphone_core_manager_destroy(marie2);
 }
 
+
+static void tls_authentication_requested_good(LinphoneCore *lc, LinphoneAuthInfo *auth_info, LinphoneAuthMethod method) {
+	if (method == LinphoneAuthTls){
+	
+		char *cert = bc_tester_res("certificates/client/cert2.pem");
+		char *key = bc_tester_res("certificates/client/key2.pem");
+		
+		linphone_auth_info_set_tls_cert_path(auth_info, cert);
+		linphone_auth_info_set_tls_key_path(auth_info, key);
+		linphone_core_add_auth_info(lc, auth_info);
+		bc_free(cert);
+		ms_free(key);
+	}
+}
+
+static void tls_authentication_requested_bad(LinphoneCore *lc, LinphoneAuthInfo *auth_info, LinphoneAuthMethod method) {
+	if (method == LinphoneAuthTls){
+	
+		char *cert = bc_tester_res("certificates/client/cert2-signed-by-other-ca.pem");
+		char *key = bc_tester_res("certificates/client/key2.pem");
+		
+		linphone_auth_info_set_tls_cert_path(auth_info, cert);
+		linphone_auth_info_set_tls_key_path(auth_info, key);
+		linphone_core_add_auth_info(lc, auth_info);
+		bc_free(cert);
+		bc_free(key);
+	}
+}
+
+static void tls_client_auth_try_register(const char *identity, bool_t with_good_cert, bool_t must_work){
+	LinphoneCoreManager *lcm;
+	LinphoneCoreVTable* vtable = linphone_core_v_table_new();
+	LinphoneProxyConfig *cfg;
+
+	lcm = linphone_core_manager_new(NULL);
+
+	vtable->authentication_requested= with_good_cert ? tls_authentication_requested_good : tls_authentication_requested_bad;
+	linphone_core_add_listener(lcm->lc,vtable);
+	cfg = linphone_core_create_proxy_config(lcm->lc);
+	
+	linphone_proxy_config_set_server_addr(cfg, "sip:sip2.linphone.org:5063;transport=tls");
+	linphone_proxy_config_enable_register(cfg, TRUE);
+	linphone_proxy_config_set_identity(cfg, identity);
+	linphone_core_add_proxy_config(lcm->lc, cfg);
+	if (must_work){
+		BC_ASSERT_TRUE(wait_for(lcm->lc, NULL, &lcm->stat.number_of_LinphoneRegistrationOk, 1));
+		BC_ASSERT_EQUAL(lcm->stat.number_of_LinphoneRegistrationFailed,0, int, "%d");
+		BC_ASSERT_EQUAL(lcm->stat.number_of_auth_info_requested,1, int, "%d");
+	}else{
+		BC_ASSERT_TRUE(wait_for(lcm->lc, NULL, &lcm->stat.number_of_LinphoneRegistrationFailed, 1));
+		BC_ASSERT_EQUAL(lcm->stat.number_of_LinphoneRegistrationOk,0, int, "%d");
+		/*we should expect 2 "auth_requested": one for the TLS certificate, another one because the server rejects the REGISTER with 401.*/
+		/*If the certificate isn't recognized at all, the connection will not happen and no SIP response will be received from server.*/
+		if (with_good_cert) BC_ASSERT_EQUAL(lcm->stat.number_of_auth_info_requested,2, int, "%d");
+		else BC_ASSERT_EQUAL(lcm->stat.number_of_auth_info_requested,1, int, "%d");
+	}
+	
+	linphone_proxy_config_unref(cfg);
+	linphone_core_manager_destroy(lcm);
+	linphone_core_v_table_destroy(vtable);
+}
+
+void tls_client_auth_bad_certificate_cn(void) {
+	if (transport_supported(LinphoneTransportTls)) {
+		/*first register to the proxy with galadrielle's identity, and authenticate by supplying galadrielle's certificate.
+		* It must work.*/
+		tls_client_auth_try_register("sip:galadrielle@sip.example.org", TRUE, TRUE);
+		/*now do the same thing, but trying to register as "Arwen". It must fail.*/
+		tls_client_auth_try_register("sip:arwen@sip.example.org", TRUE, FALSE);
+	}
+}
+
+void tls_client_auth_bad_certificate(void) {
+	if (transport_supported(LinphoneTransportTls)) {
+		/*first register to the proxy with galadrielle's identity, and authenticate by supplying galadrielle's certificate.
+		* It must work.*/
+		tls_client_auth_try_register("sip:galadrielle@sip.example.org", FALSE, FALSE);
+	}
+}
+
+
 test_t flexisip_tests[] = {
 	TEST_ONE_TAG("Subscribe forking", subscribe_forking, "LeaksMemory"),
 	TEST_NO_TAG("Message forking", message_forking),
@@ -1248,8 +1329,11 @@ test_t flexisip_tests[] = {
 #if HAVE_SIPP
 	TEST_NO_TAG("Subscribe on wrong dialog", test_subscribe_on_wrong_dialog),
 #endif
-	TEST_ONE_TAG("Publish/subscribe", publish_subscribe, "Skip")
+	TEST_ONE_TAG("Redis Publish/subscribe", redis_publish_subscribe, "Skip"),
+	TEST_NO_TAG("TLS authentication - client rejected due to CN mismatch", tls_client_auth_bad_certificate_cn),
+	TEST_NO_TAG("TLS authentication - client rejected due to unrecognized certificate chain", tls_client_auth_bad_certificate)
 };
 
+
 test_suite_t flexisip_test_suite = {"Flexisip", NULL, NULL, liblinphone_tester_before_each, liblinphone_tester_after_each,
 									sizeof(flexisip_tests) / sizeof(flexisip_tests[0]), flexisip_tests};

tester/register_tester.c

@@ -138,7 +138,7 @@ static void register_with_refresh_base_3(LinphoneCore* lc
 	} else
 		/*checking to be done outside this functions*/
 	BC_ASSERT_EQUAL(counters->number_of_LinphoneRegistrationCleared,0, int, "%d");
-	linphone_proxy_config_destroy(proxy_cfg);
+	linphone_proxy_config_unref(proxy_cfg);
 }
 
 static void register_with_refresh_base_2(LinphoneCore* lc
@@ -860,14 +860,14 @@ static void tls_certificate_failure(void){
 		linphone_core_set_root_ca(lcm->lc,NULL); /*no root ca*/
 		linphone_core_refresh_registers(lcm->lc);
 		BC_ASSERT_TRUE(wait_for(lc,lc,&lcm->stat.number_of_LinphoneRegistrationFailed,2));
-		ms_free(rootcapath);
+		bc_free(rootcapath);
 		rootcapath = bc_tester_res("certificates/cn/cafile.pem"); /*good root ca*/
 		linphone_core_set_root_ca(lcm->lc,rootcapath);
 		linphone_core_refresh_registers(lcm->lc);
 		BC_ASSERT_TRUE(wait_for(lc,lc,&lcm->stat.number_of_LinphoneRegistrationOk,1));
 		BC_ASSERT_EQUAL(lcm->stat.number_of_LinphoneRegistrationFailed,2, int, "%d");
 		linphone_core_manager_destroy(lcm);
-		ms_free(rootcapath);
+		bc_free(rootcapath);
 	}
 }
 
@@ -905,7 +905,7 @@ static void tls_certificate_data(void) {
 		linphone_core_set_root_ca_data(lcm->lc, NULL); /*no root ca*/
 		linphone_core_refresh_registers(lcm->lc);
 		BC_ASSERT_TRUE(wait_for(lc, lc, &lcm->stat.number_of_LinphoneRegistrationFailed, 2));
-		ms_free(rootcapath);
+		bc_free(rootcapath);
 		ms_free(data);
 		rootcapath = bc_tester_res("certificates/cn/cafile.pem"); /*good root ca*/
 		data = read_file(rootcapath);
@@ -914,7 +914,7 @@ static void tls_certificate_data(void) {
 		BC_ASSERT_TRUE(wait_for(lc, lc, &lcm->stat.number_of_LinphoneRegistrationOk, 1));
 		BC_ASSERT_EQUAL(lcm->stat.number_of_LinphoneRegistrationFailed, 2, int, "%d");
 		linphone_core_manager_destroy(lcm);
-		ms_free(rootcapath);
+		bc_free(rootcapath);
 		ms_free(data);
 	}
 }
@@ -957,7 +957,7 @@ static void tls_alt_name_register(void){
 		BC_ASSERT_TRUE(wait_for(lc,lc,&lcm->stat.number_of_LinphoneRegistrationOk,1));
 		BC_ASSERT_EQUAL(lcm->stat.number_of_LinphoneRegistrationFailed,0, int, "%d");
 		linphone_core_manager_destroy(lcm);
-		ms_free(rootcapath);
+		bc_free(rootcapath);
 	}
 }
 
@@ -974,7 +974,7 @@ static void tls_wildcard_register(void){
 		BC_ASSERT_TRUE(wait_for(lc,lc,&lcm->stat.number_of_LinphoneRegistrationOk,2));
 		BC_ASSERT_EQUAL(lcm->stat.number_of_LinphoneRegistrationFailed,0, int, "%d");
 		linphone_core_manager_destroy(lcm);
-		ms_free(rootcapath);
+		bc_free(rootcapath);
 	}
 }
 
@@ -1003,8 +1003,8 @@ static void tls_auth_global_client_cert(void) {
 		lp_config_set_string(lpc, "sip", "client_cert_key", key_path);
 		linphone_core_manager_start(manager, TRUE);
 		linphone_core_manager_destroy(manager);
-		ms_free(cert_path);
-		ms_free(key_path);
+		bc_free(cert_path);
+		bc_free(key_path);
 	}
 }
 
@@ -1022,8 +1022,8 @@ static void tls_auth_global_client_cert_api(void) {
 		linphone_core_manager_destroy(pauline);
 		ms_free(cert);
 		ms_free(key);
-		ms_free(cert_path);
-		ms_free(key_path);
+		bc_free(cert_path);
+		bc_free(key_path);
 	}
 }
 
@@ -1037,8 +1037,8 @@ static void tls_auth_global_client_cert_api_path(void) {
 		linphone_core_set_tls_key_path(lc, key);
 		BC_ASSERT_TRUE(wait_for(lc, lc, &pauline->stat.number_of_LinphoneRegistrationOk, 1));
 		linphone_core_manager_destroy(pauline);
-		ms_free(cert);
-		ms_free(key);
+		bc_free(cert);
+		bc_free(key);
 	}
 }
 
@@ -1057,8 +1057,8 @@ static void tls_auth_info_client_cert_api(void) {
 		linphone_core_manager_destroy(pauline);
 		ms_free(cert);
 		ms_free(key);
-		ms_free(cert_path);
-		ms_free(key_path);
+		bc_free(cert_path);
+		bc_free(key_path);
 	}
 }
 
@@ -1073,8 +1073,8 @@ static void tls_auth_info_client_cert_api_path(void) {
 		linphone_auth_info_set_tls_key_path(authInfo, key);
 		BC_ASSERT_TRUE(wait_for(lc, lc, &pauline->stat.number_of_LinphoneRegistrationOk, 1));
 		linphone_core_manager_destroy(pauline);
-		ms_free(cert);
-		ms_free(key);
+		bc_free(cert);
+		bc_free(key);
 	}
 }
 
@@ -1085,8 +1085,8 @@ static void authentication_requested_2(LinphoneCore *lc, LinphoneAuthInfo *auth_
 	linphone_auth_info_set_tls_cert_path(auth_info, cert);
 	linphone_auth_info_set_tls_key_path(auth_info, key);
 	linphone_core_add_auth_info(lc, auth_info);
-	ms_free(cert);
-	ms_free(key);
+	bc_free(cert);
+	bc_free(key);
 }
 
 static void tls_auth_info_client_cert_cb(void) {
@@ -1119,8 +1119,8 @@ static void authentication_requested_3(LinphoneCore *lc, LinphoneAuthInfo *auth_
 	linphone_core_add_auth_info(lc, auth_info);
 	ms_free(cert);
 	ms_free(key);
-	ms_free(cert_path);
-	ms_free(key_path);
+	bc_free(cert_path);
+	bc_free(key_path);
 }
 
 static void tls_auth_info_client_cert_cb_2(void) {
@@ -1142,6 +1142,7 @@ static void tls_auth_info_client_cert_cb_2(void) {
 	}
 }
 
+
 test_t register_tests[] = {
 	TEST_NO_TAG("Simple register", simple_register),
 	TEST_NO_TAG("Simple register unregister", simple_unregister),