Summary: | ASTERISK-17719: SIP TLS certificates should be verified according to RFC 5922 |
Reporter: | Terry Wilson (twilson) | Labels: | |
Date Opened: | 2011-04-19 13:05:24 | Date Closed: | 2017-10-11 11:18:42 |
Priority: | Minor | Regression? | No |
Status: | Closed/Complete | Components: | Channels/chan_sip/TCP-TLS |
Versions: | | Frequency of Occurrence: | |
Related Issues: | |
Environment: | | Attachments: | |
Description: | Asterisk currently uses the Common Name in an X509 certificate to test for validity. According to RFC 5922, it is preferable to use the SubjectAltNames to test for DNS, user, and domain names and only fall back to Common Name as a last resort. Asterisk failed several tests at SIPit 28 due to its lack of ability in this area.

****** STEPS TO REPRODUCE ******

Make an outbound registration to a SIP server using a domain name that is only found in a SubjectAltName in their certificate. Watch Asterisk fail to set up the call. |
Comments: |

By: Bernhard Schmidt (bschmidt) 2016-12-20 16:48:28.913-0600

I think this was fixed a while ago, duplicate of ASTERISK-25063?

{noformat}
2015-05-14 17:12 +0000 [7b96e8cc3d] Maciej Szmigiero <mail@maciej.szmigiero.name>

* Add X.509 subject alternative name support to TLS certificate verification.

  This way one X.509 certificate can be used for hosts that can be reached under multiple DNS names or for multiple hosts.

  Signed-off-by: Maciej Szmigiero <mail@maciej.szmigiero.name>
  ASTERISK-25063 #close
  Change-Id: I13302c80490a0b44c43f1b45376c9bd7b15a538f
{noformat}

By: Corey Farrell (coreyfarrell) 2017-10-11 11:18:42.203-0500

Closing as I believe this was fixed by ASTERISK-25063. |
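
The check the description asks for, sketched as an added example (not Asterisk's code and not the ASTERISK-25063 change): SubjectAltName DNS and SIP URI entries are compared first, and the Common Name is consulted only when the certificate carries no such entry. The `cert_names` struct, the function names and the sample values are assumptions made for this example; names are taken as already extracted from a chain-validated certificate, and comparison is exact and case-insensitive with no wildcard handling.

```c
#include <stddef.h>
#include <string.h>
#include <strings.h>

/* Names already pulled out of a chain-validated certificate (hypothetical struct). */
struct cert_names {
    const char *const *san_dns; size_t n_dns;  /* subjectAltName dNSName entries */
    const char *const *san_uri; size_t n_uri;  /* subjectAltName URI entries */
    const char *cn;                            /* subject Common Name, or NULL */
};

/* Copy the host of a sip:/sips: URI into out. Returns 0 if it is not a SIP URI.
   Simplified: no IPv6 literals, and '@' is assumed to end the user part. */
static int sip_uri_host(const char *uri, char *out, size_t outlen)
{
    const char *p, *at;
    size_t len;
    if (strncasecmp(uri, "sips:", 5) == 0) p = uri + 5;
    else if (strncasecmp(uri, "sip:", 4) == 0) p = uri + 4;
    else return 0;
    if ((at = strchr(p, '@')) != NULL) p = at + 1;   /* skip user part */
    len = strcspn(p, ":;?");                         /* stop at port/params/headers */
    if (len == 0 || len >= outlen) return 0;
    memcpy(out, p, len);
    out[len] = '\0';
    return 1;
}

/* Returns 1 if the certificate asserts `expected` as a SIP domain, else 0. */
int cert_matches_domain(const struct cert_names *c, const char *expected)
{
    char host[256];
    size_t i;
    for (i = 0; i < c->n_dns; i++)
        if (strcasecmp(c->san_dns[i], expected) == 0) return 1;
    for (i = 0; i < c->n_uri; i++)
        if (sip_uri_host(c->san_uri[i], host, sizeof(host)) &&
            strcasecmp(host, expected) == 0) return 1;
    /* Common Name is the last resort: consulted only when no SAN entry exists. */
    if (c->n_dns == 0 && c->n_uri == 0 && c->cn != NULL)
        return strcasecmp(c->cn, expected) == 0;
    return 0;
}

/* Constructed sample data: the domain is only in SubjectAltName; CN is a host name. */
const char *const demo_dns[] = { "sip.example.net" };
const char *const demo_uri[] = { "sip:example.net;transport=tls" };
const struct cert_names demo_san = { demo_dns, 1, demo_uri, 1, "host17.example.net" };
const struct cert_names demo_cn_only = { NULL, 0, NULL, 0, "example.net" };
```

A verifier that only looks at the Common Name rejects `demo_san` for `example.net`, which is the failure the steps to reproduce describe.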