Summary: ASTERISK-24158: asterisk can't validate wildcard certificate
Reporter: not here (looserouting)
Date Opened: 2014-08-05 08:13:13
Date Closed: 2014-08-05 08:47:57
Priority: Minor
Status: Closed/Complete
Components: Channels/chan_sip/TCP-TLS
Versions: 11.12.0
Frequency of Occurrence: Constant
Attachments: ( 0) sip.conf
Description: Asterisk can't validate wildcard certificates, i.e., validation will fail for CN=*.example.org and hostname=sipsrv.example.org.
In main/tcptls.c a simple strcasecmp is done for comparing the hostname and the common name (CN) of the certificate.
Comments:

By: not here (looserouting) 2014-08-05 08:25:07.132-0500
Added simple sip.conf.

By: not here (looserouting) 2014-08-05 08:39:18.612-0500
The relevant debug info is in these 2 lines:
[Aug 5 15:04:12] DEBUG[9588]: tcptls.c:642 handle_tcptls_connection: SSL Common Name compare s1='secure.dus.net' s2='*.dus.net'
[Aug 5 15:04:12] ERROR[9588]: tcptls.c:650 handle_tcptls_connection: Certificate common name did not match (secure.dus.net)

By: Leif Madsen (lmadsen) 2014-08-05 08:44:57.507-0500
Should that even work? We've been doing work with SIP TLS lately, and based on our research under the RFCs, wildcard certs are not allowed.

By: Bradley Watkins (marquis) 2014-08-05 08:46:18.098-0500
It should not work, per RFC 5922, Section 7.2:
"Implementations MUST NOT match any form of wildcard, such as a leading "." or "*." with any other DNS label or sequence of labels. For example, "*.example.com" matches only "*.example.com" but not "foo.example.com". Similarly, ".example.com" matches only ".example.com", and does not match "foo.example.com"."
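To make the RFC 5922 Section 7.2 rule quoted above concrete, here is an added example of a SIP-style identity check; it is not Asterisk's tcptls.c code, and the name `sip_identity_match` and the tolerance for one trailing dot are assumptions of the example. It reproduces the refusal logged in the comments (s1='secure.dus.net' vs s2='*.dus.net') while telling a wildcard-shaped certificate name apart from a plain mismatch, which is what an operator reading the log would want.

```c
#include <ctype.h>
#include <stdbool.h>
#include <string.h>

/* Added example, not Asterisk's tcptls.c: compare the hostname being
 * connected to with a certificate name (CN or dNSName) the way RFC 5922
 * section 7.2 requires for SIP. Names compare case-insensitively, one
 * trailing dot is ignored (an assumption of this example, not part of the
 * RFC text quoted on the page), and a wildcard is never expanded:
 * "*.dus.net" matches only the literal "*.dus.net". */
enum cn_result { CN_MATCH, CN_WILDCARD_NOT_EXPANDED, CN_MISMATCH };

static size_t len_without_trailing_dot(const char *s)
{
	size_t n = strlen(s);
	return (n > 1 && s[n - 1] == '.') ? n - 1 : n;
}

static bool equal_ci(const char *a, size_t alen, const char *b, size_t blen)
{
	if (alen != blen) {
		return false;
	}
	for (size_t i = 0; i < alen; i++) {
		if (tolower((unsigned char) a[i]) != tolower((unsigned char) b[i])) {
			return false;
		}
	}
	return true;
}

/* Returns CN_WILDCARD_NOT_EXPANDED when the names differ and the certificate
 * name has the leading "*." or "." form, so the caller can log "wildcard
 * certificate refused per RFC 5922" instead of a bare "did not match". */
enum cn_result sip_identity_match(const char *hostname, const char *cert_name)
{
	size_t hlen = len_without_trailing_dot(hostname);
	size_t clen = len_without_trailing_dot(cert_name);

	if (equal_ci(hostname, hlen, cert_name, clen)) {
		return CN_MATCH;
	}
	if (strncmp(cert_name, "*.", 2) == 0 || cert_name[0] == '.') {
		return CN_WILDCARD_NOT_EXPANDED;
	}
	return CN_MISMATCH;
}
```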