Summary: ASTERISK-25063: [patch] add X.509 subject alternative name support to Asterisk TLS support
Reporter: Maciej Szmigiero (mhej)
Labels:
Date Opened: 2015-05-05 17:30:27
Date Closed: 2015-05-17 14:39:27
Priority: Minor
Regression?:
Status: Closed/Complete
Components: Core/General
Versions:
Frequency of Occurrence:
Related Issues:
Environment:
Attachments: (0) asterisk-cert-alt-names.patch

Description: This patch adds X.509 subject alternative name support to Asterisk TLS support.

This way one X.509 certificate can be used for hosts that can be reached under multiple DNS names or for multiple hosts.

Currently the code seems to accept multiple subject (CN) fields instead, however according to Mozilla this is not a correct behavior as only the most specific one should be used: https://bugzilla.mozilla.org/show_bug.cgi?id=380656
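
The name-matching question raised in this description, as an added example that is not part of the original report and is not the Asterisk patch: it contrasts accepting any CN with a check that uses subjectAltName dNSName entries when present and otherwise only the last CN. The `cert_names` struct, the function names and the sample host names are constructed for illustration; treating the last CN as the most specific one, and ignoring the CN whenever a SAN is present (the RFC 6125 rule), are assumptions of this example.

```c
#include <stdio.h>
#include <stddef.h>
#include <strings.h>

/* Names already extracted from a peer certificate (hypothetical struct). */
struct cert_names {
    const char *const *san_dns; size_t san_count; /* subjectAltName dNSName entries */
    const char *const *cn;      size_t cn_count;  /* subject CNs, in encoding order */
};

/* Behaviour the issue describes as current: a match on ANY CN is accepted. */
int any_cn_matches(const struct cert_names *c, const char *host)
{
    for (size_t i = 0; i < c->cn_count; i++)
        if (strcasecmp(c->cn[i], host) == 0)
            return 1;
    return 0;
}

/* SAN-aware check: dNSName entries decide when present (RFC 6125 rule);
 * otherwise only the last CN, assumed here to be the most specific one. */
int cert_valid_for_host(const struct cert_names *c, const char *host)
{
    if (c->san_count > 0) {
        for (size_t i = 0; i < c->san_count; i++)
            if (strcasecmp(c->san_dns[i], host) == 0)
                return 1;
        return 0; /* SAN present: the CN is not consulted */
    }
    return c->cn_count > 0 && strcasecmp(c->cn[c->cn_count - 1], host) == 0;
}

/* Constructed sample certificates, not taken from the issue. */
static const char *const san_list[] = { "pbx.example.com", "sip.example.com" };
static const char *const san_cert_cn[] = { "legacy.example.com" };
static const char *const two_cns[] = { "other.example.net", "pbx.example.com" };
const struct cert_names CERT_WITH_SAN = { san_list, 2, san_cert_cn, 1 };
const struct cert_names CERT_TWO_CN = { NULL, 0, two_cns, 2 };

int main(void)
{
    printf("SAN cert, sip.example.com:      %d\n", cert_valid_for_host(&CERT_WITH_SAN, "sip.example.com"));
    printf("SAN cert, legacy.example.com:   %d\n", cert_valid_for_host(&CERT_WITH_SAN, "legacy.example.com"));
    printf("two-CN cert, other.example.net: %d (any-CN: %d)\n",
           cert_valid_for_host(&CERT_TWO_CN, "other.example.net"),
           any_cn_matches(&CERT_TWO_CN, "other.example.net"));
    return 0;
}
```

Wildcard names and IP-address SAN entries are not handled here.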
Comments:

By: Rusty Newton (rnewton) 2015-05-07 18:37:37.703-0500

Thanks for the contribution! If you'd like your contribution to be included faster, you should submit your patch for code review by the Asterisk Developer Community. To do so, please follow the Code Review [1] instructions on the wiki. Be sure to:
* Verify that your patch conforms to the Coding Guidelines [2]
* Review the Code Review Checklist [3] for common items reviewers will look for
* If necessary, provide tests for the Asterisk Test Suite that verify the correctness of your patch [4]

When ready, submit your patch and any tests to Gerrit [5] for code review.

Thanks!

[1] https://wiki.asterisk.org/wiki/display/AST/Code+Review
[2] https://wiki.asterisk.org/wiki/display/AST/Coding+Guidelines
[3] https://wiki.asterisk.org/wiki/display/AST/Code+Review+Checklist
[4] https://wiki.asterisk.org/wiki/display/AST/Asterisk+Test+Suite+Documentation
[5] https://wiki.asterisk.org/wiki/display/AST/Gerrit+Usage



By: Maciej Szmigiero (mhej) 2015-05-08 14:47:01.536-0500

Thanks for looking into it, I've submitted the patch via Gerrit.

As far as I can see there is currently no test for Asterisk's TLS support certificate verification as both sip_tls_call and sip_tls_register have tlsdontverifyserver set to yes.


By: Rusty Newton (rnewton) 2015-05-17 14:39:27.427-0500

Fix was merged so I'm closing this out. Auto-close wasn't working.

By: Friendly Automation (friendly-automation) 2016-11-16 13:15:10.972-0600

Change 4451 merged by Joshua Colp:
Add X.509 subject alternative name support to TLS certificate verification.

https://gerrit.asterisk.org/4451