[asterisk-bugs] [JIRA] (ASTERISK-17719) SIP TLS certificates should be verified according to RFC 5922

Bernhard Schmidt (JIRA) noreply at issues.asterisk.org
Tue Dec 20 16:50:10 CST 2016


    [ https://issues.asterisk.org/jira/browse/ASTERISK-17719?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=234319#comment-234319 ] 

Bernhard Schmidt commented on ASTERISK-17719:
---------------------------------------------

I think this was fixed a while ago, duplicate of ASTERISK-25063?

{noformat}
2015-05-14 17:12 +0000 [7b96e8cc3d]  Maciej Szmigiero <mail at maciej.szmigiero.name>

	* Add X.509 subject alternative name support to TLS certificate
	  verification.

	  This way one X.509 certificate can be used for hosts that
	  can be reached under multiple DNS names or for multiple hosts.

	  Signed-off-by: Maciej Szmigiero <mail at maciej.szmigiero.name>

	  ASTERISK-25063 #close

	  Change-Id: I13302c80490a0b44c43f1b45376c9bd7b15a538f
{noformat}

> SIP TLS certificates should be verified according to RFC 5922
> -------------------------------------------------------------
>
>                 Key: ASTERISK-17719
>                 URL: https://issues.asterisk.org/jira/browse/ASTERISK-17719
>             Project: Asterisk
>          Issue Type: Bug
>          Components: Channels/chan_sip/TCP-TLS
>            Reporter: Terry Wilson
>            Assignee: Terry Wilson
>            Severity: Minor
>
> Asterisk currently uses the Common Name in an X509 certificate to test for validity. According to RFC 5922, it is preferable to use the SubjectAltNames to test for DNS, user, and domain names and only fall back to Common Name as a last resort. Asterisk failed several tests at SIPit 28 due to its lack of ability in this area.
> ****** STEPS TO REPRODUCE ******
> Make an outbound registration to a SIP server using a domain name that is only found in a SubjectAltName in their certificate. Watch Asterisk fail to set up the call.



--
This message was sent by Atlassian JIRA
(v6.2#6252)
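
The matching order the issue describes (subjectAltName identities first, Common Name only as a last resort), as an added example that is not Asterisk's code or the code from the referenced commit. The `cert_ids` structure, the function names and the sample certificates are hypothetical and constructed; the example assumes the identities were already extracted from a chain-validated certificate and compares them whole and case-insensitively, with no wildcard handling.

```c
#include <stddef.h>
#include <string.h>
#include <strings.h>

/* Identities already pulled out of a peer certificate (constructed model,
 * not an Asterisk or OpenSSL structure). */
struct cert_ids {
    const char *const *san_dns; size_t n_dns; /* subjectAltName dNSName */
    const char *const *san_uri; size_t n_uri; /* subjectAltName URI */
    const char *cn;                           /* subject CN, may be NULL */
};

/* Host part of a sip:/sips: URI that names a domain, else NULL. URIs with a
 * user part, port or parameters are skipped in this sketch. */
static const char *sip_uri_domain(const char *uri)
{
    const char *host;
    if (strncasecmp(uri, "sips:", 5) == 0) host = uri + 5;
    else if (strncasecmp(uri, "sip:", 4) == 0) host = uri + 4;
    else return NULL;
    if (*host == '\0' || strpbrk(host, "@:;?") != NULL) return NULL;
    return host;
}

/* 1 if the certificate is acceptable for `domain`, 0 otherwise. */
int cert_matches_domain(const struct cert_ids *c, const char *domain)
{
    size_t i;
    if (c == NULL || domain == NULL || *domain == '\0') return 0;
    for (i = 0; i < c->n_uri; i++) {
        const char *h = sip_uri_domain(c->san_uri[i]);
        if (h != NULL && strcasecmp(h, domain) == 0) return 1;
    }
    for (i = 0; i < c->n_dns; i++)
        if (strcasecmp(c->san_dns[i], domain) == 0) return 1;
    /* Last resort: CN counts only when there are no SAN entries at all, so
     * a SAN-bearing certificate cannot be widened by its CN. */
    if (c->n_dns == 0 && c->n_uri == 0 && c->cn != NULL)
        return strcasecmp(c->cn, domain) == 0;
    return 0;
}

/* Constructed samples: a multi-name certificate and a CN-only one. */
const char *const sample_dns[] = { "sip.example.net", "pbx.example.org" };
const char *const sample_uri[] = { "sip:example.com", "sip:alice@example.org" };
const struct cert_ids san_cert = { sample_dns, 2, sample_uri, 2, "legacy.example.com" };
const struct cert_ids cn_only_cert = { NULL, 0, NULL, 0, "legacy.example.com" };
```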


