[asterisk-bugs] [JIRA] (ASTERISK-24847) [security] [patch] tcptls: certificate CN NULL byte prefix bug

Asterisk Team (JIRA) noreply at issues.asterisk.org
Wed Jul 27 10:26:02 CDT 2016


     [ https://issues.asterisk.org/jira/browse/ASTERISK-24847?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Asterisk Team updated ASTERISK-24847:
-------------------------------------

    Target Release Version/s: 14.0.0

> [security] [patch] tcptls: certificate CN NULL byte prefix bug
> --------------------------------------------------------------
>
>                 Key: ASTERISK-24847
>                 URL: https://issues.asterisk.org/jira/browse/ASTERISK-24847
>             Project: Asterisk
>          Issue Type: Bug
>      Security Level: None
>          Components: Channels/chan_sip/TCP-TLS
>            Reporter: Matt Jordan
>            Assignee: Jonathan Rose
>              Labels: Security
>      Target Release: 11.18.0, 13.4.0, 14.0.0
>
>         Attachments: asterisk-null-in-cn.patch
>
>
> host{quote}
> Hello,
> Asterisk contains a certificate common name NULL byte prefix bug in tcptls.c.
> Specifically, if the presented certificate has a Common Name of the format "host.com\x00.somedomain.com", the certificate will
> be accepted for host.com despite being issued for somedomain.com.
> Attached is a proposed patch (generated against asterisk-11.15.0).
> Verified with SIP TLS transport - without the patch such certificates are accepted,
> with the patch applied they are rejected due to CN length mismatch.
> Best regards,
> Maciej Szmigiero
> {quote}



--
This message was sent by Atlassian JIRA
(v6.2#6252)
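
The length check the report describes, as an added example that is not part of the original message and is not the attached patch: a C-string comparison of the CN beside a comparison that also requires the certificate's recorded CN length to equal the expected host name's length. The `cn_value` struct, the function names and the sample byte strings are hypothetical and constructed for illustration; no TLS library is used.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Hypothetical stand-in for a length-delimited certificate string (the CN value). */
struct cn_value {
    const unsigned char *data;
    size_t len;               /* length recorded in the certificate, not strlen() */
};

/* Constructed samples; the array's implicit trailing NUL is excluded from len. */
static const unsigned char spoofed_bytes[] = "host.com\0.somedomain.com";
static const unsigned char legit_bytes[] = "host.com";
static const struct cn_value spoofed_cn = { spoofed_bytes, sizeof(spoofed_bytes) - 1 };
static const struct cn_value legit_cn = { legit_bytes, sizeof(legit_bytes) - 1 };

/* Flawed: treats the CN as a C string, so the comparison stops at the first NUL.
 * (Relies on the buffer being NUL-terminated, as both samples are.) */
static int cn_matches_naive(const struct cn_value *cn, const char *hostname)
{
    return strcasecmp((const char *)cn->data, hostname) == 0;
}

/* Hardened: the certificate's own length must equal the expected name's length,
 * which rejects any CN that carries extra bytes after an embedded NUL. */
static int cn_matches_checked(const struct cn_value *cn, const char *hostname)
{
    if (cn->len != strlen(hostname))
        return 0;
    return strncasecmp((const char *)cn->data, hostname, cn->len) == 0;
}

int main(void)
{
    printf("naive,   spoofed CN vs host.com: %d\n",
           cn_matches_naive(&spoofed_cn, "host.com"));
    printf("checked, spoofed CN vs host.com: %d\n",
           cn_matches_checked(&spoofed_cn, "host.com"));
    printf("checked, legit CN vs host.com:   %d\n",
           cn_matches_checked(&legit_cn, "host.com"));
    return 0;
}
```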


