[Asterisk-code-review] res_pjsip: allow TLS verification of wildcard cert-bearing servers (asterisk[16])

Kevin Harwell asteriskteam at digium.com
Thu Jun 9 12:01:57 CDT 2022


Attention is currently required from: N A.
Hello Joshua Colp, Friendly Automation, 

I'd like you to reexamine a change. Please visit

    https://gerrit.asterisk.org/c/asterisk/+/18572

to look at the new patch set (#4).

Change subject: res_pjsip: allow TLS verification of wildcard cert-bearing servers
......................................................................

res_pjsip: allow TLS verification of wildcard cert-bearing servers

Rightly the use of wildcards in certificates is disallowed in accordance
with RFC5922. However, RFC2818 does make some allowances with regards to
their use when using subject alt names with DNS name types.

As such, this patch creates a new setting for TLS transports called
'allow_wildcard_certs', which, when it and 'verify_server' are both enabled,
allows DNS name types, as well as the common name, that start with '*.'
to match as a wildcard.

For instance: *.example.com
will match for: foo.example.com

Partial matching is not allowed, e.g. f*.example.com, foo.*.com, etc...
And the starting wildcard only matches for a single level.

For instance: *.example.com
will NOT match for: foo.bar.example.com

The new setting is disabled by default.

ASTERISK-30072 #close

Change-Id: If0be3fdab2e09c2a66bb54824fca406ebaac3da4
---
M configs/samples/pjsip.conf.sample
A contrib/ast-db-manage/config/versions/58e440314c2a_allow_wildcard_certs.py
A doc/CHANGES-staging/allow_wildcard_certs.txt
M include/asterisk/res_pjsip.h
M res/res_pjsip/config_transport.c
M res/res_pjsip/pjsip_config.xml
M res/res_pjsip/pjsip_transport_events.c
7 files changed, 218 insertions(+), 2 deletions(-)
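As an added illustration (not code from the Asterisk patch itself), the matching rules stated in the commit message written out in C: only a leading "*." is treated as a wildcard, it covers exactly one label, and partial patterns fall back to an exact comparison. The function names are hypothetical helpers, and the example domains in the comments are constructed.

```c
#include <stdbool.h>
#include <string.h>
#include <strings.h>

/*
 * Added illustration (not Asterisk code) of the rules in the commit message.
 * A pattern is a wildcard only when it starts with "*.", and the wildcard
 * stands for exactly one DNS label. Anything else must match the host name
 * exactly; DNS names are case-insensitive, so comparisons ignore case.
 */
static bool label_is_plain(const char *start, const char *end)
{
    /* The host's first label must be non-empty and contain no '.' or '*'. */
    if (start == end) {
        return false;
    }
    for (const char *p = start; p < end; p++) {
        if (*p == '.' || *p == '*') {
            return false;
        }
    }
    return true;
}

/* Hypothetical helper: true when 'host' matches 'pattern' under these rules. */
bool wildcard_name_match(const char *pattern, const char *host)
{
    const char *dot;

    if (!pattern || !host || !*pattern || !*host) {
        return false;
    }

    /* Not a leading "*." wildcard: exact match only. Partial patterns such
     * as "f*.example.com" or "foo.*.com" therefore never act as wildcards. */
    if (strncmp(pattern, "*.", 2) != 0) {
        return strcasecmp(pattern, host) == 0;
    }

    /* The wildcard replaces the first label only, so "*.example.com" matches
     * "foo.example.com" but not "foo.bar.example.com" or "example.com". */
    dot = strchr(host, '.');
    if (!dot || !label_is_plain(host, dot)) {
        return false;
    }
    return strcasecmp(pattern + 1, dot) == 0;
}
```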


  git pull ssh://gerrit.asterisk.org:29418/asterisk refs/changes/72/18572/4
-- 
To view, visit https://gerrit.asterisk.org/c/asterisk/+/18572
To unsubscribe, or for help writing mail filters, visit https://gerrit.asterisk.org/settings

Gerrit-Project: asterisk
Gerrit-Branch: 16
Gerrit-Change-Id: If0be3fdab2e09c2a66bb54824fca406ebaac3da4
Gerrit-Change-Number: 18572
Gerrit-PatchSet: 4
Gerrit-Owner: Kevin Harwell <kharwell at digium.com>
Gerrit-Reviewer: Friendly Automation
Gerrit-Reviewer: Joshua Colp <jcolp at sangoma.com>
Gerrit-Reviewer: Kevin Harwell <kharwell at digium.com>
Gerrit-CC: N A <mail at interlinked.x10host.com>
Gerrit-Attention: N A <mail at interlinked.x10host.com>
Gerrit-MessageType: newpatchset