git.ipfire.org Git - thirdparty/asterisk.git/commit

author	Kevin Harwell <kharwell@sangoma.com>
	Thu, 26 May 2022 20:21:33 +0000 (15:21 -0500)
committer	Kevin Harwell <kharwell@digium.com>
	Thu, 30 Jun 2022 21:53:53 +0000 (16:53 -0500)
commit	628661ca42ac32a83e5c006174788c9bfc178c4a
tree	b61d7ff37fa16739f173102cc647cd645cee00f0	tree \| snapshot
parent	c76a107cdf694f30451e89f72876aeb6a19bd304	commit \| diff

res_pjsip: allow TLS verification of wildcard cert-bearing servers

Rightly the use of wildcards in certificates is disallowed in accordance
with RFC5922. However, RFC2818 does make some allowances with regards to
their use when using subject alt names with DNS name types.

As such this patch creates a new setting for TLS transports called
'allow_wildcard_certs', which when it and 'verify_server' are both enabled
allows DNS name types, as well as the common name that start with '*.'
to match as a wildcard.

For instance: *.example.com
will match for: foo.example.com

Partial matching is not allowed, e.g. f*.example.com, foo.*.com, etc...
And the starting wildcard only matches for a single level.

For instance: *.example.com
will NOT match for: foo.bar.example.com

The new setting is disabled by default.

ASTERISK-30072 #close

Change-Id: If0be3fdab2e09c2a66bb54824fca406ebaac3da4

configs/samples/pjsip.conf.sample		diff \| blob \| blame \| history
contrib/ast-db-manage/config/versions/58e440314c2a_allow_wildcard_certs.py	[new file with mode: 0644]	blob
doc/CHANGES-staging/allow_wildcard_certs.txt	[new file with mode: 0644]	blob
include/asterisk/res_pjsip.h		diff \| blob \| blame \| history
res/res_pjsip/config_transport.c		diff \| blob \| blame \| history
res/res_pjsip/pjsip_config.xml		diff \| blob \| blame \| history
res/res_pjsip/pjsip_transport_events.c		diff \| blob \| blame \| history