Summary:ASTERISK-17719: SIP TLS certificates should be verified according to RFC 5922
Reporter:Terry Wilson (twilson)
Labels:
Date Opened:2011-04-19 13:05:24
Date Closed:2017-10-11 11:18:42
Versions:
Frequency of
Description:Asterisk currently uses the Common Name in an X509 certificate to test for validity. According to RFC 5922, it is preferable to use the SubjectAltNames to test for DNS, user, and domain names and only fall back to Common Name as a last resort. Asterisk failed several tests at SIPit 28 due to its lack of ability in this area.

****** STEPS TO REPRODUCE ******

Make an outbound registration to a SIP server using a domain name that is only found in a SubjectAltName in their certificate. Watch Asterisk fail to set up the call.
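
An added example, not taken from this issue or from Asterisk's code: one way to express the name check the description asks for, run on names already extracted from the peer certificate. The `cert_names` struct and the function names are hypothetical, and the precedence used (sip URI entries, then dNSName entries only when no sip URI identity is present, then Common Name only when the certificate has no SubjectAltName at all) with whole-name matching is this example's reading of RFC 5922.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

struct cert_names { /* hypothetical: names already extracted from the cert */
    const char *const *san_uri; size_t n_uri; /* SAN URI entries */
    const char *const *san_dns; size_t n_dns; /* SAN dNSName entries */
    int has_san;    /* SubjectAltName extension present at all */
    const char *cn; /* subject Common Name, or NULL */
};

/* Host length of "sip:host[:port][;params]", 0 if not a sip domain URI (no IPv6). */
static size_t sip_uri_host(const char *uri, const char **host)
{
    if (strncasecmp(uri, "sip:", 4) != 0 || strchr(uri, '@'))
        return 0; /* other scheme, or a user identity */
    *host = uri + 4;
    return strcspn(*host, ":;?");
}

/* Whole-name, case-insensitive comparison: no wildcard or suffix matching. */
static int name_eq(const char *a, size_t alen, const char *expected)
{
    return alen == strlen(expected) && strncasecmp(a, expected, alen) == 0;
}

int sip_domain_matches(const struct cert_names *c, const char *expected)
{
    size_t i, len, sip_ids = 0;
    const char *host;
    for (i = 0; i < c->n_uri; i++) {
        if ((len = sip_uri_host(c->san_uri[i], &host)) == 0)
            continue;
        sip_ids++;
        if (name_eq(host, len, expected))
            return 1;
    }
    for (i = 0; sip_ids == 0 && i < c->n_dns; i++)
        if (name_eq(c->san_dns[i], strlen(c->san_dns[i]), expected))
            return 1;
    /* Last resort: CN counts only when the certificate has no SAN at all. */
    return !c->has_san && c->cn && name_eq(c->cn, strlen(c->cn), expected);
}
int main(void)
{
    const char *const dns[] = { "sip.example.net" }; /* constructed sample */
    struct cert_names c = { NULL, 0, dns, 1, 1, "legacy.example.net" };
    printf("%d\n", sip_domain_matches(&c, "SIP.example.net"));
    return 0;
}
```

A certificate that carries a SubjectAltName but lists the expected name only in its Common Name is rejected by this check, which is the inverse of the CN-only behaviour the description reports.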
Comments:

By: Bernhard Schmidt (bschmidt) 2016-12-20 16:48:28.913-0600

I think this was fixed a while ago, duplicate of ASTERISK-25063?

2015-05-14 17:12 +0000 [7b96e8cc3d]  Maciej Szmigiero <mail@maciej.szmigiero.name>

* Add X.509 subject alternative name support to TLS certificate

 This way one X.509 certificate can be used for hosts that
 can be reached under multiple DNS names or for multiple hosts.

 Signed-off-by: Maciej Szmigiero <mail@maciej.szmigiero.name>

 ASTERISK-25063 #close

 Change-Id: I13302c80490a0b44c43f1b45376c9bd7b15a538f

By: Corey Farrell (coreyfarrell) 2017-10-11 11:18:42.203-0500

Closing as I believe this was fixed by ASTERISK-25063.