Re: [Opalvoip-devel] TLS and Wildcard domain
From: Etienne V. <e....@vo...> - 2017-01-13 15:20:54
Ok, thanks. It explains why it is not managed.

Do you know how I can configure my OpalManager subclass to not check the certificate validity? So as to have TLS even when the certificate validation fails?

Regards

On 13/01/2017 13:46, Ankur Deep Jaiswal wrote:
> Hi Etienne,
>
> unfortunately SIP does not support wildcard ssl certificate.
> https://tools.ietf.org/html/rfc5922
>
>
> On Fri, Jan 13, 2017 at 4:23 PM, Etienne Venot <e....@vo...> wrote:
>
>     Hello,
>
>     I try to register to a SIP Proxy over TLS. The SIP Proxy has a trusted
>     wildcard certificate installed on it (*.vocalcom.com).
>     The connection actually failed and I see that the problem comes from
>     transports.cxx, function OpalTransportTLS::IsAuthenticated(const PString & domain).
>
>     Actually the code returns false if the domain name we try to connect to is
>     not exactly the same as the one in the Alt field of the certificate.
>
>     I did a quick fix (perhaps dirty, I'm not sure I manage all cases):
>
>     Instead of
>
>         if (domain == (alt.IsEmpty() ? subject.GetCommonName() : alt))
>             return true;
>
>     I do the following code:
>
>         PString certDomain = alt.IsEmpty() ? subject.GetCommonName() : alt;
>         PString peerDomain = PString(domain);
>
>         //Wildcard case
>         if (certDomain.Find("*.", 0) == 0) {
>             PString domainName = certDomain.Delete(0, 1);
>             PTRACE(3, "Test if domain \"" << domain << "\" match wildcard Peer certificate: =\"" << domainName << "\"");
>
>             //Take only the part of the domain name to test from source domain
>             peerDomain = peerDomain.Right(domainName.GetLength());
>         }
>
>         if (peerDomain == certDomain)
>             return true;
>
>     Regards
>
>     Etienne Venot
>
> --
> Regards
>
> Ankur Deep Jaiswal
> Software Architect
> Techgentsia Software Technologies Private Limited
> Ernakulam
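
Added example, not part of the original messages and not OPAL code: the thread contrasts whole-name comparison with a wildcard quick fix, and the sketch below shows which peer names each matching policy accepts. It uses std::string instead of PString; the function names and the example.com names are constructed for illustration, and MatchSuffix only models the suffix style of the quoted fix.

```cpp
#include <algorithm>
#include <cctype>
#include <iostream>
#include <string>

// Lower-case copy: DNS names compare case-insensitively.
static std::string Lower(std::string s) {
  std::transform(s.begin(), s.end(), s.begin(),
                 [](unsigned char c) { return static_cast<char>(std::tolower(c)); });
  return s;
}

// Policy 1: whole-name comparison, no wildcard handling at all.
bool MatchExact(const std::string& host, const std::string& certName) {
  return Lower(host) == Lower(certName);
}

// Policy 2: suffix comparison in the style of the quick fix ("*.x" -> ".x").
bool MatchSuffix(const std::string& host, const std::string& certName) {
  std::string h = Lower(host), c = Lower(certName);
  if (c.compare(0, 2, "*.") != 0) return h == c;
  const std::string suffix = c.substr(1);           // ".example.com"
  return h.size() >= suffix.size() &&
         h.compare(h.size() - suffix.size(), suffix.size(), suffix) == 0;
}

// Policy 3: "*" stands for exactly one non-empty left-most label.
bool MatchSingleLabel(const std::string& host, const std::string& certName) {
  std::string h = Lower(host), c = Lower(certName);
  if (c.compare(0, 2, "*.") != 0) return h == c;
  const std::string::size_type dot = h.find('.');
  if (dot == std::string::npos || dot == 0) return false;  // no or empty first label
  const std::string rest = c.substr(2);
  if (rest.find('.') == std::string::npos) return false;   // reject "*.com"
  return h.substr(dot + 1) == rest;
}

int main() {
  const std::string cert = "*.example.com";         // constructed sample name
  for (const char* host : {"sip.example.com", "a.b.example.com",
                           ".example.com", "example.com"}) {
    std::cout << host << " exact=" << MatchExact(host, cert)
              << " suffix=" << MatchSuffix(host, cert)
              << " single=" << MatchSingleLabel(host, cert) << "\n";
  }
  return 0;
}
```

The suffix policy accepts a.b.example.com and the empty-label name .example.com, both of which the single-label policy rejects.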