Re: [Opalvoip-devel] TLS and Wildcard domain
From: Robert J. <ro...@vo...> - 2017-01-14 14:57:25
Etienne,

This defeats the purpose of having a TLS connection, so no, there is not a way to do it.

----------
Robert Jongbloed
Vox Lucida Pty. Ltd.

On 13 Jan 2017, at 1:47 pm, Etienne Venot <e....@vo...> wrote:

> Ok, thanks. It explains why it is not managed.
>
> Do you know how I can configure my OpalManager subclass to not check the certificate validity? So to have TLS even when the certificate validation failed?
>
> Regards
>
> On 13/01/2017 13:46, Ankur Deep Jaiswal wrote:
>
>> Hi Etienne,
>>
>> unfortunately SIP does not support wildcard ssl certificate.
>> https://tools.ietf.org/html/rfc5922
>>
>> On Fri, Jan 13, 2017 at 4:23 PM, Etienne Venot <e....@vo...> wrote:
>>
>>> Hello,
>>>
>>> I try to Register to a SIP Proxy over TLS. The Sip Proxy has a trusted wildcard certificate installed on it (*.vocalcom.com).
>>>
>>> The connection actually failed and I see that the problem comes from transports.cxx, function OpalTransportTLS::IsAuthenticated(const PString & domain).
>>>
>>> Actually the code returns false if the domain name we try to connect is not exactly the same as the one in the Alt field of the certificate.
>>>
>>> I do a quick fix (perhaps dirty, I'm not sure to manage all cases):
>>>
>>> Instead of
>>>
>>>     if (domain == (alt.IsEmpty() ? subject.GetCommonName() : alt))
>>>         return true;
>>>
>>> I do the following code:
>>>
>>>     PString certDomain = alt.IsEmpty() ? subject.GetCommonName() : alt;
>>>     PString peerDomain = PString(domain);
>>>
>>>     //Wildcard case
>>>     if (certDomain.Find("*.", 0) == 0) {
>>>         PString domainName = certDomain.Delete(0, 1);
>>>         PTRACE(3, "Test if domain \"" << domain
>>>                << "\" match wildcard Peer certificate: =\"" << domainName << "\"");
>>>         //Take only the part of the domain name to test from source domain
>>>         peerDomain = peerDomain.Right(domainName.GetLength());
>>>     }
>>>
>>>     if (peerDomain == certDomain)
>>>         return true;
>>>
>>> Regards
>>> Etienne Venot
>>
>> --
>> Regards
>> Ankur Deep Jaiswal
>> Software Architect
>> Techgentsia Software Technologies Private Limited
>> Ernakulam

_______________________________________________
Opalvoip-devel mailing list
Opa...@li...
https://lists.sourceforge.net/lists/listinfo/opalvoip-devel
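The name comparison discussed in this thread, as an added example that is not part of the original messages or of OPAL's code: it uses std::string instead of PString, and the function names and example.test host names are made up for illustration. It goes slightly beyond the thread by setting the exact match and the quick fix's suffix match beside the single-label wildcard convention of RFC 6125, which the thread does not mention.

```cpp
#include <algorithm>
#include <cctype>
#include <initializer_list>
#include <iostream>
#include <string>

// Lower-case an ASCII DNS name so comparisons ignore case.
static std::string Lower(std::string s) {
    std::transform(s.begin(), s.end(), s.begin(),
                   [](unsigned char c) { return static_cast<char>(std::tolower(c)); });
    return s;
}

// Exact comparison only: no wildcard handling at all.
bool MatchExact(const std::string& cert, const std::string& peer) {
    return Lower(cert) == Lower(peer);
}

// Suffix comparison modelled on the quick fix: "*.example.test" accepts any
// peer ending in ".example.test", however many labels come before it.
bool MatchSuffix(const std::string& cert, const std::string& peer) {
    const std::string c = Lower(cert), p = Lower(peer);
    if (c.compare(0, 2, "*.") != 0)
        return c == p;
    const std::string suffix = c.substr(1);  // ".example.test"
    return p.size() >= suffix.size() &&
           p.compare(p.size() - suffix.size(), suffix.size(), suffix) == 0;
}

// Single-label wildcard (RFC 6125 convention, an assumption not taken from
// the thread): "*" stands for exactly one non-empty left-most label.
bool MatchSingleLabel(const std::string& cert, const std::string& peer) {
    const std::string c = Lower(cert), p = Lower(peer);
    if (c.compare(0, 2, "*.") != 0)
        return c == p;
    const std::string::size_type dot = p.find('.');
    if (dot == std::string::npos || dot == 0)
        return false;                        // nothing for "*" to stand for
    return p.substr(dot) == c.substr(1);
}

int main() {
    // Constructed host names; example.test is a placeholder domain.
    for (const char* peer : {"sip.example.test", "a.b.example.test", "example.test"})
        std::cout << peer << ": exact=" << MatchExact("*.example.test", peer)
                  << " suffix=" << MatchSuffix("*.example.test", peer)
                  << " single-label=" << MatchSingleLabel("*.example.test", peer) << '\n';
    return 0;
}
```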