	res_pjsip: allow TLS verification of wildcard cert-bearing servers
Rightly, the use of wildcards in certificates is disallowed in accordance with RFC5922. However, RFC2818 does make some allowances with regards to their use when using subject alt names with DNS name types. As such this patch creates a new setting for TLS transports called 'allow_wildcard_certs', which when it and 'verify_server' are both enabled allows DNS name types, as well as the common name, that start with '*.' to match as a wildcard. For instance: *.example.com will match for: foo.example.com Partial matching is not allowed, e.g. f*.example.com, foo.*.com, etc. And the starting wildcard only matches for a single level. For instance: *.example.com will NOT match for: foo.bar.example.com The new setting is disabled by default. ASTERISK-30072 #close Change-Id: If0be3fdab2e09c2a66bb54824fca406ebaac3da4
					committed by
					
						 Kevin Harwell
						Kevin Harwell
						parent
						
							93644fca59
					commit
					0ddbf6bc45
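--- /dev/null
+++ b/PATH-NOT-SHOWN
@@ -0,0 +1,29 @@
+"""allow_wildcard_certs
+
+Revision ID: 58e440314c2a
+Revises: 18e0805d367f
+Create Date: 2022-05-12 12:15:55.343743
+
+"""
+
+# revision identifiers, used by Alembic.
+revision = '58e440314c2a'
+down_revision = '18e0805d367f'
+
+from alembic import op
+import sqlalchemy as sa
+from sqlalchemy.dialects.postgresql import ENUM
+
+YESNO_NAME = 'yesno_values'
+YESNO_VALUES = ['yes', 'no']
+
+def upgrade():
+    yesno_values = ENUM(*YESNO_VALUES, name=YESNO_NAME, create_type=False)
+
+    op.add_column('ps_transports', sa.Column('allow_wildcard_certs', type_=yesno_values))
+
+
+def downgrade():
+    if op.get_context().bind.dialect.name == 'mssql':
+        op.drop_constraint('ck_ps_transports_allow_wildcard_certs_yesno_values', 'ps_transports')
+    op.drop_column('ps_transports', 'allow_wildcard_certs')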
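Review bot: The `sa.Column('allow_wildcard_certs', type_=yesno_values)` call in upgrade() sets no `server_default`, so every existing `ps_transports` row ends up with NULL in a column that relaxes certificate verification; presumably the realtime loader treats NULL as "unset" and falls back to the disabled default the description promises, but nothing in the migration records that, and a maintainer reading the schema cannot tell NULL from a deliberate 'no'. A one-line comment above the add_column would settle it: `# No server_default on purpose: NULL reads as unset, i.e. the option's default of 'no' (wildcard matching stays off).` The mssql branch of downgrade() drops `ck_ps_transports_allow_wildcard_certs_yesno_values`, a constraint name this file never creates explicitly; that only works if the ENUM is rendered as a CHECK constraint with that generated name on that dialect, which is not visible here, so a comment stating that dependency (`# On mssql the ENUM is emitted as a CHECK constraint; drop it before the column`) would keep the downgrade understandable.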