mirror of
https://github.com/asterisk/asterisk.git
synced 2025-09-29 18:19:30 +00:00
a02fc685a8
* Fixed a bug in crypto_show_cli_store that was causing asterisk
to crash if there were certificate revocation lists in the
verification certificate store. We're also now prefixing
certificates with "Cert:" and CRLs with "CRL:" to distinguish them
in the list.
* Added 'untrusted_cert_file' and 'untrusted_cert_path' options
to both verification and profile objects. If you have CRLs that
are signed by a different CA than the incoming X5U certificate
(indirect CRL), you'll need to provide the certificate of the
CRL signer here. Thse will show up as 'Untrusted" when showing
the verification or profile objects.
* Fixed loading of crl_path. The OpenSSL API we were using to
load CRLs won't actually load them from a directory, only a file.
We now scan the directory ourselves and load the files one-by-one.
* Fixed the verification flags being set on the certificate store.
- Removed the CRL_CHECK_ALL flag as this was causing all certificates
to be checked for CRL extensions and failing to verify the cert if
there was none. This basically caused all certs to fail when a CRL
was provided via crl_file or crl_path.
- Added the EXTENDED_CRL_SUPPORT flag as it is required to handle
indirect CRLs.
* Added a new CLI command...
`stir_shaken verify certificate_file <certificate_file> [ <profile> ]`
which will assist troubleshooting certificate problems by allowing
the user to manually verify a certificate file against either the
global verification certificate store or the store for a specific
profile.
* Updated the XML documentation and the sample config file.
Resolves: #809