<html>
  <head>
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
  </head>
  <body>
    <p>Hello,</p>
    <p>I was not aware of this constraint and I have used wildcard
      certificates so far with Kamailio and all was ok.</p>
    <p>If you want to be strict on this RFC, then you can do additional
      checks in the config file, because the validation of the TLS
      certificate is performed by libssl and it returns ok for wildcard
      certificates. There might be options for libssl to disable
      wildcard matching, but I haven't looked for them.</p>
    <p>Cheers,<br>
      Daniel<br>
    </p>
    <div class="moz-cite-prefix">On 06.08.20 14:37, Leonid Fainshtein
      wrote:<br>
    </div>
    <blockquote type="cite"
cite="mid:CAJr_9TYdzeaOG=TFfUi81SUY4yjiRJeA9+mkcAkmrq9NH2OV0g@mail.gmail.com">
      <meta http-equiv="content-type" content="text/html; charset=UTF-8">
      <div dir="ltr">
        <div class="gmail_default"
          style="font-family:arial,helvetica,sans-serif">Hello,<br
            clear="all">
        </div>
        <div class="gmail_default"
          style="font-family:arial,helvetica,sans-serif">Is it permitted
          to use wildcard TLS certificates for a Kamailio server?</div>
        <div class="gmail_default"
          style="font-family:arial,helvetica,sans-serif">In reality, it
          works (tested with v.5.4), but RFC 5922 disallows the usage of
          wildcard certificates:</div>
        <div class="gmail_default"
          style="font-family:arial,helvetica,sans-serif"><br>
        </div>
        <div class="gmail_default"
          style="font-family:arial,helvetica,sans-serif">"<span
            style="font-family:Arial,Helvetica,sans-serif">Implementations
            MUST match the values in their entirety:</span></div>
        <pre class="gmail-newpage">         Implementations MUST NOT match suffixes.  For example,
         "<a href="http://foo.example.com" moz-do-not-send="true">foo.example.com</a>" does not match "<a href="http://example.com" moz-do-not-send="true">example.com</a>".

         Implementations MUST NOT match any form of wildcard, such as a
         leading "." or "*." with any other DNS label or sequence of
         labels.  For example, "*.<a href="http://example.com" moz-do-not-send="true">example.com</a>" matches only
         "*.<a href="http://example.com" moz-do-not-send="true">example.com</a>" but not "<a href="http://foo.example.com" moz-do-not-send="true">foo.example.com</a>".  Similarly,
         ".<a href="http://example.com" moz-do-not-send="true">example.com</a>" matches only ".<a href="http://example.com" moz-do-not-send="true">example.com</a>", and does not match
         "<a href="http://foo.example.com" moz-do-not-send="true">foo.example.com</a>".
</pre>
        <div class="gmail_default"
          style="font-family:arial,helvetica,sans-serif">(Ref.:<a
            href="https://tools.ietf.org/html/rfc5922#section-7.2"
            moz-do-not-send="true">https://tools.ietf.org/html/rfc5922#section-7.2</a>)</div>
        <div class="gmail_default"
          style="font-family:arial,helvetica,sans-serif">To be honest, I
          don't understand what this restriction is good for...</div>
        <div class="gmail_default"
          style="font-family:arial,helvetica,sans-serif">Is somebody
          aware of a newer RFC that removes this limitation?</div>
        <div class="gmail_default"
          style="font-family:arial,helvetica,sans-serif"><br>
        </div>
        <div>
          <div dir="ltr" class="gmail_signature"
            data-smartmail="gmail_signature">Best regards,<br>
            Leonid Fainshtein<br>
            <br>
          </div>
        </div>
      </div>
      <br>
      <fieldset class="mimeAttachmentHeader"></fieldset>
      <pre class="moz-quote-pre" wrap="">_______________________________________________
Kamailio (SER) - Users Mailing List
<a class="moz-txt-link-abbreviated" href="mailto:sr-users@lists.kamailio.org">sr-users@lists.kamailio.org</a>
<a class="moz-txt-link-freetext" href="https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users">https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users</a>
</pre>
    </blockquote>
    <pre class="moz-signature" cols="72">-- 
Daniel-Constantin Mierla -- <a class="moz-txt-link-abbreviated" href="http://www.asipto.com">www.asipto.com</a>
<a class="moz-txt-link-abbreviated" href="http://www.twitter.com/miconda">www.twitter.com/miconda</a> -- <a class="moz-txt-link-abbreviated" href="http://www.linkedin.com/in/miconda">www.linkedin.com/in/miconda</a>
Funding: <a class="moz-txt-link-freetext" href="https://www.paypal.me/dcmierla">https://www.paypal.me/dcmierla</a></pre>
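    <p>The difference the two messages turn on, as an added example that is not part of the thread or of Kamailio's code: a comparison that follows RFC 5922 section 7.2 literally (values matched in their entirety, no suffix and no wildcard) next to the leftmost-label wildcard matching that a libssl hostname check accepts, run over constructed subjectAltName entries. The "additional check in the config file" Daniel mentions would have to apply the strict form, since libssl alone returns ok for the wildcard case.</p>

```python
"""RFC 5922 section 7.2 domain comparison next to the wildcard matching that
libssl applies.  Added example, not Kamailio's code; the certificate
identities below are constructed sample data."""

def _fold(name: str) -> str:
    # DNS names compare case-insensitively; a trailing dot is not significant.
    return name.strip().rstrip(".").lower()

def rfc5922_match(identity: str, sip_domain: str) -> bool:
    """Section 7.2: match the values in their entirety.  No suffix match and
    no wildcard match, so '*.example.com' only equals '*.example.com'."""
    return _fold(identity) == _fold(sip_domain)

def wildcard_match(identity: str, sip_domain: str) -> bool:
    """What a libssl-style hostname check accepts: a leading '*.' label
    stands for exactly one leftmost label (no partial or multi-label match)."""
    ident, host = _fold(identity), _fold(sip_domain)
    if not ident.startswith("*."):
        return ident == host
    ident_labels, host_labels = ident.split("."), host.split(".")
    return (len(ident_labels) == len(host_labels)
            and ident_labels[1:] == host_labels[1:])

def sip_identities(san_entries):
    """Pull SIP domain identities out of subjectAltName (RFC 5922 7.1):
    dNSName entries and the host part of sip: URIs (userinfo, port and
    URI parameters are stripped; IPv6 literals are not handled here)."""
    ids = []
    for kind, value in san_entries:
        if kind == "dNSName":
            ids.append(value)
        elif kind == "uniformResourceIdentifier" and value.lower().startswith("sip:"):
            ids.append(value[4:].split(";")[0].rsplit("@", 1)[-1].split(":")[0])
    return ids

def check_peer(san_entries, sip_domain):
    """Return (strict_ok, lenient_ok) for one certificate: where the two
    differ, only the wildcard made the certificate pass."""
    ids = sip_identities(san_entries)
    strict = any(rfc5922_match(i, sip_domain) for i in ids)
    lenient = any(wildcard_match(i, sip_domain) for i in ids)
    return strict, lenient

# Constructed certificate: a wildcard dNSName plus one exact sip: URI.
SAMPLE_SAN = [("dNSName", "*.example.com"),
              ("uniformResourceIdentifier", "sip:pbx.example.com")]

if __name__ == "__main__":
    for domain in ("pbx.example.com", "foo.example.com", "example.com"):
        print(domain, check_peer(SAMPLE_SAN, domain))
```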
  </body>
</html>