<html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class="">Hi<div class=""><br class=""></div><div class="">(At a quick read) That RFC restriction is crazy!</div><div class=""><br class=""></div><div class="">As Daniel says, you can code whatever you want on the Kamailio end.  </div><div class=""><br class=""></div><div class="">My thoughts are drifting towards the phone/users end, and wondering about them rejecting a wildcard certificate on the server because their developer has implemented to the letter of the RFC.</div><div class=""><br class=""></div><div class="">However there’s also talk of DNS there and no talk of subject-name vs alternatives.  So I’m wondering if this would pass the RFC rules;</div><div class=""><br class=""></div><div class="">IP: 1.2.3.4 which resolves to <a href="http://sip.myserver.com" class="">server42.sip.myserver.com</a></div><div class=""><br class=""></div><div class="">SIP Domain: <a href="http://customer1.sip.mysever.com" class="">customer1.pbxhost.com</a></div><div class=""><br class=""></div><div class="">Certificate;</div><div class="">Subject Name : <a href="http://sip.myserver.com" class="">server42.sip.myserver.com</a><br class="">Alternative Name : *.<a href="http://pbxhost.com" class="">pbxhost.com</a></div><div class=""><br class=""></div><div class="">Which means DNS can fully match the FQDN in the certificates subject name, and everything else is covered by the alternative name</div><div class=""><br class=""></div><div class="">...maybe?</div><div class=""><br class=""></div><div class=""><br class=""></div><div class="">Mark<br class=""><div><br class=""><blockquote type="cite" class=""><div class="">On 7 Aug 2020, at 09:08, Daniel-Constantin Mierla <<a href="mailto:miconda@gmail.com" class="">miconda@gmail.com</a>> wrote:</div><br class="Apple-interchange-newline"><div class="">

    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" class="">

  <div class=""><p class="">Hello,</p><p class="">I was not aware of this constraint and I used wildcard

      certificates so far with Kamailio and all was ok.</p><p class="">If you want to be strict on this RFC, then you can do additional

      checks in the config file, because the validation of tls

      certificate is performed by libssl and it returns ok for wildcard

      certificates. There might be options for libssl to disable

      wildcard matching, but I haven't looked for.</p><p class="">Cheers,<br class="">

      Daniel<br class="">

    </p>

    <div class="moz-cite-prefix">On 06.08.20 14:37, Leonid Fainshtein

      wrote:<br class="">

    </div>

    <blockquote type="cite" cite="mid:CAJr_9TYdzeaOG=TFfUi81SUY4yjiRJeA9+mkcAkmrq9NH2OV0g@mail.gmail.com" class="">

      <meta http-equiv="content-type" content="text/html; charset=UTF-8" class="">

      <div dir="ltr" class="">

        <div class="gmail_default" style="font-family:arial,helvetica,sans-serif">Hello,<br clear="all" class="">

        </div>

        <div class="gmail_default" style="font-family:arial,helvetica,sans-serif">Is it permitted

          to use the wildcard TLS certificates for Kamailio server?</div>

        <div class="gmail_default" style="font-family:arial,helvetica,sans-serif">In reality, it

          works (tested with v.5.4) but the RFC-5922 disables the

          wildcard certificates usage:</div>

        <div class="gmail_default" style="font-family:arial,helvetica,sans-serif"><br class="">

        </div>

        <div class="gmail_default" style="font-family:arial,helvetica,sans-serif">"<span style="font-family:Arial,Helvetica,sans-serif" class="">Implementations

            MUST match the values in their entirety:</span></div>

        <pre class="gmail-newpage">         Implementations MUST NOT match suffixes.  For example,

         "<a href="http://foo.example.com/" moz-do-not-send="true" class="">foo.example.com</a>" does not match "<a href="http://example.com/" moz-do-not-send="true" class="">example.com</a>".

         Implementations MUST NOT match any form of wildcard, such as a

         leading "." or "*." with any other DNS label or sequence of

         labels.  For example, "*.<a href="http://example.com/" moz-do-not-send="true" class="">example.com</a>" matches only

         "*.<a href="http://example.com/" moz-do-not-send="true" class="">example.com</a>" but not "<a href="http://foo.example.com/" moz-do-not-send="true" class="">foo.example.com</a>".  Similarly,

         ".<a href="http://example.com/" moz-do-not-send="true" class="">example.com</a>" matches only ".<a href="http://example.com/" moz-do-not-send="true" class="">example.com</a>", and does not match

         "<a href="http://foo.example.com/" moz-do-not-send="true" class="">foo.example.com</a>".

</pre>

        <div class="gmail_default" style="font-family:arial,helvetica,sans-serif">(Ref.:<a href="https://tools.ietf.org/html/rfc5922#section-7.2" moz-do-not-send="true" class="">https://tools.ietf.org/html/rfc5922#section-7.2</a>)</div>

        <div class="gmail_default" style="font-family:arial,helvetica,sans-serif">To be honest, I

          don't understand why this restriction is good for...</div>

        <div class="gmail_default" style="font-family:arial,helvetica,sans-serif">Is somebody

          aware of a newer RFC that removes this limitation?</div>

        <div class="gmail_default" style="font-family:arial,helvetica,sans-serif"><br class="">

        </div>

        <div class="">

          <div dir="ltr" class="gmail_signature" data-smartmail="gmail_signature">Best regards,<br class="">

            Leonid Fainshtein<br class="">

            <br class="">

          </div>

        </div>

      </div>

      <br class="">

      <fieldset class="mimeAttachmentHeader"></fieldset>

      <pre class="moz-quote-pre" wrap="">_______________________________________________

Kamailio (SER) - Users Mailing List

<a class="moz-txt-link-abbreviated" href="mailto:sr-users@lists.kamailio.org">sr-users@lists.kamailio.org</a>

<a class="moz-txt-link-freetext" href="https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users">https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users</a>

</pre>

    </blockquote>

    <pre class="moz-signature" cols="72">-- 

Daniel-Constantin Mierla -- <a class="moz-txt-link-abbreviated" href="http://www.asipto.com/">www.asipto.com</a>

<a class="moz-txt-link-abbreviated" href="http://www.twitter.com/miconda">www.twitter.com/miconda</a> -- <a class="moz-txt-link-abbreviated" href="http://www.linkedin.com/in/miconda">www.linkedin.com/in/miconda</a>

Funding: <a class="moz-txt-link-freetext" href="https://www.paypal.me/dcmierla">https://www.paypal.me/dcmierla</a></pre>

  </div>

_______________________________________________<br class="">Kamailio (SER) - Users Mailing List<br class=""><a href="mailto:sr-users@lists.kamailio.org" class="">sr-users@lists.kamailio.org</a><br class="">https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users<br class=""></div></blockquote></div><br class=""></div></body></html>