Hi everybody,
According to RFC 3261, proxies should possess a site certificate whose subject corresponds to their canonical hostname. In the case of the gen_usercert.sh helper script this must be placed in the "Common Name" field, I guess. So when mutual authentication takes place, the two proxies should check the CN of each other's certificate.
I have a proxy sip.atlanta.com and another one sip.biloxi.com. I generated two certificates with CN=hostname. Then I added the root CA certs of the other proxy to calist.pem. It works really fine :-) So I played around and generated certificates with other CNs like badguy.atlanta.com, sip.badname.com or badguy.badname.com - they don't have the corresponding hostname or the domain name of the server (or both). I imported them one after the other into sip.atlanta.com - and it still works (tls_init: verify_callback: preverify is good: verify return: 1) :-(
So, am I doing something wrong, or does OpenSER not validate the host/domain name of the server against the certificate's subject?
Thanks for hints!
Regards, Philipp
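The missing step the post describes (chain verification passing without any comparison of the certificate's name against the peer's expected hostname) is what a verify callback would have to add on top of preverify_ok. The following is an added example, not OpenSER's code and not the helper scripts mentioned above: a standalone Python name check over the dict format that Python's ssl.SSLSocket.getpeercert() returns, with constructed certificate dicts for the hostnames from the post. It goes slightly beyond the post's CN-only framing by preferring subjectAltName dNSName entries over the CN when they are present, and by accepting a wildcard only in the leftmost label, which is the usual RFC 6125 style rule. The certificate dicts and the expected hostname are constructed for illustration.

```python
"""Peer hostname check for a TLS verify step (added example, not OpenSER code).

Works on the dict shape returned by ssl.SSLSocket.getpeercert(), e.g.
    {"subject": ((("commonName", "sip.biloxi.com"),),),
     "subjectAltName": (("DNSName", "sip.biloxi.com"),)}
"""
from typing import Dict, List, Sequence, Tuple


def _dns_names(cert: Dict) -> List[str]:
    """Names the certificate claims: SAN dNSName entries first, CN only as fallback."""
    sans = [value for (kind, value) in cert.get("subjectAltName", ()) if kind == "DNSName"]
    if sans:
        return sans
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return [value]
    return []


def _name_matches(pattern: str, host: str) -> bool:
    """Case-insensitive match; a wildcard is allowed only as the whole leftmost label
    and must stand for exactly one label (so *.atlanta.com matches sip.atlanta.com,
    but neither atlanta.com nor deep.sip.atlanta.com)."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if pattern == host:
        return True
    if not pattern.startswith("*."):
        return False
    p_labels = pattern.split(".")
    h_labels = host.split(".")
    # Refuse wildcards that would cover a whole public suffix such as *.com.
    if len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def hostname_matches_cert(cert: Dict, expected_host: str) -> bool:
    """True if any name the certificate carries matches the hostname we dialed."""
    return any(_name_matches(name, expected_host) for name in _dns_names(cert))


def verify_peer(cert: Dict, expected_host: str, preverify_ok: bool) -> Tuple[bool, str]:
    """What a verify callback has to decide: chain validity AND name match.
    preverify_ok is the chain result OpenSSL hands to the callback; returning it
    unchanged (the behaviour the post's log line suggests) skips the name check."""
    if not preverify_ok:
        return False, "certificate chain did not verify"
    if not hostname_matches_cert(cert, expected_host):
        return False, "peer presented %r, expected %s" % (_dns_names(cert), expected_host)
    return True, "ok"


def make_cert(cn: str, sans: Sequence[str] = ()) -> Dict:
    """Constructed certificate dict for the example (not parsed from a real cert)."""
    cert: Dict = {"subject": ((("commonName", cn),),)}
    if sans:
        cert["subjectAltName"] = tuple(("DNSName", s) for s in sans)
    return cert


# Hostname the connecting side expects, and the CNs tried in the post.
EXPECTED_HOST = "sip.atlanta.com"
GOOD_CERT = make_cert("sip.atlanta.com")
BAD_CERTS = {
    "badguy.atlanta.com": make_cert("badguy.atlanta.com"),
    "sip.badname.com": make_cert("sip.badname.com"),
    "badguy.badname.com": make_cert("badguy.badname.com"),
}
WILDCARD_CERT = make_cert("ignored-cn.example", sans=["*.atlanta.com"])
# CN looks right, but the SAN present in the cert says otherwise; SAN wins.
SAN_OVERRIDES_CN_CERT = make_cert("sip.atlanta.com", sans=["other.example.net"])


if __name__ == "__main__":
    print("good cert:", verify_peer(GOOD_CERT, EXPECTED_HOST, preverify_ok=True))
    for cn, cert in BAD_CERTS.items():
        print(cn + ":", verify_peer(cert, EXPECTED_HOST, preverify_ok=True))
    print("wildcard SAN:", verify_peer(WILDCARD_CERT, EXPECTED_HOST, preverify_ok=True))
    print("SAN overrides CN:", verify_peer(SAN_OVERRIDES_CN_CERT, EXPECTED_HOST, preverify_ok=True))
```

The three bad CNs from the post all fail verify_peer here even though preverify_ok is True, which is the distinction the log line "preverify is good: verify return: 1" hides: a chain that verifies against calist.pem says the certificate was issued by a trusted CA, not that it was issued to the host you are talking to.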