Re: [Users] tls certificate - canonical name checked ???

Hi everybody, According to RFC3261 proxies should possess a site certificate whose subject corresponds to their canonical hostname. In the case of gen_usercert.sh helperscript this must be placed in the "Common Name" field I guess. So when mutual authentication takes place, the two proxies should check the CN of each others certificate. I have a proxy sip.atlanta.com <http://sip.atlanta.com> and another one sip.biloxi.com <http://sip.biloxi.com>. I generated two certificates with CN=hostname. Then I added the rootCA-certs of the other proxy to the calist.pem. It works really fine :-) So I played around and generated certificates with other CNs like badguy.atlanta.com <http://badguy.atlanta.com> or sip.badname.com<http://sip.badname.com>or badguy.badname.com <http://badguy.badname.com> - they don't have either the corresponding hostname or the domainname of the server (or both). I imported one after the other in sip.atlanta.com<http://sip.atlanta.com>- and it still works (tls_init: verify_callback: preverify is good: verify return: 1) :-( So, am I doing something wrong or does OpenSER not validate the host/domainname of the server against the certificate's subject ??? Thanks for hints ! regards, Philipp _______________________________________________ Users mailing list Users(a)openser.org http://openser.org/cgi-bin/mailman/listinfo/users