Is there some means to get access to local and peer ssl certificate X509v3 Subject Alternative Name value?
For example, if there is this in certificate:
Subject: CN=foo.bar.com
X509v3 Subject Alternative Name: DNS:foo.bar.com, DNS:foo.car.com, DNS:car.com
$tls_my_san_hostname produces only foo.bar.com.
-- Juha
Hello,
haven't tested nor looked at source code -- have you tried to see if it works with index (e.g., $tls_my_san_hostname[2])?
Cheers, Daniel
On 11/07/16 15:17, Juha Heinanen wrote:
> Is there some means to get access to local and peer ssl certificate X509v3 Subject Alternative Name value?
> For example, if there is this in certificate:
> Subject: CN=foo.bar.com
> X509v3 Subject Alternative Name: DNS:foo.bar.com, DNS:foo.car.com, DNS:car.com
> $tls_my_san_hostname produces only foo.bar.com.
> -- Juha
On 12/07/16 20:03, Juha Heinanen wrote:
> Daniel-Constantin Mierla writes:
> > haven't tested nor looked at source code -- have you tried to see if it works with index (e.g., $tls_my_san_hostname[2])?
> $var(san) = $tls_my_san_hostname[2];
> results in $var(san) == 0.
The right format to try for a variable with index would have been $(tls_my_san_hostname[2]) -- have you tried that, too?
Daniel
Daniel-Constantin Mierla writes:
> The right format to try for a variable with index would have been $(tls_my_san_hostname[2]) -- have you tried that, too?
$var(san2) = $(tls_my_san_hostname[2]);
xlog("L_INFO", "*********** $var(san2)\n");
produces:
Jul 13 09:51:44 sars sip-proxy[7486]: 0(7537) ERROR: <core> [pvapi.c:918]: pv_parse_spec2(): pvar "tls_my_san_hostname" does not get index param
Jul 13 09:51:44 sars sip-proxy[7486]: 0(7537) ERROR: <core> [pvapi.c:1032]: pv_parse_spec2(): wrong char [1/49] in [$(tls_my_san_hostname[1])] at [22 (3)]
same with tls_peer_san_hostname.
A peer SIP proxy may serve many domains and list those as alt names in its certificate. Another peer may be interested in only one of those domains and needs to check if that domain is listed in the certificate. That is why it would be useful to get access to all alt names listed in the peer certificate.
-- Juha
On 13/07/16 08:56, Juha Heinanen wrote:
> Daniel-Constantin Mierla writes:
> > The right format to try for a variable with index would have been $(tls_my_san_hostname[2]) -- have you tried that, too?
> $var(san2) = $(tls_my_san_hostname[2]);
> xlog("L_INFO", "*********** $var(san2)\n");
> produces:
> Jul 13 09:51:44 sars sip-proxy[7486]: 0(7537) ERROR: <core> [pvapi.c:918]: pv_parse_spec2(): pvar "tls_my_san_hostname" does not get index param
> Jul 13 09:51:44 sars sip-proxy[7486]: 0(7537) ERROR: <core> [pvapi.c:1032]: pv_parse_spec2(): wrong char [1/49] in [$(tls_my_san_hostname[1])] at [22 (3)]
> same with tls_peer_san_hostname.
> A peer SIP proxy may serve many domains and list those as alt names in its certificate. Another peer may be interested in only one of those domains and needs to check if that domain is listed in the certificate. That is why it would be useful to get access to all alt names listed in the peer certificate.
It's clear that the variable was not developed with array access in mind, as it doesn't support indexes. You should open a feature request; someone has to write some C code to get it done.
Cheers, Daniel
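
The check described in the thread (is a given domain among the alt names of a certificate?), written out as an added example that runs outside Kamailio; it is not code from the thread or from the Kamailio project. It assumes the certificate has been dumped with `openssl x509 -noout -text`; the function names are made up for this example, and the wildcard handling goes beyond what the thread discusses.

```python
import re

# Constructed sample: the certificate from the thread, laid out the way
# `openssl x509 -noout -text` prints the fields.
CERT_TEXT = """\
        Subject: CN=foo.bar.com
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:foo.bar.com, DNS:foo.car.com, DNS:car.com
"""

SAN_RE = re.compile(r"X509v3 Subject Alternative Name:(?:\s*critical)?\s*([^\n]+)")


def dns_sans(cert_text):
    """Return every DNS alt name in the text dump, lower-cased."""
    m = SAN_RE.search(cert_text)
    if not m:
        return []  # no SAN extension present
    names = []
    for entry in m.group(1).split(","):
        kind, _, value = entry.strip().partition(":")
        if kind == "DNS" and value:  # skip IP Address, URI, email entries
            names.append(value.lower().rstrip("."))
    return names


def san_matches(pattern, domain):
    """Case-insensitive compare; '*' may only stand for the whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    d = domain.lower().rstrip(".").split(".")
    if len(p) != len(d) or "" in d:
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == d[1:]  # "*.com" is never accepted
    return p == d


def domain_listed(cert_text, domain):
    """True if any DNS alt name in the certificate covers the domain."""
    return any(san_matches(name, domain) for name in dns_sans(cert_text))


if __name__ == "__main__":
    print(dns_sans(CERT_TEXT))
    for wanted in ("car.com", "Foo.Car.Com", "bar.com"):
        print(wanted, domain_listed(CERT_TEXT, wanted))
```

Parsing the text dump suits inspection and offline checks; inside a proxy the alt names should be read from the certificate extension through the TLS library rather than from printed text.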