[Users] tls certificate - canonical name checked ???
Alexander Ph. Lintenhofer
lintenhofer at aon.at
Mon Oct 10 23:35:09 CEST 2005
Hi everybody,
According to RFC3261 proxies should possess a site certificate whose
subject corresponds to their canonical hostname.
In the case of the gen_usercert.sh helper script, this must be placed in the
"Common Name" field, I guess.
So when mutual authentication takes place, the two proxies should check
the CN of each other's certificate.
I have a proxy sip.atlanta.com and another one sip.biloxi.com. I
generated two certificates with CN=hostname. Then I added the
rootCA-certs of the other proxy to the calist.pem. It works really fine :-)
So I played around and generated certificates with other CNs like
badguy.atlanta.com or sip.badname.com or badguy.badname.com - they don't
have either the corresponding hostname or the domainname of the server
(or both). I imported one after the other in sip.atlanta.com - and it
still works (tls_init: verify_callback: preverify is good: verify
return: 1) :-(
So, am I doing something wrong or does OpenSER not validate the
host/domainname of the server against the certificate's subject ???
Thanks for hints !
regards,
Philipp
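The behaviour described above (verify_callback returning 1 for a well-formed chain regardless of the name in the certificate) is what you get when only the chain is checked: OpenSSL's preverify result says nothing about whether the subject matches the host you meant to talk to. The following is an added example, not OpenSER code or anything from the gen_usercert.sh script, showing the name check a TLS peer should perform in addition to chain verification. It works on constructed dicts in the shape Python's ssl.getpeercert() returns (subject RDNs plus optional subjectAltName), so it runs offline; the hostnames and the make_cert helper are assumptions for illustration. The matching rule is the usual one: SAN dNSName entries take precedence, the CN is only a fallback when there is no SAN, comparison is case-insensitive, and a wildcard is accepted only as the whole leftmost label.

```python
"""Hostname check that must pass in addition to the chain check (the
OpenSSL `preverify` result) before a TLS peer is trusted.

Certificates here are constructed dicts in the shape returned by
ssl.SSLSocket.getpeercert(); no real certificate or network is needed.
"""


def _dns_names(cert):
    """Names eligible for matching: SAN dNSName entries if any exist,
    otherwise the subject commonName (CN is only a fallback)."""
    san = [v for (k, v) in cert.get("subjectAltName", ()) if k == "DNS"]
    if san:
        return san
    return [v for rdn in cert.get("subject", ()) for (k, v) in rdn
            if k == "commonName"]


def _name_matches(pattern, hostname):
    """Match one certificate name against the expected hostname.

    Case-insensitive; trailing dots ignored. A wildcard is accepted only as
    the entire leftmost label ('*.atlanta.com'), it needs at least two
    labels to its right, and it matches exactly one label (so it never
    matches a sub-subdomain). Anything else with a '*' is rejected.
    """
    pattern = pattern.rstrip(".").lower()
    hostname = hostname.rstrip(".").lower()
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or "*" in pattern[1:] or len(p_labels) < 3:
        return False
    if len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def hostname_matches(cert, hostname):
    """True if any eligible name in the certificate matches hostname."""
    return any(_name_matches(n, hostname) for n in _dns_names(cert))


def verify_peer(preverify_ok, cert, expected_hostname):
    """What a verify callback (or post-handshake check) should decide:
    the chain must be good AND the certificate must name the host we
    intended to reach. Returns (accepted, reason)."""
    if not preverify_ok:
        return False, "chain verification failed"
    if not hostname_matches(cert, expected_hostname):
        return False, "certificate names %r do not match %r" % (
            _dns_names(cert), expected_hostname)
    return True, "ok"


def make_cert(cn, sans=()):
    """Build a constructed certificate dict (assumption: mirrors the
    getpeercert() layout; it is not a real X.509 certificate)."""
    cert = {"subject": ((("commonName", cn),),)}
    if sans:
        cert["subjectAltName"] = tuple(("DNS", s) for s in sans)
    return cert


# Constructed test certificates, using the names from the post.
EXPECTED = "sip.atlanta.com"
GOOD = make_cert("sip.atlanta.com")
BAD_HOST = make_cert("badguy.atlanta.com")     # right domain, wrong host
BAD_DOMAIN = make_cert("sip.badname.com")      # right host label, wrong domain
BAD_BOTH = make_cert("badguy.badname.com")
SAN_OVERRIDES_CN = make_cert("sip.atlanta.com", sans=("proxy.atlanta.com",))
WILDCARD = make_cert("ignored-cn", sans=("*.atlanta.com",))

if __name__ == "__main__":
    for label, cert in [("good", GOOD), ("bad host", BAD_HOST),
                        ("bad domain", BAD_DOMAIN), ("bad both", BAD_BOTH),
                        ("SAN overrides CN", SAN_OVERRIDES_CN),
                        ("wildcard", WILDCARD)]:
        # preverify_ok=True models the chain check having succeeded, which
        # is exactly the case in which the name check still has to decide.
        print("%-18s -> %s" % (label, verify_peer(True, cert, EXPECTED)))
```

Only GOOD and WILDCARD are accepted for sip.atlanta.com; the three "badguy"/"badname" certificates are rejected even though their chains validate, which is the outcome the post expected to see. Note that SAN_OVERRIDES_CN is rejected too: once a certificate carries a dNSName SAN, the CN is no longer consulted, so a CN that happens to match is not enough. In a C program built on OpenSSL the same decision can be delegated to X509_check_host() (OpenSSL 1.0.2 and later) from inside the verify callback or after the handshake; either way it is a separate step from the chain check that preverify reports.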