[SR-Users] Using wildcard certificates for Kamailio server

Henning Westerholt hw at skalatan.de
Fri Aug 7 10:52:46 CEST 2020


Hello,

there are some user agents that are logging errors (like pjsip) for wild card certificates or even not supporting it. But several major operators using it, so it works good with Kamailio, of course.

Cheers,

Henning

--
Henning Westerholt – https://skalatan.de/blog/
Kamailio services – https://gilawa.com<https://gilawa.com/>

From: sr-users <sr-users-bounces at lists.kamailio.org> On Behalf Of Daniel-Constantin Mierla
Sent: Friday, August 7, 2020 10:08 AM
To: Kamailio (SER) - Users Mailing List <sr-users at lists.kamailio.org>; Leonid Fainshtein <leonid.fainshtein at xorcom.com>
Subject: Re: [SR-Users] Using wildcard certificates for Kamailio server


Hello,

I was not aware of this constraint and I used wildcard certificates so far with Kamailio and all was ok.

If you want to be strict on this RFC, then you can do additional checks in the config file, because the validation of tls certificate is performed by libssl and it returns ok for wildcard certificates. There might be options for libssl to disable wildcard matching, but I haven't looked for.

Cheers,
Daniel
On 06.08.20 14:37, Leonid Fainshtein wrote:
Hello,
Is it permitted to use the wildcard TLS certificates for Kamailio server?
In reality, it works (tested with v.5.4) but the RFC-5922 disables the wildcard certificates usage:

"Implementations MUST match the values in their entirety:

         Implementations MUST NOT match suffixes.  For example,

         "foo.example.com<http://foo.example.com>" does not match "example.com<http://example.com>".



         Implementations MUST NOT match any form of wildcard, such as a

         leading "." or "*." with any other DNS label or sequence of

         labels.  For example, "*.example.com<http://example.com>" matches only

         "*.example.com<http://example.com>" but not "foo.example.com<http://foo.example.com>".  Similarly,

         ".example.com<http://example.com>" matches only ".example.com<http://example.com>", and does not match

         "foo.example.com<http://foo.example.com>".
(Ref.:https://tools.ietf.org/html/rfc5922#section-7.2)
To be honest, I don't understand why this restriction is good for...
Is somebody aware of a newer RFC that removes this limitation?

Best regards,
Leonid Fainshtein



_______________________________________________

Kamailio (SER) - Users Mailing List

sr-users at lists.kamailio.org<mailto:sr-users at lists.kamailio.org>

https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users

--

Daniel-Constantin Mierla -- www.asipto.com<http://www.asipto.com>

www.twitter.com/miconda<http://www.twitter.com/miconda> -- www.linkedin.com/in/miconda<http://www.linkedin.com/in/miconda>

Funding: https://www.paypal.me/dcmierla
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.kamailio.org/pipermail/sr-users/attachments/20200807/dc03bea2/attachment.htm>


More information about the sr-users mailing list