If there are no complaints, I will commit sometime this week.
Index: resip/stack/ssl/TlsConnection.cxx
===================================================================
--- resip/stack/ssl/TlsConnection.cxx (revision 9058)
+++ resip/stack/ssl/TlsConnection.cxx (working copy)
@@ -24,6 +24,8 @@
#define RESIPROCATE_SUBSYSTEM Subsystem::TRANSPORT
+bool TlsConnection::mRFC5922CertificateRules = false;
+
TlsConnection::TlsConnection( Transport* transport, const Tuple& tuple,
Socket fd, Security* security,
bool server, Data domain, SecurityTypes::SSLType sslType ,
@@ -280,25 +282,21 @@
bool matches = false;
for(std::list<BaseSecurity::PeerName>::iterator it = mPeerNames.begin(); it != mPeerNames.end(); it++)
{
- if(it->mType == BaseSecurity::CommonName)
+ if(mRFC5922CertificateRules)
{
- //allow wildcard match for subdomain name (RFC 2459)
- if(BaseSecurity::matchHostName(it->mName, who().getTargetDomain()))
+ if(isEqualNoCase(it->mName, who().getTargetDomain()))
{
matches=true;
break;
}
}
- else //it->mType == SubjectAltName
- {
- //no wildcards for SubjectAltName
- if(isEqualNoCase(it->mName, who().getTargetDomain()))
+ //.amr. allow wildcard match (RFC 2459), RFC 3261 doesn't prevent wildcards.
+ else if(BaseSecurity::matchHostName(it->mName, who().getTargetDomain()))
{
matches=true;
break;
}
}
- }
if(!matches)
{
mTlsState = Broken;
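Review bot: Because `mRFC5922CertificateRules` defaults to `false` (first hunk of TlsConnection.cxx), the new `else if(BaseSecurity::matchHostName(...))` branch applies wildcard matching to every entry in mPeerNames, including SubjectAltName entries that the removed code deliberately compared exactly (`//no wildcards for SubjectAltName`), so the out-of-the-box peer-name check is looser than before the patch. If that relaxation is intended, say so in the commit message and on the `else if` line, e.g. `// Legacy mode (default): wildcard match for CN and subjectAltName alike; enable the RFC 5922 rules for exact matching`; otherwise keep the wildcard branch guarded by `it->mType == BaseSecurity::CommonName` as the old code did. In the RFC 5922 mode the loop also treats CN and subjectAltName entries identically, whereas RFC 5922 §7.1, as I read it, only falls back to the Common Name when the certificate has no usable subjectAltName, so a CN match should probably be ignored when SAN entries are present. Since the flag is a plain static read on the handshake path, the header's `setRFC5922CertificateRules` (TlsConnection.hxx hunk) should document that it is expected to be set before connections are created. The enclosing function starts before this hunk.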
Index: resip/stack/ssl/TlsConnection.hxx
===================================================================
--- resip/stack/ssl/TlsConnection.hxx (revision 9057)
+++ resip/stack/ssl/TlsConnection.hxx (working copy)
@@ -48,6 +48,8 @@
typedef enum TlsState { Initial, Broken, Handshaking, Up } TlsState;
static const char * fromState(TlsState);
+ static bool RFC5922CertificateRules() { return mRFC5922CertificateRules; }
+ static void setRFC5922CertificateRules(bool bEnable) { mRFC5922CertificateRules = bEnable; }
private:
/// No default c'tor
@@ -67,6 +69,7 @@
SSL* mSsl;
BIO* mBio;
std::list<BaseSecurity::PeerName> mPeerNames;
+ static bool mRFC5922CertificateRules;
};
}