Index: resip/stack/ssl/Security.cxx
===================================================================
--- resip/stack/ssl/Security.cxx (revision 9050)
+++ resip/stack/ssl/Security.cxx (working copy)
@@ -171,6 +171,8 @@
}
+// .amr. RFC 5922 mandates exact match only on certificates, so this is the default, but RFC 2459 and RFC 3261 don't prevent wildcards, so disable if you want that mode.
+bool BaseSecurity::mAllowWildcardCertificates = false;
BaseSecurity::CipherList BaseSecurity::ExportableSuite("!SSLv2:aRSA+AES:aDSS+AES:@STRENGTH:aRSA+3DES:aDSS+3DES:aRSA+RC4+MEDIUM:aDSS+RC4+MEDIUM:aRSA+DES:aDSS+DES:aRSA+RC4:aDSS+RC4");
BaseSecurity::CipherList BaseSecurity::StrongestSuite("!SSLv2:aRSA+AES:aDSS+AES:@STRENGTH:aRSA+3DES:aDSS+3DES");
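Review bot: The comment on the new `mAllowWildcardCertificates` definition cites RFC 2459 as the basis for the wildcard mode, but RFC 2459 is obsoleted by RFC 5280 and neither document defines wildcard matching; the rules practitioners expect are RFC 2818 §3.1 and RFC 6125 §6.4.3 (wildcard only as the complete left-most label, never spanning a dot, never for IP addresses). Since the default of `false` is the conservative RFC 5922 behaviour, I would name the permissive rules precisely so a deployer knows what they are opting into, e.g. `// RFC 5922 §7.2 requires an exact (case-insensitive) match, so wildcards are off by default; enabling them applies the RFC 2818/6125 wildcard rules instead.` The `.amr.` author tag in the comment should probably be dropped or moved to the commit message.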
@@ -2434,12 +2436,22 @@
return Data::Empty;
}
/**
- Matchtes subjectAltName and cnames
- @todo looks incomplete, make better
+ Applies the certificate and domain name matching rules
*/
int
BaseSecurity::matchHostName(const Data& certificateName, const Data& domainName)
{
+ if(mAllowWildcardCertificates)
+ return matchHostNameWithWildcards(certificateName,domainName);
+ return isEqualNoCase(certificateName,domainName);
+}
+/**
+ Does a wildcard match on domain and certificate name
+ @todo looks incomplete, make better
+*/
+int
+BaseSecurity::matchHostNameWithWildcards(const Data& certificateName, const Data& domainName)
+{
const char *dot = NULL;
const char *certName = certificateName.c_str();
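Review bot: The `@todo looks incomplete, make better` carried over onto `matchHostNameWithWildcards` still does not say what is missing, which matters more now that this path is user-enableable; the body of `matchHostNameWithWildcards` continues past this hunk so I cannot verify which rules it already enforces. I would replace the todo with the concrete RFC 6125 §6.4.3 checklist as the acceptance criteria: the `*` must be the entire left-most label, must not match across a `.`, must not match a bare parent domain, and must never be applied to an IP-literal target. `matchHostName` itself also deserves a one-line contract since both callers treat it as a boolean: `/// @return non-zero when certificateName identifies domainName under the configured policy (exact case-insensitive match unless mAllowWildcardCertificates is set).`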
Index: resip/stack/ssl/Security.hxx
===================================================================
--- resip/stack/ssl/Security.hxx (revision 9050)
+++ resip/stack/ssl/Security.hxx (working copy)
@@ -167,11 +167,15 @@
static bool isSelfSigned(const X509* cert);
- // match with wildcards
static int matchHostName(const Data& certificateName, const Data& domainName);
// allow particular classes to acces the functions below
// friend class TlsConnection;
+
+ // Allow overriding of RFC 5922 rules on certificate matching.
+ static void setAllowWildcardCertificates(bool bEnable) { mAllowWildcardCertificates = bEnable; }
+ static bool allowWildcardCertificates() { return mAllowWildcardCertificates; }
+
public:
SSL_CTX* getTlsCtx ();
SSL_CTX* getSslCtx ();
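Review bot: `setAllowWildcardCertificates` writes a plain process-wide `static bool` that `TlsConnection` reads on every handshake, so toggling it while connections are being established is a data race and silently changes the acceptance policy for connections already in flight. If the intent is a one-time deployment choice, the header should say so: `// Process-wide. Call once at start-up, before any TLS connection is created; changing it at run time is not synchronised and affects all connections.` If run-time toggling is really wanted, the flag should become a per-Security instance setting or at least a `std::atomic<bool>` if the codebase's C++ level allows it (not visible from this hunk).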
@@ -216,6 +220,10 @@
Data getPrivateKeyPEM (PEMType type, const Data& name) const;
Data getPrivateKeyDER (PEMType type, const Data& name) const;
void addPrivateKeyPKEY(PEMType type, const Data& name, EVP_PKEY* pKey, bool write) const;
+
+ // match with wildcards
+ static int matchHostNameWithWildcards(const Data& certificateName, const Data& domainName);
+ static bool mAllowWildcardCertificates;
};
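Review bot: `mAllowWildcardCertificates` is declared here as a bare static data member next to `matchHostNameWithWildcards`, which makes the new `setAllowWildcardCertificates`/`allowWildcardCertificates` accessors pointless unless an access specifier I cannot see between the `public:` at the earlier hunk and this one makes it non-public; I would check that and, if it is public, move it under `private:` so the only way to relax certificate matching is the documented setter. Keeping a security policy flag as public mutable data invites `BaseSecurity::mAllowWildcardCertificates = true;` from arbitrary code, which is much harder to audit than a grep for the setter.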
class Security : public BaseSecurity
Index: resip/stack/ssl/TlsConnection.cxx
===================================================================
--- resip/stack/ssl/TlsConnection.cxx (revision 9050)
+++ resip/stack/ssl/TlsConnection.cxx (working copy)
@@ -280,25 +280,12 @@
bool matches = false;
for(std::list<BaseSecurity::PeerName>::iterator it = mPeerNames.begin(); it != mPeerNames.end(); it++)
{
- if(it->mType == BaseSecurity::CommonName)
+ if(BaseSecurity::matchHostName(it->mName, who().getTargetDomain()))
{
- //allow wildcard match for subdomain name (RFC 2459)
- if(BaseSecurity::matchHostName(it->mName, who().getTargetDomain()))
- {
- matches=true;
- break;
- }
- }
- else //it->mType == SubjectAltName
- {
- //no wildcards for SubjectAltName
- if(isEqualNoCase(it->mName, who().getTargetDomain()))
- {
matches=true;
break;
}
}
- }
if(!matches)
{
mTlsState = Broken;
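Review bot: Collapsing the `CommonName`/`SubjectAltName` branches into one `matchHostName` call means that, once wildcards are enabled, the wildcard matcher now also applies to SubjectAltName entries, whereas the removed code explicitly refused wildcards for SAN ("no wildcards for SubjectAltName"); the commit message should state that this is intended, because it widens what a certificate can claim in the non-default mode. Note that RFC 6125 takes the opposite stance to the old code (wildcards are permitted in dNSName SANs and discouraged in the CN), so if the old CN-only behaviour is what must survive, keep the type check inline: `bool ok = (it->mType == BaseSecurity::SubjectAltName) ? isEqualNoCase(it->mName, who().getTargetDomain()) : BaseSecurity::matchHostName(it->mName, who().getTargetDomain());`. Either way a comment on the loop saying which policy applies to which name type would stop the next reader from re-deriving it. Hoisting `who().getTargetDomain()` out of the loop into a local is also cheaper and easier to read.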