res_pjsip: allow TLS verification of wildcard cert-bearing servers

Rightly the use of wildcards in certificates is disallowed in accordance with RFC5922. However, RFC2818 does make some allowances with regards to their use when using subject alt names with DNS name types. As such this patch creates a new setting for TLS transports called 'allow_wildcard_certs', which when it and 'verify_server' are both enabled allows DNS name types, as well as the common name that start with '*.' to match as a wildcard. For instance: *.example.com will match for: foo.example.com Partial matching is not allowed, e.g. f*.example.com, foo.*.com, etc... And the starting wildcard only matches for a single level. For instance: *.example.com will NOT match for: foo.bar.example.com The new setting is disabled by default. ASTERISK-30072 #close Change-Id: If0be3fdab2e09c2a66bb54824fca406ebaac3da4
2025-09-03 11:25:35 +00:00 · 2022-05-26 15:21:33 -05:00
parent c76a107cdf
commit 628661ca42
7 changed files with 218 additions and 2 deletions
--- a/include/asterisk/res_pjsip.h
+++ b/include/asterisk/res_pjsip.h
@@ -155,6 +155,14 @@ struct ast_sip_transport_state {
 	 * \since 13.18.0
 	 */
 	struct ast_sockaddr external_media_address;
+	/*!
+	 * Disregard RFC5922 7.2, and allow wildcard certs (TLS only)
+	 */
+	int allow_wildcard_certs;
+	/*!
+	 * If true, fail if server certificate cannot verify (TLS only)
+	 */
+	int verify_server;
 };

 #define ast_sip_transport_is_nonlocal(transport_state, addr) \