[SIP Beyond VoIP] TLS certificate of sip2sip.info is "wrong"

Adrian Georgescu ag at ag-projects.com
Wed Jan 22 15:28:15 CET 2014


Hi Inaki,

I believe the cert is bound to the A record where the client attempts to connect after NAPTR and SRV record lookups. A domain is served by different A records for different services and the client should use the A record name for validation rather than the original domain.

Adrian

On 22 Jan 2014, at 12:24, Iñaki Baz Castillo <ibc at aliax.net> wrote:

> Hi,
> 
> After NAPTR / SRV procedures, sip2sip.info domain points to host
> proxy.sipthor.net and port 443 for SIP over TLS.
> 
> The server certificate has the following fields:
> 
> - CN: *.sipthor.net
> - SubjectAltNames:
>    - DNS:*.sipthor.net
>    - DNS:sipthor.net
> 
> But when using a sip2sip.info account, the client expects to connect
> to a TLS server that provides a certificate for the domain
> sip2sip.info or *.sip2sip.info in the CN or SubjectAltName fields.
> 
> This is not the case at all, so the TLS validation of the server's
> certificate fails.
> 
> 
> -- 
> Iñaki Baz Castillo
> <ibc at aliax.net>
> _______________________________________________
> SIPBeyondVoIP mailing list
> SIPBeyondVoIP at lists.ag-projects.com
> http://lists.ag-projects.com/mailman/listinfo/sipbeyondvoip
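
The two messages above differ only in which name the client takes as its reference identity. This added example (not code from either poster or from any SIP client) checks both candidates, the SIP domain and the SRV target, against the certificate names quoted in the thread; the function names and the simplified wildcard rule are assumptions made for illustration.

```python
# Added example: host names and certificate names are the ones quoted in the
# thread; the matching helper is a simplified, hypothetical wildcard check.

CERT_SAN_DNS = ["*.sipthor.net", "sipthor.net"]  # SubjectAltNames from the thread
SIP_DOMAIN = "sip2sip.info"                      # domain of the SIP account
SRV_TARGET = "proxy.sipthor.net"                 # host reached after NAPTR / SRV


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """Match one certificate DNS name against a reference hostname.

    A wildcard is honoured only as the complete left-most label and stands
    for exactly one label, so *.sipthor.net covers proxy.sipthor.net but
    not sipthor.net or a.proxy.sipthor.net.
    """
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h) or "" in h:
        return False
    # Reject partial wildcards (a*.example) and wildcards past the first label.
    if "*" in ".".join(p[1:]) or ("*" in p[0] and p[0] != "*"):
        return False
    if p[0] == "*":
        # Require at least two fixed labels so "*.net" never matches.
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h


def validate(reference_id: str, san_dns: list[str]) -> list[str]:
    """Return the certificate names that cover the reference identity."""
    return [name for name in san_dns if dns_name_matches(name, reference_id)]


def compare_reference_identities() -> dict[str, list[str]]:
    """Evaluate both candidate reference identities against the certificate."""
    return {ref: validate(ref, CERT_SAN_DNS) for ref in (SIP_DOMAIN, SRV_TARGET)}


if __name__ == "__main__":
    for ref, hits in compare_reference_identities().items():
        verdict = "OK via " + ", ".join(hits) if hits else "no matching name"
        print(f"{ref:20} -> {verdict}")
```

The SRV target is itself an answer obtained from DNS, so a client that validates against it trusts the NAPTR / SRV lookup as much as it trusts the certificate.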
