authorBenny Prijono <bennylp@teluu.com>2014-07-25 07:27:37 +0000
committerBenny Prijono <bennylp@teluu.com>2014-07-25 07:27:37 +0000
commit10511d890b8769ad4a7fdbddecfb7bfb605d03cb (patch)
tree2805306dcd14a37d67709ed98a778de00a7ef52a
parent9086bd47d42bb2efccf9d9bc982c17b1fae8b2aa (diff)
Misc #1751: added logging when TLS domain verification fails due to invalid use of wildcard. Thanks Alexander Traud for the patch
git-svn-id: http://svn.pjsip.org/repos/pjproject/trunk@4882 74dad513-b988-da41-8d7b-12977e46ad98
-rw-r--r--pjsip/src/pjsip/sip_transport_tls.c8
1 files changed, 7 insertions, 1 deletions
diff --git a/pjsip/src/pjsip/sip_transport_tls.c b/pjsip/src/pjsip/sip_transport_tls.c
index aa486987..0878c3a2 100644
--- a/pjsip/src/pjsip/sip_transport_tls.c
+++ b/pjsip/src/pjsip/sip_transport_tls.c
@@ -1640,8 +1640,14 @@ static pj_bool_t on_connect_complete(pj_ssl_sock_t *ssock,
matched = !pj_stricmp(remote_name, &serv_cert->subject.cn);
}
- if (!matched)
+ if (!matched) {
+ if (pj_strnicmp2(&serv_cert->subject.cn, "*.", 2) == 0) {
+ PJ_LOG(1,(tls->base.obj_name,
+ "RFC 5922 (section 7.2) does not allow TLS wildcard "
+ "certificates. Advise your SIP provider, please!"));
+ }
ssl_info.verify_status |= PJ_SSL_CERT_EIDENTITY_NOT_MATCH;
+ }
}
/* Prevent immediate transport destroy as application may access it
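Review bot: The new PJ_LOG fires for any identity mismatch where the subject CN begins with `*.`, so it blames the wildcard even when the certificate belongs to an unrelated domain, and it records neither the presented CN nor the expected name. Since this is the line an operator sees when triaging a failed TLS identity check, log both, with length-bounded formatting because pj_str_t values are not NUL-terminated and the CN is peer-supplied: `"TLS identity mismatch for '%.*s': peer CN '%.*s' is a wildcard, not allowed by RFC 5922 section 7.2", (int)remote_name->slen, remote_name->ptr, (int)serv_cert->subject.cn.slen, serv_cert->subject.cn.ptr` (assuming remote_name is a pj_str_t pointer, as its use in pj_stricmp suggests). The check also looks only at subject.cn; if the matching code above the hunk consults subjectAltName entries, a wildcard there would not produce the hint. PJ_SSL_CERT_EIDENTITY_NOT_MATCH is still set on every mismatch, so the rejection itself is unaffected; on_connect_complete starts and ends outside this hunk.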