From 10511d890b8769ad4a7fdbddecfb7bfb605d03cb Mon Sep 17 00:00:00 2001
From: Benny Prijono
Date: Fri, 25 Jul 2014 07:27:37 +0000
Subject: Misc #1751: added logging when TLS domain verification fails due to invalid use of wildcard. Thanks Alexander Traud for the patch

git-svn-id: http://svn.pjsip.org/repos/pjproject/trunk@4882 74dad513-b988-da41-8d7b-12977e46ad98
---
 pjsip/src/pjsip/sip_transport_tls.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/pjsip/src/pjsip/sip_transport_tls.c b/pjsip/src/pjsip/sip_transport_tls.c
index aa486987..0878c3a2 100644
--- a/pjsip/src/pjsip/sip_transport_tls.c
+++ b/pjsip/src/pjsip/sip_transport_tls.c
@@ -1640,8 +1640,14 @@ static pj_bool_t on_connect_complete(pj_ssl_sock_t *ssock,
 	    matched = !pj_stricmp(remote_name, &serv_cert->subject.cn);
 	}
 
-	if (!matched)
+	if (!matched) {
+	    if (pj_strnicmp2(&serv_cert->subject.cn, "*.", 2) == 0) {
+		PJ_LOG(1,(tls->base.obj_name,
+			  "RFC 5922 (section 7.2) does not allow TLS wildcard "
+			  "certificates. Advise your SIP provider, please!"));
+	    }
 	    ssl_info.verify_status |= PJ_SSL_CERT_EIDENTITY_NOT_MATCH;
+	}
     }
 
     /* Prevent immediate transport destroy as application may access it
-- 
cgit v1.2.3
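Review bot: The new PJ_LOG inside the `if (pj_strnicmp2(&serv_cert->subject.cn, "*.", 2) == 0)` branch reports that a wildcard was rejected but not which name was expected or which CN the peer presented, so an operator cannot verify the failure from the log alone; the rejection itself (`ssl_info.verify_status |= PJ_SSL_CERT_EIDENTITY_NOT_MATCH`, which the hunk rightly keeps for the wildcard case) is what matters for security, and the log is only a diagnostic. I would extend the message to `"RFC 5922 (section 7.2) does not allow TLS wildcard certificates: CN '%.*s' does not match '%.*s'", (int)serv_cert->subject.cn.slen, serv_cert->subject.cn.ptr, (int)remote_name->slen, remote_name->ptr));` — remote_name appears to be a `pj_str_t *` given the `pj_stricmp(remote_name, &serv_cert->subject.cn)` call above, so confirm that before relying on `->slen`. The CN is peer-supplied, so it must stay a `%.*s` argument and never become the format string, and it may still carry control characters into the log. The detection also only looks at a `*.` prefix of the subject CN; a bare `*` CN, or a wildcard presented in a subjectAltName entry, would still be rejected by the existing matching but not explained by this message — the alt-name comparison is outside the hunk, so I cannot tell whether those cases reach `subject.cn`. on_connect_complete begins before this hunk and continues after it.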