forked from Mirrors/freeswitch
1d726c1d91
The correct incantations to enable certification common name / subject alternative name verification, per our code, are `subjects_all`, `subjects_in`, and `subjects_out` in a Sofia profile's `tls-verify-policy`. What we've had in our examples and documentation for years are `all_subjects`, `in_subjects`, and `out_subjects`. The result of this is that we've almost certainly confused people into using the incorrect forms. Those poor people will believe that they are verifying the CN/SAN of the received host certificate against the list in `tls-verify-in-subjects` when in fact they are not. One clear issue in this case was that the incorrect forms failed to have any effect without providing any warning or error. This issue could not have persisted if we had made more noise about incorrect input. Given how long this has been broken, it's tempting to alias the incorrect forms to the correct ones. However this would certainly break many existing installations that have, because of this error, never actually tested their setup with CN/SAN validation enabled. In this commit, we fix the examples and documentation, and add an error-level log output when unknown values are passed to `tls-verify-policy`. Thanks-to: Andrew Patrikalakis <anrp+freeswitch@anrp.net> |
||
---|---|---|
.. | ||
autoload_configs | ||
dialplan | ||
directory | ||
lang | ||
sip_profiles | ||
cacert.pem | ||
freeswitch.xml | ||
mime.types | ||
vars.xml |