Re: allow_wildcard_certs

[hw <hw@adminart.net>]

On Fri, 2025-10-10 at 12:21 +0200, didier gaumet wrote:
> Le 10/10/2025 à 10:47, hw a écrit :
> > Hi,
> > 
> > does the version of asterisk in Debian not have the option
> > 'allow_wildcard_certs'?
> > 
> > When I try to use it in a transport, asterisk says it can't retrieve the
> > transport.
> 
> Hello,
> 
> Unless you are talking about Debian Unstable (Sid), there is no more 
> Asterisk package in Debian, the last one was for Debian 11 Bullseye (1).
> In Sid Asterisk 22 is packaged, so since the feature you mentioned has 
> been introduced in Asterisk 20 (2), it should work in Sid, provided you 
> set it up as advised in (2).

Oh --- I thought it's Debian, but it's actually Fedoras version, sorry.

That would be 18.12.1 --- which probably should have the option as it
shows up in the documentation for version 16[a].  Maybe I'm doing it
wrong somehow in pjsip.conf?  The documentation never tells you where to
put what :(


[wildcards]
type=transport
protocol=tls
bind=[IPv4 address of server]
verify_server=yes
allow_wildcard_certs=yes                                               
ca_list_file=/etc/pki/tls/certs/ca-bundle.crt
cert_file=/etc/asterisk/cert/fullchain.pem
priv_key_file=/etc/asterisk/cert/privkey.pem
method=tlsv1_2


With allow_wildcard_certs, it can't retrieve the transport.

One of the VOIP providers is using a certificate that has a wildcard in
it and isn't even issued for the right server fqdn.  I told them they
need a new certificate, but perhaps I can get it to work (probably not
because it's for the wrong server anyway).


[a]:
https://docs.asterisk.org/Asterisk_16_Documentation/API_Documentation/Module_Configuration/res_pjsip/#endpoint-endpoint


> (1) 
> https://packages.debian.org/search?keywords=asterisk&searchon=names&exact=1&suite=all&section=all
> (2) 
> https://docs.asterisk.org/Asterisk_20_Documentation/Upgrading/#res_pjproject

-- 
Bislang noch nicht verboten: Einigkeit und Recht und Freiheit für das
deutsche Vaterland!