asterisk -- TLS Certificate Common name NULL byte exploit

2015-04-04T00:00:00
ID 5FEE3F02-DE37-11E4-B7C3-001999F8D30B
Type freebsd
Reporter FreeBSD
Modified 2015-04-04T00:00:00

Description

The Asterisk project reports:

When Asterisk registers to a SIP TLS device and verifies the server, Asterisk will accept signed certificates that match a common name other than the one Asterisk is expecting if the signed certificate has a common name containing a null byte after the portion of the common name that Asterisk expected. For example, if Asterisk is trying to register to www.domain.com, Asterisk will accept certificates of the form www.domain.com\x00www.someotherdomain.com.
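The class of comparison flaw described above, next to a length-aware check, as an added example (not Asterisk's code and not part of the advisory). The common name is modelled as a byte buffer plus its decoded length; the function names and sample values are constructed for illustration.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Naive check (hypothetical): treats the CN bytes as a C string, so the
 * comparison stops at the first NUL and ignores everything after it. */
int cn_matches_naive(const unsigned char *cn, size_t cn_len, const char *expected)
{
    (void)cn_len; /* the decoded length is never consulted: that is the defect */
    return strcmp((const char *)cn, expected) == 0;
}

/* Length-aware check (hypothetical): reject any CN containing a NUL, require
 * the decoded length to equal the expected hostname length, then compare
 * every byte case-insensitively. */
int cn_matches_strict(const unsigned char *cn, size_t cn_len, const char *expected)
{
    size_t i;

    if (memchr(cn, '\0', cn_len) != NULL)
        return 0;
    if (cn_len != strlen(expected))
        return 0;
    for (i = 0; i < cn_len; i++)
        if (tolower(cn[i]) != tolower((unsigned char)expected[i]))
            return 0;
    return 1;
}

/* Constructed sample CNs; sizeof - 1 drops the literal's trailing NUL. */
static const unsigned char CN_GOOD[] = "www.domain.com";
static const unsigned char CN_NUL[]  = "www.domain.com\0www.someotherdomain.com";

int main(void)
{
    const char *host = "www.domain.com";

    printf("plain CN:    naive=%d strict=%d\n",
           cn_matches_naive(CN_GOOD, sizeof CN_GOOD - 1, host),
           cn_matches_strict(CN_GOOD, sizeof CN_GOOD - 1, host));
    printf("NUL-byte CN: naive=%d strict=%d\n",
           cn_matches_naive(CN_NUL, sizeof CN_NUL - 1, host),
           cn_matches_strict(CN_NUL, sizeof CN_NUL - 1, host));
    return 0;
}
```

With a real TLS library the same rule applies: compare against the length the ASN.1 decoder reports for the name, not against `strlen()` of the returned pointer.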