Content

Page tree

D-SERIES

Web User Interface

N/A

Phone User Interface

N/A

This setting can be changed via provisioning or HTTP requests

Initial Firmware Version

Start: 8.8.3.26

XML Configuration

<check_fqdn_against_server_cert perm="PERMISSIONFLAGS">VALIDVALUE</check_fqdn_against_server_cert>

Description

When on, the phone checks whether the FQDN of the server it is trying to connect to via TLS appears either as CN in the subject field or is listed in the IP/DNS fields of the Subject Alternative Names(SAN) extension of the certificate presented by the server. If the name/IP is not found, the certificate is rejected.

If the server has been entered in the phone settings as an IP address, this check will only accept the connection if the IP address is present in the IP field of the SAN. The certificate Common Name and DNS fields of the SAN will in this case be ignored.

Note for SIP over TLS with SRV+NAPTR:

  • for versions >=10.1.63.0 the FQDN of the server it is trying to connect to is the Outbound Proxy, if configured. If no Outbound Proxy is configured, the Registrar is used. Also see RFC 5922, Section 4
  • the behavior for versions < 10.1.63.0 was not fully compliant to RFC 5922. For correct functionality, it is recommended to upgrade to the latest available firmware version

The host name validation can be controlled with the setting host_name_validation_flags

Note for version 8.x: This setting has no effect if TLS Server Authentication is turned off.

Valid Values

on, off

Default Value

UC Edition and Version 10.x: on
Non-UC Edition and Version 8.x: off