
D-SERIES

Web User Interface

N/A

Phone User Interface

N/A

This setting can be changed via provisioning or HTTP requests.

Initial Firmware Version

Start: 8.8.3.26

XML Configuration

<check_fqdn_against_server_cert perm="PERMISSIONFLAGS">VALIDVALUE</check_fqdn_against_server_cert>

Description

When on, the phone checks whether the FQDN of the server it is connecting to via TLS appears either as the CN in the subject field or in the IP/DNS fields of the Subject Alternative Names (SAN) extension of the certificate presented by the server. If the name/IP is not found, the certificate is rejected.

IP addresses
If the server has been entered in the phone settings as an IP address, this check will only accept the connection if the IP address is present in the IP field of the SAN. The certificate Common Name and DNS fields of the SAN will in this case be ignored.


Names
The FQDN that is checked is the server name on which the A record resolution is done. This means that if the server resolves via SRV+NAPTR to several hosts, the phone chooses one host and tries to connect to it via TLS. The name of that host is what the phone then compares with the CN or SANs of the certificate presented by the server.
The host name validation can be controlled with the setting host_name_validation_flags.

Note for version 8.x: This setting has no effect if TLS Server Authentication is turned off.
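
The matching rule described above, written out as an added Python example (not snom firmware code). It reads a certificate in the dict layout returned by Python's `ssl.SSLSocket.getpeercert()`; the function names, the constructed sample certificates, and the exact, case-insensitive comparison without wildcard handling are assumptions of this example.

```python
import ipaddress

def is_ip(host):
    """True if host parses as an IPv4 or IPv6 literal."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def cert_matches_server(cert, host):
    """Apply the documented rule to the host the phone actually connects to.

    host is the name the A record lookup was done on (after SRV/NAPTR),
    or the IP address entered in the phone settings.
    """
    sans = cert.get("subjectAltName", ())
    if is_ip(host):
        # Server entered as an IP: only SAN IP entries count.
        # The CN and the SAN DNS entries are ignored.
        want = ipaddress.ip_address(host)
        return any(kind == "IP Address" and is_ip(val)
                   and ipaddress.ip_address(val) == want
                   for kind, val in sans)
    # Server entered as a name: accept the CN or any SAN DNS entry.
    # Assumption: exact, case-insensitive match; wildcards not handled.
    names = {val.lower() for kind, val in sans if kind == "DNS"}
    for rdn in cert.get("subject", ()):
        for key, val in rdn:
            if key == "commonName":
                names.add(val.lower())
    return host.lower() in names

# Constructed sample certificates (not taken from a real server).
CERT = {
    "subject": ((("commonName", "pbx1.example.net"),),),
    "subjectAltName": (("DNS", "pbx1.example.net"),
                       ("DNS", "pbx2.example.net"),
                       ("IP Address", "192.0.2.10")),
}
# The IP appears only as CN and as a DNS entry, never as a SAN IP entry.
CERT_IP_IN_CN_ONLY = {
    "subject": ((("commonName", "192.0.2.10"),),),
    "subjectAltName": (("DNS", "192.0.2.10"),),
}

if __name__ == "__main__":
    for h in ("pbx1.example.net", "sip.example.com", "192.0.2.10"):
        print(h, cert_matches_server(CERT, h))
```

In the sample, `sip.example.com` stands for a provisioned domain whose SRV records point at `pbx1.example.net`: the certificate must carry the SRV target host, not the domain, to pass the check.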

Valid Values

on, off

Default Value

UC Edition and Version 10.x: on
Non-UC Edition and Version 8.x: off