[asterisk-bugs] [Asterisk 0017736]: Only one certificate, multiple domains

Asterisk Bug Tracker noreply at bugs.digium.com
Tue Apr 19 12:36:59 CDT 2011


A NOTE has been added to this issue. 
====================================================================== 
https://issues.asterisk.org/view.php?id=17736 
====================================================================== 
Reported By:                oej
Assigned To:                
====================================================================== 
Project:                    Asterisk
Issue ID:                   17736
Category:                   Channels/chan_sip/TCP-TLS
Reproducibility:            have not tried
Severity:                   minor
Priority:                   normal
Status:                     acknowledged
Asterisk Version:           1.8.0-beta2 
JIRA:                       SWP-1968 
Regression:                 No 
Reviewboard Link:            
SVN Branch (only for SVN checkouts, not tarball releases): N/A 
SVN Revision (number only!):  
Request Review:              
====================================================================== 
Date Submitted:             2010-07-28 09:32 CDT
Last Modified:              2011-04-19 12:36 CDT
====================================================================== 
Summary:                    Only one certificate, multiple domains
Description: 
Asterisk has long supported hosting of multiple SIP domains.
The TLS implementation only supports ONE certificate, meaning that we only
support TLS for ONE domain without using subject alt names, something that
is not widely implemented.

I consider this a bug in the TLS implementation. New features should
follow the existing design, not break it. For 1.8 we need to be able to
have one certificate (and one TLS socket) for each domain.
====================================================================== 

---------------------------------------------------------------------- 
 (0133961) twilson (administrator) - 2011-04-19 12:36
 https://issues.asterisk.org/view.php?id=17736#c133961 
---------------------------------------------------------------------- 
According to https://datatracker.ietf.org/doc/rfc5922/ certificates for SIP
devices should be using SubjectAltNames and not Common Name. I'm working on
a patch to add SubjectAltName support to Asterisk's TCP/TLS stuff. At SIPit
28, it seemed that a lot of people were using the SubjectAltNames in their
implementations (because Asterisk was failing when other implementations
were not).

It seems hacky to have to have lots of different certificates for a single
server, but I can see how it would be useful for dealing with legacy
equipment. 

Issue History 
Date Modified    Username       Field                    Change               
====================================================================== 
2011-04-19 12:36 twilson        Note Added: 0133961                          
======================================================================
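
The SubjectAltName-before-Common-Name matching that the note above refers to, as an added example following RFC 5922 section 7 as read here; it is not Asterisk code and not the patch the note mentions. `struct san`, `cert_matches_sip_domain` and the sample entries are hypothetical; the SAN values are assumed to be already extracted from the certificate, and hosts are assumed to be domain names, not IP literals.

```c
#include <stddef.h>
#include <string.h>
#include <strings.h>

enum san_type { SAN_URI, SAN_DNS };   /* other SAN types never carry a SIP identity */
struct san { enum san_type type; const char *value; };

/* Whole-name, case-insensitive comparison: no wildcard or suffix matching. */
static int same_name(const char *a, size_t alen, const char *domain)
{
    return alen == strlen(domain) && strncasecmp(a, domain, alen) == 0;
}
/* Returns 1 if the certificate identifies SIP domain `domain`, else 0.
 * sans/n: subjectAltName entries already pulled from the certificate (assumed);
 * cn: subject Common Name, or NULL. */
int cert_matches_sip_domain(const struct san *sans, size_t n,
                            const char *cn, const char *domain)
{
    int saw_sip_uri = 0;
    size_t i;
    if (n == 0)   /* CN is a fallback only when no subjectAltName exists */
        return cn != NULL && same_name(cn, strlen(cn), domain);
    for (i = 0; i < n; i++) {
        const char *v = sans[i].value;
        if (sans[i].type != SAN_URI || strncasecmp(v, "sip:", 4) != 0)
            continue;         /* only URIs with the "sip" scheme count */
        if (strchr(v, '@'))
            continue;         /* userpart: names a user, not a domain */
        saw_sip_uri = 1;
        v += 4;
        if (same_name(v, strcspn(v, ":;?"), domain))
            return 1;
    }
    if (saw_sip_uri)          /* DNS entries count only without a sip URI identity */
        return 0;
    for (i = 0; i < n; i++)
        if (sans[i].type == SAN_DNS &&
            same_name(sans[i].value, strlen(sans[i].value), domain))
            return 1;
    return 0;
}

/* Constructed sample: one certificate covering two hosted SIP domains. */
static const struct san sample_sans[] = {
    { SAN_URI, "sip:example.com" }, { SAN_URI, "sip:example.org" },
    { SAN_URI, "sip:alice@example.net" },
    { SAN_DNS, "pbx.example.com" }, { SAN_DNS, "*.example.com" },
};
int main(void) { return !cert_matches_sip_domain(sample_sans, 5, NULL, "example.org"); }
```

With the sample entries, a single certificate answers for both `example.com` and `example.org`, while the Common Name and the DNS entries are ignored because sip URI identities are present.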



