[asterisk-bugs] [Asterisk 0017736]: Only one certificate, multiple domains

Asterisk Bug Tracker noreply at bugs.digium.com
Wed Apr 20 01:03:47 CDT 2011


A NOTE has been added to this issue. 
====================================================================== 
https://issues.asterisk.org/view.php?id=17736 
====================================================================== 
Reported By:                oej
Assigned To:                
====================================================================== 
Project:                    Asterisk
Issue ID:                   17736
Category:                   Channels/chan_sip/TCP-TLS
Reproducibility:            have not tried
Severity:                   minor
Priority:                   normal
Status:                     acknowledged
Asterisk Version:           1.8.0-beta2 
JIRA:                       SWP-1968 
Regression:                 No 
Reviewboard Link:            
SVN Branch (only for SVN checkouts, not tarball releases): N/A 
SVN Revision (number only!):  
Request Review:              
====================================================================== 
Date Submitted:             2010-07-28 09:32 CDT
Last Modified:              2011-04-20 01:03 CDT
====================================================================== 
Summary:                    Only one certificate, multiple domains
Description: 
Asterisk has long supported hosting of multiple SIP domains.
The TLS implementation only supports ONE certificate, meaning that we only
support TLS for ONE domain without using subject alt names, something that
is not widely implemented.

I consider this a bug in the TLS implementation. New features should
follow the existing design, not break it. For 1.8 we need to be able to
have one certificate (and one TLS socket) for each domain.
====================================================================== 

---------------------------------------------------------------------- 
 (0133974) oej (manager) - 2011-04-20 01:03
 https://issues.asterisk.org/view.php?id=17736#c133974 
---------------------------------------------------------------------- 
It doesn't say we should NOT use common name, but that we should prefer SAN
URIs, then SAN domains (only if we need multiple domains).

Good thing to hear that implementations are finally coming, I've been
running tutorials about this at SIPits for years... :-)

It's impossible to buy certs with SAN SIP URIs today. It is possible, but
very expensive to get those with SAN domains. It's cheap to get certs with
CNs. So we need to support having multiple TCP ports open with separate
certs. 

Issue History 
Date Modified    Username       Field                    Change               
====================================================================== 
2011-04-20 01:03 oej            Note Added: 0133974                          
======================================================================
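
The identity preference described in the note above (SAN URIs first, then SAN domains, then the common name), applied to picking one certificate per hosted SIP domain. This is an added example, not part of the original message or Asterisk's code; the certificate file names, sample identities, exact-match comparison, and the rule that the CN is consulted only when a certificate carries no SAN identities are assumptions of the example.

```python
# Constructed sample certificates: only the identity fields are modelled.
CERTS = {
    "cn-only.pem": {"cn": "sip.example.com", "san_uri": [], "san_dns": []},
    "san-dns.pem": {"cn": "ignored.example.net", "san_uri": [],
                    "san_dns": ["example.org", "example.net"]},
    "san-uri.pem": {"cn": "host1", "san_uri": ["sip:example.edu"],
                    "san_dns": ["other.example"]},
}

TIER_ORDER = {"san_uri": 0, "san_dns": 1, "cn": 2}


def sip_uri_domain(uri):
    """Return the domain of a sip:/sips: SAN URI, or None if it is not a
    domain identity (wrong scheme, or it names a user such as sip:alice@...)."""
    scheme, _, rest = uri.partition(":")
    if scheme.lower() not in ("sip", "sips") or "@" in rest or not rest:
        return None
    # Drop URI parameters, headers and an optional port.
    host = rest.split(";")[0].split("?")[0].split(":")[0]
    return host.lower() or None


def match_tier(cert, domain):
    """Return which identity tier of `cert` matches `domain`, or None."""
    domain = domain.lower().rstrip(".")
    uri_ids = [d for d in map(sip_uri_domain, cert["san_uri"]) if d]
    dns_ids = [d.lower() for d in cert["san_dns"]]
    if domain in uri_ids:
        return "san_uri"
    if domain in dns_ids:
        return "san_dns"
    # Assumption: the CN counts only when no SAN identity is present at all.
    if not uri_ids and not dns_ids and cert["cn"].lower() == domain:
        return "cn"
    return None


def select_cert(certs, domain):
    """Pick the certificate for `domain`, preferring the strongest tier."""
    hits = [(TIER_ORDER[tier], name, tier)
            for name, cert in certs.items()
            if (tier := match_tier(cert, domain))]
    if not hits:
        return None
    _, name, tier = min(hits)
    return name, tier
```
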
