[asterisk-bugs] [JIRA] (ASTERISK-17727) [patch] TLS doesn't get all certificate chain

Guillaume Martres (JIRA) noreply at issues.asterisk.org
Tue Jan 21 16:51:04 CST 2014


    [ https://issues.asterisk.org/jira/browse/ASTERISK-17727?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=214281#comment-214281 ] 

Guillaume Martres commented on ASTERISK-17727:
----------------------------------------------

While discussing this on IRC, concerns were raised about support of DER files since SSL_CTX_use_certificate_chain_file does not support them, but Asterisk currently passes SSL_FILETYPE_PEM to SSL_CTX_use_certificate_file so this doesn't actually break anything.
It's even recommended by the OpenSSL documentation: "SSL_CTX_use_certificate_chain_file() should be used instead of the SSL_CTX_use_certificate_file() function in order to allow the use of complete certificate chains even when no trusted CA storage is used or when the CA issuing the certificate shall not be added to the trusted CA storage." https://www.openssl.org/docs/ssl/SSL_CTX_use_certificate.html
                
> [patch] TLS doesn't get all certificate chain
> ---------------------------------------------
>
>                 Key: ASTERISK-17727
>                 URL: https://issues.asterisk.org/jira/browse/ASTERISK-17727
>             Project: Asterisk
>          Issue Type: Bug
>          Components: Channels/chan_sip/TCP-TLS
>    Affects Versions: 1.8.1
>            Reporter: LN
>            Severity: Minor
>         Attachments: use_certificate_chain.patch
>
>
> Dear All, dear Digium,
> I use TLS on asterisk 1.8.1 with a cert file of trustwave.com CA root.
> I expected to load the certificate chain in the "tlscafile" (defined in sip.conf) and the certificate released from the CA root in the "tlscertfile" (defined in sip.conf).
> I see that the certificate chain is composed with the intermediate certificate of TrustWave CA (SecureTrust) and the root certificate of Entrust CA.
> So I copy the intermediate certificate of TrustWave CA in the tlscafile and append to that the root certificate of Entrust CA.
> Instead, I copy the certificate released from the CA in the tlscertfile.
> But after that, it seems that asterisk reads only the first certificate of the chain in the file tlscafile and doesn't read both certificates (intermediate cert of TrustWave and root cert of Entrust). So the general chain of the certificate (CA, intermediate cert and root cert) turns out UNTRUSTED.
> I think that this is a bug.
> tlscafile 
> tlscertfile

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.asterisk.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira