[asterisk-bugs] [JIRA] (ASTERISK-24815) [patch] Enable TLS Dual-Certificates (ECC+RSA)

Rusty Newton (JIRA) noreply at issues.asterisk.org
Fri Feb 20 17:03:36 CST 2015


    [ https://issues.asterisk.org/jira/browse/ASTERISK-24815?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=225029#comment-225029 ] 

Rusty Newton commented on ASTERISK-24815:
-----------------------------------------

Thanks for the contribution! If you'd like your contribution to be included faster, you should submit your patch for code review by the Asterisk Developer Community. To do so, please follow the Code Review [1] instructions on the wiki. Be sure to:
* Verify that your patch conforms to the Coding Guidelines [2]
* Review the Code Review Checklist [3] for common items reviewers will look for
* If necessary, provide tests for the Asterisk Test Suite that verify the correctness of your patch [4]
* As this is a new feature, please read the New Feature Guidelines [5]
* Make sure your new feature applies cleanly to Asterisk trunk

When ready, submit your patch and any tests to Review Board [6] for code review.

Thanks!

[1] https://wiki.asterisk.org/wiki/display/AST/Code+Review
[2] https://wiki.asterisk.org/wiki/display/AST/Coding+Guidelines
[3] https://wiki.asterisk.org/wiki/display/AST/Code+Review+Checklist
[4] https://wiki.asterisk.org/wiki/display/AST/Asterisk+Test+Suite+Documentation
[5] https://wiki.asterisk.org/wiki/display/AST/New+Feature+Guidelines
[6] https://wiki.asterisk.org/wiki/display/AST/Review+Board+Usage



> [patch] Enable TLS Dual-Certificates (ECC+RSA)
> ----------------------------------------------
>
>                 Key: ASTERISK-24815
>                 URL: https://issues.asterisk.org/jira/browse/ASTERISK-24815
>             Project: Asterisk
>          Issue Type: Improvement
>      Security Level: None
>          Components: Channels/chan_sip/TCP-TLS
>    Affects Versions: SVN
>            Reporter: Alexander Traud
>            Severity: Minor
>         Attachments: tls_rsa_ecc_dsa.patch
>
>
> Already works for Asterisk as the client. Enables dual- (or triple-) certificates for Asterisk as the server. When a client connects via SSL/TLS, the server uses an RSA key-pair usually. However, more such algorithms exist like DSA and ECDSA. If you go for one of those, you would lose compatibility to RSA-only clients. This patch allows you to provide up to one RSA, ECDSA and DSA key each. Copied over from the Apache HTTP server project, [added|http://httpd.apache.org/docs/current/mod/mod_ssl.html#sslcertificatefile] in version 2.4.8.
> *Benefit*
> If some of your VoIP clients are not compatible with SHA-2 hashed certificates – for example [Nokia mobile phones|http://discussions.nokia.com/t5/Symbian-Devices/SHA2-support-on-Nikia-C5-E71-and-E72/m-p/2532624#M365219] – you can use RSA/SHA-1 for legacy clients and ECDSA/SHA-2 for everyone else.
> *Usage*
> {{tlscertfile=/etc/asterisk/example_rsa.pem}}
> Then, the code of this patch picks that and searches for files called {{example_ecc.pem}} and {{example_dsa.pem}} automatically.
> Because OpenSSL prefers RSA over ECDSA, see
> {{openssl ciphers -v [DEFAULT|http://www.openssl.org/docs/apps/ciphers.html]}}
> consider re-ordering your cipher suites in sip.conf, for example:
> {{tlscipher=AES128+kEECDH:CHACHA20+kEECDH:AES128+kEDH:3DES+kEDH:+aRSA:+aDSS:AES128-SHA:DES-CBC3-SHA:RC4-SHA:-ADH:-AECDH}}
> to use ECDSA (and PFS) when offered by the client.
> If you use well-known (commercial) certificates, you might use different certificate chains. For this, support [was added|https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=b9fa413a08d436d6b522749b5e808fcd931fd943] in OpenSSL 1.0.2. Previously, only the chain of the first certificate was delivered. To compile Asterisk together with that OpenSSL version, for example in Debian:
> {noformat}
> sudo apt-get build-dep openssl
> wget ftp.debian.org/debian/pool/main/o/openssl/openssl_1.0.2-1.debian.tar.xz
> wget ftp.debian.org/debian/pool/main/o/openssl/openssl_1.0.2.orig.tar.gz
> wget ftp.debian.org/debian/pool/main/o/openssl/openssl_1.0.2-1.dsc
> wget github.com/PeterMosmans/openssl/archive/1.0.2-chacha.zip
> unzip -qq 1.0.2*chacha.zip
> cd openssl-1.0.2*chacha
> wget ftp.debian.org/debian/pool/main/o/openssl/openssl_1.0.2-1.debian.tar.xz
> tar xf openssl_1.0.2*
> mkdir include/openssl
> cp crypto/idea/idea.h include/openssl/
> cp crypto/mdc2/mdc2.h include/openssl/
> wget www.traud.de/voip/sip/patches/openssl/enable-ssl3-method.patch
> patch -p0 <./enable-ssl3-method.patch
> wget www.traud.de/voip/sip/patches/openssl/engines-path.patch
> mv engines-path.patch debian/patches/
> wget www.traud.de/voip/sip/patches/openssl/version-script.patch
> mv version-script.patch debian/patches/
> dpkg-buildpackage -us -uc -nc
> cd /usr/src/asterisk*
> sudo service asterisk stop
> sudo make distclean
> ./configure --with-ssl='/usr/src/openssl-1.0.2-chacha'
> sudo make install CC='gcc -Wl,-rpath /usr/src/openssl-1.0.2-chacha'
> {noformat}
> This patch was tested in Ubuntu 14.04 LTS with a certificate from [Comodo|https://www.gogetssl.com/domain-validation/comodo-positive-ssl/] (ECC; chains up to AddTrust and UTN) and [RapidSSL|https://www.gogetssl.com/domain-validation/rapidssl-standard/] (RSA; chains up to GeoTrust and Equifax). TLS clients were [CounterPath Bria|http://appworld.blackberry.com/webstore/content/28329074/] (BlackBerry) and [CSipSimple|https://play.google.com/store/apps/details?id=com.csipsimple] (Android).


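An added check (not part of the issue, the patch, or Asterisk) for the two points in the description above: which sibling certificate files a given tlscertfile implies, and whether the proposed tlscipher string really puts ECDSA-authenticated suites ahead of RSA ones. It uses Python's ssl module, so the ordering reflects the OpenSSL build Python links against; the _rsa.pem naming rule is my reading of the description, not the patch's code.

```python
import os
import ssl

# Cipher string proposed in the issue description (copied from the page).
ISSUE_CIPHERS = ("AES128+kEECDH:CHACHA20+kEECDH:AES128+kEDH:3DES+kEDH:"
                 "+aRSA:+aDSS:AES128-SHA:DES-CBC3-SHA:RC4-SHA:-ADH:-AECDH")

def sibling_cert_files(tlscertfile):
    """Assumed naming rule from the description: example_rsa.pem ->
    example_ecc.pem / example_dsa.pem in the same directory. Returns the
    candidate paths; a file that does not end in _rsa.pem has no siblings."""
    directory, name = os.path.split(tlscertfile)
    if not name.endswith("_rsa.pem"):
        return {}
    stem = name[:-len("_rsa.pem")]
    return {kind: os.path.join(directory, "%s_%s.pem" % (stem, kind))
            for kind in ("ecc", "dsa")}

def _auth_kind(cipher):
    """Map one SSLContext.get_ciphers() entry to 'rsa', 'ecdsa', 'dss' or None."""
    auth = cipher.get("auth")            # present on OpenSSL >= 1.1 builds
    if auth is None:                     # older builds: infer from the name
        name = cipher["name"]
        auth = ("auth-ecdsa" if "ECDSA" in name else
                "auth-rsa" if "RSA" in name else
                "auth-dss" if "DSS" in name else "auth-any")
    return {"auth-rsa": "rsa", "auth-ecdsa": "ecdsa", "auth-dss": "dss"}.get(auth)

def auth_order(cipher_string):
    """(suite name, authentication key type) for each enabled TLS<=1.2 suite,
    in server preference order. TLS 1.3 suites are key-type agnostic and skipped."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)       # raises SSLError only if nothing matches
    return [(c["name"], _auth_kind(c)) for c in ctx.get_ciphers()
            if _auth_kind(c) is not None]

def ecdsa_preferred(cipher_string):
    """True when the first ECDSA-authenticated suite precedes the first
    RSA-authenticated one, so an ECDSA-capable client is served the ECC cert."""
    kinds = [k for _, k in auth_order(cipher_string)]
    if "ecdsa" not in kinds:
        return False
    return "rsa" not in kinds or kinds.index("ecdsa") < kinds.index("rsa")

if __name__ == "__main__":
    print(sibling_cert_files("/etc/asterisk/example_rsa.pem"))
    for cs in ("DEFAULT", ISSUE_CIPHERS):
        print(cs[:40], "-> ECDSA first:", ecdsa_preferred(cs))
        for name, kind in auth_order(cs)[:6]:
            print("   ", kind.ljust(5), name)
```

Running it prints the DEFAULT order of your OpenSSL next to the issue's order, so you can see whether the reordering is still needed on your build before changing sip.conf.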

--
This message was sent by Atlassian JIRA
(v6.2#6252)


