[asterisk-bugs] [JIRA] (ASTERISK-24815) [patch] Enable TLS Dual-Certificates (ECC+RSA)

Alexander Traud (JIRA) noreply at issues.asterisk.org
Sun May 10 11:06:32 CDT 2015


     [ https://issues.asterisk.org/jira/browse/ASTERISK-24815?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Alexander Traud updated ASTERISK-24815:
---------------------------------------

    Attachment: tls_rsa_ecc_dsa.patch

> [patch] Enable TLS Dual-Certificates (ECC+RSA)
> ----------------------------------------------
>
>                 Key: ASTERISK-24815
>                 URL: https://issues.asterisk.org/jira/browse/ASTERISK-24815
>             Project: Asterisk
>          Issue Type: Improvement
>      Security Level: None
>          Components: Channels/chan_sip/TCP-TLS
>    Affects Versions: SVN
>            Reporter: Alexander Traud
>            Severity: Minor
>         Attachments: tls_rsa_ecc_dsa.patch
>
>
> Already works for Asterisk as the client. Enables dual- (or triple-) certificates for Asterisk as the server. When a client connects via SSL/TLS, the server uses an RSA key-pair usually. However, more such algorithms exist like DSA and ECDSA. If you go for one of those, you would lose compatibility with RSA-only clients. This patch allows you to provide up to one RSA, ECDSA and DSA key each. Copied over from the Apache HTTP server project, [added|http://httpd.apache.org/docs/current/mod/mod_ssl.html#sslcertificatefile] in version 2.4.8.
> *Benefit*
> If some of your VoIP clients are not compatible with SHA-2 hashed certificates – for example [Nokia mobile phones|http://discussions.nokia.com/t5/Symbian-Devices/SHA2-support-on-Nikia-C5-E71-and-E72/m-p/2532624#M365219] – you can use RSA/SHA-1 for legacy clients and ECDSA/SHA-2 for everyone else.
> *Usage*
> {{tlscertfile=/etc/asterisk/example_rsa.pem}}
> Then, the code of this patch picks that and searches for files called {{example_ecc.pem}} and {{example_dsa.pem}} automatically.
> Because OpenSSL prefers RSA over ECDSA, see
> {{openssl ciphers -v [DEFAULT|http://www.openssl.org/docs/apps/ciphers.html]}}
> consider re-ordering your cipher suites in sip.conf, for example:
> {{tlscipher=ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:AES128-SHA:RC4-SHA:-ECCdraft:-COMPLEMENTOFDEFAULT}}
> to use ECDSA (and PFS) when offered by the client.
> If you use well-known (commercial) certificates, you might use different certificate chains. For this, support [was added|https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=b9fa413a08d436d6b522749b5e808fcd931fd943] in OpenSSL 1.0.2. Previously, only the chain of the first certificate was delivered. To compile Asterisk together with that OpenSSL version, for example in Debian:
> {noformat}
> sudo apt-get -y build-dep openssl
> wget ftp.debian.org/debian/pool/main/o/openssl/openssl_1.0.2a-1.debian.tar.xz
> wget ftp.debian.org/debian/pool/main/o/openssl/openssl_1.0.2a.orig.tar.gz
> wget ftp.debian.org/debian/pool/main/o/openssl/openssl_1.0.2a-1.dsc
> wget github.com/PeterMosmans/openssl/archive/1.0.2-chacha.zip
> unzip -qq 1.0.2*chacha.zip
> cd openssl-1.0.2*chacha
> wget ftp.debian.org/debian/pool/main/o/openssl/openssl_1.0.2a-1.debian.tar.xz
> tar xf openssl_1.0.2*
> mkdir include/openssl
> cp crypto/idea/idea.h include/openssl/
> cp crypto/mdc2/mdc2.h include/openssl/
> wget www.traud.de/voip/sip/patches/openssl/debian-targets.patch
> mv debian-targets.patch debian/patches/
> wget www.traud.de/voip/sip/patches/openssl/engines-path.patch
> mv engines-path.patch debian/patches/
> wget www.traud.de/voip/sip/patches/openssl/openssl-pod-misspell.patch
> mv openssl-pod-misspell.patch debian/patches/
> wget www.traud.de/voip/sip/patches/openssl/version-script.patch
> mv version-script.patch debian/patches/
> dpkg-buildpackage -us -uc -nc
> cd /usr/src/asterisk*
> sudo service asterisk stop
> sudo make distclean
> LDFLAGS='-Wl,-rpath /usr/src/openssl-1.0.2-chacha' ./configure --with-ssl='/usr/src/openssl-1.0.2-chacha'
> make
> sudo make install
> {noformat}
> This patch was tested in Ubuntu 14.04 LTS with a certificate from [Comodo|https://www.gogetssl.com/domain-validation/comodo-positive-ssl/] (ECC; chains up to AddTrust and UTN) and [RapidSSL|https://www.gogetssl.com/domain-validation/rapidssl-standard/] (RSA; chains up to GeoTrust and Equifax). TLS clients were [CounterPath Bria|http://appworld.blackberry.com/webstore/content/28329074/] (BlackBerry) and [CSipSimple|https://play.google.com/store/apps/details?id=com.csipsimple] (Android).



--
This message was sent by Atlassian JIRA
(v6.2#6252)
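
The cipher re-ordering advice in the message above can be checked mechanically. The following is an added example, not part of the original message or of the Asterisk patch: it reads a tlscipher value, reports where the first ECDSA, RSA and DSA suites sit, and lists RC4 and 3DES entries. The function names are hypothetical, and it assumes explicit pre-TLS 1.3 OpenSSL suite names separated by colons.

```python
# Added example: audit a sip.conf tlscipher value for a dual-certificate server.
# Assumption: entries are explicit OpenSSL (pre-TLS 1.3) suite names joined by ":".

# Substrings marking legacy ciphers: RC4 is prohibited in TLS by RFC 7465,
# and 3DES (DES-CBC3) has only a 64-bit block.
LEGACY_MARKERS = ("RC4", "DES-CBC3")
NO_CERT_PREFIXES = ("ADH", "AECDH", "PSK")  # anonymous / pre-shared-key suites


def auth_of(suite):
    """Certificate type a suite authenticates with, read from its OpenSSL name."""
    parts = suite.split("-")
    if parts[0] in NO_CERT_PREFIXES:
        return None
    if "ECDSA" in parts:
        return "ECDSA"
    if "DSS" in parts:
        return "DSA"
    # Simplification: "...-RSA-..." and names without a prefix
    # (AES128-SHA, RC4-SHA) are treated as using an RSA certificate.
    return "RSA"


def audit_tlscipher(value):
    """Return first position per certificate type, ECDSA-before-RSA flag, legacy suites."""
    first, legacy, pos = {}, [], 0
    for entry in (e.strip() for e in value.split(":")):
        # Skip operators (-X, !X, +X, @STRENGTH) and group keywords such as HIGH.
        if not entry or entry[0] in "-!+@" or "-" not in entry:
            continue
        auth = auth_of(entry)
        if auth:
            first.setdefault(auth, pos)
        if any(marker in entry for marker in LEGACY_MARKERS):
            legacy.append(entry)
        pos += 1
    ecdsa_first = "ECDSA" in first and first["ECDSA"] < first.get("RSA", pos)
    return {"first": first, "ecdsa_preferred": ecdsa_first, "legacy": legacy}


# The tlscipher value quoted in the message above.
POSTED = ("ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:"
          "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:"
          "EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:AES128-SHA:RC4-SHA:"
          "-ECCdraft:-COMPLEMENTOFDEFAULT")

if __name__ == "__main__":
    print(audit_tlscipher(POSTED))
```
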


