[asterisk-bugs] [JIRA] (ASTERISK-25409) Asterisk not reading entire TLSCERTFILE
Sam Ultima (JIRA)
noreply at issues.asterisk.org
Fri Oct 2 12:09:33 CDT 2015
[ https://issues.asterisk.org/jira/browse/ASTERISK-25409?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=227765#comment-227765 ]
Sam Ultima commented on ASTERISK-25409:
---------------------------------------
How we wanted this to work was for each phone to have its own generated certificate, assuring a single user's privacy and security. There is no official certificate of authority or configuration for each phone; is this required? Could you provide a command example to generate a CA?
To get back to your questions, this does work on a single phone and secures both signaling and RTP. I realize this might require "substantial work" to have Asterisk support multiple certificate chains and feel this would be a huge security benefit, assuring that another malicious user/employee/customer cannot utilize the "shared certificate" to exploit another phone. (This defeats the purpose of encryption.)
Could you please submit this to your development team for consideration?
> Asterisk not reading entire TLSCERTFILE
> ---------------------------------------
>
> Key: ASTERISK-25409
> URL: https://issues.asterisk.org/jira/browse/ASTERISK-25409
> Project: Asterisk
> Issue Type: Bug
> Security Level: None
> Components: Channels/chan_sip/TCP-TLS
> Affects Versions: 13.5.0
> Environment: SHMZ release 6.5 (Final), FreePBX 12.0.76.1, PBX Firmware: 6.12.65-30 , PBX Service Pack: 1.0.0.0, 4GB ram, dual processor cores.
> Reporter: Sam Ultima
> Assignee: Sam Ultima
> Attachments: extensions_additional.conf, extensions.conf, full.txt, phonecertificates.txt, sip_additional.conf, sip.conf, sip_custom_post.conf, sip_general_additional.conf
>
>
> We have set up TLS+SRTP and thoroughly tested to verify successful operation using a single phone and security certificate.
> The problem starts when we added another phone, then appended the phone security certificate to the TLSCERT file. We have tried rearranging these without success. This file reads the first certificate at the top while others are ignored, causing phones to fail registration.
> Logs & config files are attached.
--
This message was sent by Atlassian JIRA
(v6.2#6252)
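
The comment above asks for a command example to generate a CA. As an added example (not from the ticket or from the Asterisk project), these shell functions use OpenSSL to create a private CA and issue a separate key and certificate for each phone, so no two phones share key material. The directory layout, subject names and phone names are assumptions, and configuring Asterisk to trust the CA is not covered here.

```shell
#!/bin/sh
# Constructed example: one private CA, one key + certificate per phone.
# All file names and subject names are assumptions for illustration.
set -eu

make_ca() {            # $1 = output directory
  mkdir -p "$1"
  # Self-signed root; the CA key never leaves this directory.
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -subj "/O=Example PBX/CN=Example Phone CA" \
    -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
  chmod 600 "$1/ca.key"
}

make_phone_cert() {    # $1 = directory holding ca.key/ca.crt, $2 = phone name
  # Fresh key pair and signing request for this phone only.
  openssl req -newkey rsa:2048 -nodes -sha256 \
    -subj "/O=Example PBX/CN=$2" \
    -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
  # The CA signs the request; the phone key is not shared with other phones.
  openssl x509 -req -sha256 -days 365 -in "$1/$2.csr" \
    -CA "$1/ca.crt" -CAkey "$1/ca.key" -CAcreateserial \
    -out "$1/$2.crt" 2>/dev/null
  chmod 600 "$1/$2.key"
  rm -f "$1/$2.csr"
}

chains_to_ca() {       # $1 = CA certificate, $2 = certificate to check
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

demo() {
  d=$(mktemp -d)
  make_ca "$d"
  for phone in phone1001 phone1002; do
    make_phone_cert "$d" "$phone"
    chains_to_ca "$d/ca.crt" "$d/$phone.crt" && echo "$phone: chains to CA"
  done
  rm -rf "$d"
}

demo
```

A verifier that trusts only `ca.crt` accepts every phone certificate issued this way and rejects certificates signed by anyone else, and a lost or stolen phone affects only its own key.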