[asterisk-bugs] [JIRA] (ASTERISK-19268) Need to specify TLS peer verification policy per-peer

Tzafrir Cohen (JIRA) noreply at issues.asterisk.org
Mon Dec 25 08:25:41 CST 2017


    [ https://issues.asterisk.org/jira/browse/ASTERISK-19268?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=241139#comment-241139 ] 

Tzafrir Cohen commented on ASTERISK-19268:
------------------------------------------

Doing some house-keeping and this issue is referred to by an old Debian bug. I believe that this issue is at least mostly fixed by chan_pjsip, as there is a per-endpoint configuration of verification.

> Need to specify TLS peer verification policy per-peer
> -----------------------------------------------------
>
>                 Key: ASTERISK-19268
>                 URL: https://issues.asterisk.org/jira/browse/ASTERISK-19268
>             Project: Asterisk
>          Issue Type: Bug
>      Security Level: None
>          Components: Channels/chan_sip/TCP-TLS
>    Affects Versions: 1.8.9.0
>         Environment: all
>            Reporter: Daniel Pocock
>
> For inter-domain routing of SIP messages, it is recommended that each proxy/PBX does full TLS verification.
> Here is the RFC on the subject, it provides very useful background about this bug:
> http://tools.ietf.org/html/rfc5922
> Example: Asterisk receives a SIP connection from Kamailio:
> - Asterisk should demand a client certificate from Kamailio
> - Kamailio will present its server certificate as a client certificate
> - Asterisk should verify that the cert is signed by a trusted CA
> - Asterisk should perform verification of the CN and/or subjectAltName/dNSName entries against each message that comes in
> However, the same Asterisk server, when receiving a TLS connection from a trusted peer (authentication by shared secret) does not need to demand a certificate - in this case, certificate exchange is unidirectional (just like the typical scenario where you connect to an HTTPS web server)
> To facilitate this, Asterisk probably needs a new parameter:
> tls_verify_client=yes|no
> that can be specified in the [general] section and the individual [peer] sections of sip.conf, e.g.
> {code}
> [general]
> ; demand a client certificate/two way certificate exchange from unknown peers
> tls_verify_client=yes
> [8001]
> ; user connects with TLS, but with no client cert
> transport=tls
> tls_verify_client=no
> ; he uses a password
> secret=daniel
> {code}



--
This message was sent by Atlassian JIRA
(v6.2#6252)
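
Added example (not part of the original message and not Asterisk code): a Python sketch of the per-peer decision the quoted report asks for, with a [general] default and a per-peer override. It assumes the TLS stack has already validated the certificate chain against a trusted CA, that `cert` has the shape returned by Python's `ssl.SSLSocket.getpeercert()`, and that names are compared by exact match; `PeerPolicy`, `policy_for`, `cert_identities`, `accept` and the sample certificate are hypothetical.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class PeerPolicy:
    verify_client: bool  # mirrors the proposed tls_verify_client=yes|no


# [general] default plus one per-peer override, as in the quoted sip.conf sketch.
GENERAL = PeerPolicy(verify_client=True)
PEERS = {"8001": PeerPolicy(verify_client=False)}

# Constructed sample certificate in the dict shape of ssl.SSLSocket.getpeercert().
KAMAILIO_CERT = {
    "subject": ((("commonName", "sip.example.org"),),),
    "subjectAltName": (("DNS", "example.org"), ("DNS", "sip.example.org")),
}


def policy_for(peer: Optional[str]) -> PeerPolicy:
    """Unknown peers (no matching section) fall back to the [general] policy."""
    return PEERS.get(peer, GENERAL)


def cert_identities(cert: dict) -> set:
    """Return the DNS names a certificate asserts, lower-cased."""
    names = {v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"}
    if not names:
        # Use the CN only when the certificate carries no dNSName entries.
        for rdn in cert.get("subject", ()):
            names |= {v.lower() for k, v in rdn if k == "commonName"}
    return names


def accept(peer: Optional[str], sip_domain: str, cert: Optional[dict],
           secret_ok: bool = False) -> bool:
    """Decide whether a SIP message arriving over TLS is acceptable.

    sip_domain is the domain the message claims to come from (assumption:
    the caller has extracted it from the message being checked).
    """
    if policy_for(peer).verify_client:
        # Client certificate demanded: it must name the sending domain.
        return cert is not None and sip_domain.lower() in cert_identities(cert)
    # Trusted peer: no client certificate demanded, the shared secret decides.
    return secret_ok
```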


