[Asterisk-code-review] tcptls: Enable multiple TLS certificate chains (RSA+ECC+DSA)... (asterisk[master])

Ashley Sanders asteriskteam at digium.com
Wed May 13 21:09:09 CDT 2015 

Ashley Sanders has posted comments on this change.

Change subject: tcptls: Enable multiple TLS certificate chains (RSA+ECC+DSA) for server socket.
......................................................................


Patch Set 4: Code-Review-1

(4 comments)

https://gerrit.asterisk.org/#/c/431/4//COMMIT_MSG
Commit Message:

Line 9: When a client connects via SSL/TLS, the server uses a RSA key-pair usually.
For better clarity, I suggest modifying this slightly:

When a client connects to a server via SSL/TLS, the server most commonly utilizes
an RSA key-pair. However, other such algorithms exist (i.e. DSA and ECDSA), and
if the server socket is configured with a certificate for either one of those, it
would lose its compatibility with RSA-only clients. 

Now, the server socket can be configured with up to one RSA, ECDSA and DSA key
each. For example, if a client is not compatible with SHA-2 hashed certificates
like Nokia mobile phones, the server socket still can use RSA/SHA-1 for legacy
clients and ECDSA/SHA-2 for everyone else.


https://gerrit.asterisk.org/#/c/431/4/configs/samples/pjsip.conf.sample
File configs/samples/pjsip.conf.sample:

Line 768:                 ; a .key file must be specified via priv_key_file. Since
For readability, the "Since PJProject 2.5 ..." should start on line 769.

Also, the term "looked-up" sounds very awkward. I suggest changing this to "fetched" (or "retrieved" or "located", etc.).


https://gerrit.asterisk.org/#/c/431/4/configs/samples/sip.conf.sample
File configs/samples/sip.conf.sample:

Line 566:                                         ; "asterisk_dsa.pem" and/or "asterisk_ecc.pem" are looked-up
Just like in the pjsip.conf.sample file:

The term "looked-up" sounds very awkward. I suggest changing this to "fetched" (or "retrieved" or "located", etc.).


https://gerrit.asterisk.org/#/c/431/4/main/tcptls.c
File main/tcptls.c:

Line 761: 		if (SSL_CTX_use_certificate_chain_file(cfg->ssl_ctx, cert_file) == 0) {
        : 			ast_log(LOG_ERROR, "TLS/SSL error loading %s cert file. <%s>\n", key_type, cert_file);
        : 		} else if (SSL_CTX_use_PrivateKey_file(cfg->ssl_ctx, cert_file, SSL_FILETYPE_PEM) == 0) {
        : 			ast_log(LOG_ERROR, "TLS/SSL error loading %s cert file. <%s>\n", key_type, cert_file);
        : 		} else if (SSL_CTX_check_private_key(cfg->ssl_ctx) == 0) {
        : 			ast_log(LOG_ERROR, "TLS/SSL error loading %s cert file. <%s>\n", key_type, cert_file);
        : 		}
> This could be coded as:
I agree with Richard. It is best to avoid code duplication whenever possible. See:
- http://en.wikipedia.org/wiki/Abstraction_principle_%28computer_programming%29
- http://en.wikipedia.org/wiki/Don%27t_repeat_yourself


-- 
To view, visit https://gerrit.asterisk.org/431
To unsubscribe, visit https://gerrit.asterisk.org/settings

Gerrit-MessageType: comment
Gerrit-Change-Id: Iada5e00d326db5ef86e0af7069b4dfa1b979da9a
Gerrit-PatchSet: 4
Gerrit-Project: asterisk
Gerrit-Branch: master
Gerrit-Owner: Alexander Traud <pabstraud at compuserve.com>
Gerrit-Reviewer: Ashley Sanders <asanders at digium.com>
Gerrit-Reviewer: Richard Mudgett <rmudgett at digium.com>
Gerrit-HasComments: Yes

More information about the asterisk-code-review mailing list