[asterisk-dev] RFC - TLS certificate negotiation

Luigi Rizzo rizzo at icir.org
Mon Nov 27 13:05:31 MST 2006


I am looking for feedback on the following issue.

Right now there is TLS support in asterisk only for HTTPS.  But as
we add it to different services (e.g. manager, SIP, and so on) we
should decide whether we want to use a single certificate for all
services on the same server, or let each service define its own
certificate.

Personally I cannot see a reason for managing multiple certificates
- in the end the certificate only guarantees on the identity of the
server, and given that all modules in asterisk see all the memory,
we cannot limit the visibility of the private key to a single module
anyways.

This has an implication - the configuration of the certificate,
which is basically the single line

	; sslcert=/tmp/foo.pem  ; path to the certificate

should be moved to a more central place e.g. asterisk.conf, and its
processing (basically the function ssl_setup() in main/http.c and
associated variables) should also be moved to a more central place
(e.g. netsock.c) and especially, called early in the boot process.

Makes sense?

cheers
luigi
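The design proposed above (one sslcert= line read from a central config at boot, one TLS context that every service then shares), modelled as an added Python example that is not part of this message or of Asterisk's own code. The config text, the PEM path, the TlsRegistry class and the check_pem_file helper are assumptions for illustration; the permission check exists because, as the post notes, once the key is loaded every module in the process can see it, so the file on disk is the only place its visibility can still be limited.

```python
"""Central TLS certificate setup shared by several services.

Added example (not Asterisk code): reads `sslcert=` once from an
asterisk.conf-style [options] section, sanity-checks the PEM file,
and builds a single ssl.SSLContext that every service (HTTPS,
manager, SIP, ...) asks for instead of loading its own copy.
"""
import os
import ssl
import stat
import tempfile

# Constructed sample of an asterisk.conf-style section (hypothetical).
SAMPLE_CONF = """\
[options]
; sslcert=/tmp/foo.pem  ; path to the certificate   <- commented out
sslcert=/etc/asterisk/keys/server.pem   ; certificate + private key
verbose=3
"""


def parse_sslcert(conf_text):
    """Return the sslcert= value from [options], ignoring ';' comments."""
    section = None
    for raw in conf_text.splitlines():
        line = raw.split(';', 1)[0].strip()   # drop trailing comment
        if not line:
            continue
        if line.startswith('[') and line.endswith(']'):
            section = line[1:-1]
            continue
        if section == 'options' and '=' in line:
            key, value = (s.strip() for s in line.split('=', 1))
            if key == 'sslcert':
                return value
    return None


def check_pem_file(path):
    """Checks to run before the key is loaded into the shared context.

    Returns a list of problems; an empty list means the file looks usable.
    The single-file PEM convention used here needs both a certificate
    and a private key block in the same file.
    """
    problems = []
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return ['missing: %s' % path]
    # Key material must not be readable by other users on the box.
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append('group/world accessible: %s' % path)
    with open(path, 'rb') as fh:
        data = fh.read()
    if b'-----BEGIN CERTIFICATE-----' not in data:
        problems.append('no CERTIFICATE block')
    if b'PRIVATE KEY-----' not in data:
        problems.append('no PRIVATE KEY block (single pem must hold both)')
    return problems


class TlsRegistry:
    """One context built early at boot, handed out to every service."""

    def __init__(self):
        self.ctx = None
        self.users = []

    def setup(self, pem_path):
        """Load cert + key once; refuse files that fail check_pem_file()."""
        problems = check_pem_file(pem_path)
        if problems:
            raise ValueError('; '.join(problems))
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
        ctx.load_cert_chain(pem_path)   # cert and key from the one file
        self.ctx = ctx
        return ctx

    def register(self, service_name):
        """Services call this instead of loading a certificate themselves."""
        if self.ctx is None:
            raise RuntimeError('TLS not initialised; call setup() at boot')
        self.users.append(service_name)
        return self.ctx


def make_constructed_pem(content, mode):
    """Write constructed (fake) PEM text to a temp file with the given mode."""
    fd, path = tempfile.mkstemp(suffix='.pem')
    with os.fdopen(fd, 'wb') as fh:
        fh.write(content)
    os.chmod(path, mode)
    return path


if __name__ == '__main__':
    print('sslcert =', parse_sslcert(SAMPLE_CONF))
    fake = make_constructed_pem(b'-----BEGIN CERTIFICATE-----\n', 0o644)
    print('problems:', check_pem_file(fake))
    os.unlink(fake)
```

With a real PEM the boot sequence is simply registry.setup(parse_sslcert(conf)) followed by registry.register('http'), registry.register('manager') and so on; each service receives the same context object, which is the point of centralising the setup.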

