[asterisk-dev] RFC - TLS certificate negotiation

Klaus Darilion klaus.mailinglists at pernau.at
Tue Nov 28 01:58:43 MST 2006


Luigi Rizzo wrote:
> I am looking for feedback on the following issue.
> 
> Right now there is TLS support in asterisk only for HTTPS.  But as
> we add it to different services (e.g. manager, SIP, and so on) we
> should decide whether we want to use a single certificate for all
> services on the same server, or let each service define its own
> certificate.

Each service should be allowed to have its own certificate and trusted 
CAs. E.g. in your enterprise you will use self-signed certificates for 
Asterisk and the SIP clients which register with Asterisk, but 
certificates signed by the PSTN termination provider for SIP trunking. ...

IMO it should be as flexible as the one in openser:
http://www.openser.org/docs/tls.html

This even allows specifying the certificate at runtime for each call.

@Olle: virtual domain hosting with TLS requires a dedicated socket for 
each domain, unless you also implement the "server name" TLS extension.

regards
klaus

> 
> Personally i cannot see a reason for managing multiple certificates
> - in the end the certificate only guarantees the identity of the
> server, and given that all modules in asterisk see all the memory,
> we cannot limit the visibility of the private key to a single module
> anyways.
> 
> This has an implication - the configuration of the certificate,
> which is basically the single line
> 
> 	; sslcert=/tmp/foo.pem  ; path to the certificate
> 
> should be moved to a more central place e.g. asterisk.conf, and its
> processing (basically the function ssl_setup() in main/http.c and
> associated variables) should also be moved to a more central place
> (e.g. netsock.c) and especially, called early in the boot process.
> 
> Makes sense?
> 
> cheers
> luigi


-- 
Klaus Darilion
nic.at
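The point Klaus makes about virtual domain hosting (one socket per domain unless the server honours the "server name" extension), and Luigi's question of per-service certificates, can be shown end to end with a small added example. This is not code from the thread or from Asterisk; it uses Go's crypto/tls rather than Asterisk's C/OpenSSL code, the domain names pbx.example.com and trunk.example.com are constructed, and selfSigned is a hypothetical helper standing in for the PEM files a service would be configured with. One listener holds both certificates and picks one by the SNI the client sends; a client that sends no SNI gets the default certificate, which is exactly the pre-SNI situation in which each domain would need its own socket. The client verifies the certificate it is shown against a pool of the self-signed certificates, so a wrong choice by the server is caught as a name mismatch.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// selfSigned is a hypothetical in-memory stand-in for the per-service PEM files.
func selfSigned(name string) tls.Certificate {
	pub, key, _ := ed25519.GenerateKey(rand.Reader) // fails only if the CSPRNG does
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: name},
		DNSNames:     []string{name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, key)
	if err != nil {
		panic(err)
	}
	leaf, _ := x509.ParseCertificate(der) // der was just produced, so it parses
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// sniListener serves several domains from one socket, picking the certificate by SNI; no SNI means defaultName.
func sniListener(domains map[string]tls.Certificate, defaultName string) (net.Listener, error) {
	cfg := &tls.Config{
		GetCertificate: func(hello *tls.ClientHelloInfo) (*tls.Certificate, error) {
			if c, ok := domains[hello.ServerName]; ok {
				return &c, nil
			}
			c := domains[defaultName] // no SNI or unknown name: pre-SNI behaviour
			return &c, nil
		},
	}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", cfg)
	if err != nil {
		return nil, err
	}
	go func() { // one connection at a time is enough for the demo
		for {
			conn, err := ln.Accept()
			if err != nil {
				return // listener closed
			}
			_ = conn.(*tls.Conn).Handshake() // drive the handshake, then hang up
			conn.Close()
		}
	}()
	return ln, nil
}

// presentedName connects with the given SNI ("" sends none) and returns the DNS name of the certificate shown, verified against roots (and against the name, if one was sent).
func presentedName(addr, sni string, roots *x509.CertPool) (string, error) {
	cfg := &tls.Config{
		ServerName:         sni,
		InsecureSkipVerify: true, // the default check needs a hostname; replaced below
		VerifyConnection: func(cs tls.ConnectionState) error {
			_, err := cs.PeerCertificates[0].Verify(x509.VerifyOptions{Roots: roots, DNSName: sni})
			return err
		},
	}
	conn, err := tls.Dial("tcp", addr, cfg) // an IP literal is never sent as SNI
	if err != nil {
		return "", err
	}
	defer conn.Close()
	return conn.ConnectionState().PeerCertificates[0].DNSNames[0], nil
}

// runDemo hosts two constructed domains on one socket and reports the certificate seen with SNI for the trunk name and with no SNI.
func runDemo() (withSNI, withoutSNI string, err error) {
	domains, roots := map[string]tls.Certificate{}, x509.NewCertPool()
	for _, name := range []string{"pbx.example.com", "trunk.example.com"} {
		domains[name] = selfSigned(name)
		roots.AddCert(domains[name].Leaf)
	}
	ln, err := sniListener(domains, "pbx.example.com")
	if err != nil {
		return "", "", err
	}
	defer ln.Close()
	if withSNI, err = presentedName(ln.Addr().String(), "trunk.example.com", roots); err == nil {
		withoutSNI, err = presentedName(ln.Addr().String(), "", roots)
	}
	return withSNI, withoutSNI, err
}

func main() {
	fmt.Println(runDemo()) // trunk.example.com pbx.example.com <nil>
}
```

Run it with `go run`: the client that names trunk.example.com is shown the trunk certificate, the client that sends no SNI is shown the pbx.example.com fallback. A client that names a domain the server does not host also gets the fallback, and its verification then fails on the name mismatch, which is the failure a pre-SNI setup with one shared socket would produce for every domain but the default.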