[asterisk-dev] RFC - TLS certificate negotiation
Johansson Olle E
olle at voop.com
Tue Nov 28 06:22:33 MST 2006
On 28 Nov 2006 at 09:58, Klaus Darilion wrote:
> Luigi Rizzo wrote:
>> I am looking for feedback on the following issue.
>> Right now there is TLS support in asterisk only for HTTPS. But as
>> we add it to different services (e.g. manager, SIP, and so on) we
>> should decide whether we want to use a single certificate for all
>> services on the same server, or let each service define its own
>> certificate.
>
> Each service should be allowed to have its own certificate and
> trusted CAs. E.g. in your enterprise you will use self signed
> certificates for Asterisk and the SIP clients which register to the
> Asterisk. But certificates signed by the PSTN termination provider
> for SIP trunking. ...
>
> IMO it should be that flexible like the one in openser:
> http://www.openser.org/docs/tls.html
>
> This even allows specifying the certificate during runtime for each
> call.
>
> @Olle: virtual domain hosting with TLS requires a dedicated socket
> for each domain, unless you also implement the "server name" TLS
> extension.
>
I fully agree.
Also remember my earlier note about initialization of certs and RSA
keys - it needs to be one routine for all.
CLI command "init keys" - I don't know where it is nowadays ... :-)
Should possibly become "crypto initialize"
/O
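Klaus's point above about virtual domain hosting (one listening socket per domain unless the server name extension is implemented) in working code, as an added example that is not part of this thread and not Asterisk code. It is written in Go because its standard library covers certificate generation, SNI-based certificate selection and chain verification without an external dependency. The two domain names, the fallback policy for clients that send no SNI or an unknown name, and the client pinning the self-signed certificates as its trusted roots are all assumptions of the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// selfSigned builds a throwaway self-signed certificate for one hostname. It
// stands in for the per-domain certificate an administrator would install
// (constructed for this example; not Asterisk code).
func selfSigned(host string) tls.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	leaf, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// sniServerConfig is one server config for one listening socket that hosts
// several domains. GetCertificate runs per connection and picks the
// certificate by the SNI server_name (map keys must be lower-case). A client
// that sends no SNI, or a name we do not host, gets the fallback certificate;
// the handshake completes and the client's own hostname check decides.
func sniServerConfig(perDomain map[string]tls.Certificate, fallback tls.Certificate) *tls.Config {
	return &tls.Config{
		MinVersion: tls.VersionTLS12,
		GetCertificate: func(hello *tls.ClientHelloInfo) (*tls.Certificate, error) {
			if c, ok := perDomain[strings.ToLower(hello.ServerName)]; ok {
				return &c, nil
			}
			return &fallback, nil
		},
	}
}

// offered mirrors the client side without a socket: ask cfg which certificate
// it would present for sni, then verify it against roots for that name.
// It returns the presented CommonName and the verification result.
func offered(cfg *tls.Config, roots *x509.CertPool, sni string) (string, error) {
	c, err := cfg.GetCertificate(&tls.ClientHelloInfo{ServerName: sni})
	if err != nil {
		return "", err
	}
	_, err = c.Leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: sni})
	return c.Leaf.Subject.CommonName, err
}

// demoConfig hosts two constructed domains on one socket and pins both
// self-signed certificates as trusted roots, as an enterprise might.
func demoConfig() (*tls.Config, *x509.CertPool) {
	sip, pbx := selfSigned("sip.example.com"), selfSigned("pbx.example.net")
	roots := x509.NewCertPool()
	roots.AddCert(sip.Leaf)
	roots.AddCert(pbx.Leaf)
	return sniServerConfig(map[string]tls.Certificate{
		"sip.example.com": sip, "pbx.example.net": pbx,
	}, pbx), roots
}

func main() {
	cfg, roots := demoConfig()
	// "" is a client without SNI; trunk.example.org is a name we do not host.
	for _, name := range []string{"sip.example.com", "PBX.example.net", "", "trunk.example.org"} {
		cn, err := offered(cfg, roots, name)
		fmt.Printf("SNI %-18q -> server presents %q, client verification: %v\n", name, cn, err)
	}
}
```

The same `*tls.Config` is what `tls.Listen` takes for the real socket; the handshake calls `GetCertificate` with the ClientHello it received. The fallback branch is the policy decision Klaus's note leaves open: a client that asks for a name the server does not host still gets a handshake, but the certificate carries the wrong name, so a verifying client rejects it (the last loop iteration), which is preferable to handing one tenant's certificate to another tenant's caller silently. Per-service separation (manager versus SIP, each with its own certificate and trusted CAs) is simply a separate `tls.Config` per listening socket.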