[asterisk-dev] RFC - TLS certificate negotiation
Klaus Darilion
klaus.mailinglists at pernau.at
Tue Nov 28 09:29:42 MST 2006
Johansson Olle E wrote:
>
> 28 nov 2006 kl. 09.58 skrev Klaus Darilion:
>
>> Luigi Rizzo wrote:
>>> I am looking for feedback on the following issue.
>>> Right now there is TLS support in asterisk only for HTTPS. But as
>>> we add it to different services (e.g. manager, SIP, and so on) we
>>> should decide whether we want to use a single certificate for all
>>> services on the same server, or let each service define its own
>>> certificate.
>>
>> Each service should be allowed to have its own certificate and
>> trusted CAs. E.g. in your enterprise you will use self-signed
>> certificates for Asterisk and the SIP clients which register to the
>> Asterisk. But certificates signed by the PSTN termination provider for
>> SIP trunking. ...
>>
>> IMO it should be that flexible like the one in openser:
>> http://www.openser.org/docs/tls.html
>>
>> This even allows specifying the certificate during runtime for each call.
>>
>> @Olle: virtual domain hosting with TLS requires a dedicated socket for
>> each domain, unless you also implement the "server name" TLS extension.
>>
> I fully agree.
>
> Also remember my earlier note about initialization of certs and RSA keys
> - it needs to be one routine for all.
>
> CLI command "init keys" - I don't know where it is nowadays ... :-)
> Should possibly become "crypto initialize"
btw: openser collects TLS requirements for a new TLS implementation
inside openser. Maybe this will give you some ideas of the useful TLS
features for the SIP channel:
http://openser.org/dokuwiki/doku.php/development:tls-requirements
regards
klaus
--
Klaus Darilion
nic.at
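The point raised in the thread about virtual domain hosting (one TLS socket per domain unless the server honours the "server name" extension) comes down to reading the SNI host_name out of the ClientHello before the certificate is chosen. The following is an added illustration, not code from Asterisk, OpenSER or anyone in this thread: a bounds-checked ClientHello parser that returns the server_name, plus a lookup that maps it to a per-domain certificate on a single listening socket. The certificate table and key paths are constructed placeholders, and `build_client_hello` only exists to produce sample input for the parser.

```python
import struct

# Constructed lookup table: which certificate each hosted SIP domain presents.
# Paths are hypothetical placeholders, not Asterisk's or OpenSER's real layout.
CERT_TABLE = {
    "sip.example.com": "keys/sip.example.com.pem",
    "sip.example.net": "keys/sip.example.net.pem",
}
DEFAULT_CERT = "keys/default.pem"  # used when the client sends no server_name


class _Reader:
    """Bounds-checked cursor over a byte string (TLS length-prefixed fields)."""

    def __init__(self, data):
        self.data, self.pos = data, 0

    def take(self, n):
        if self.pos + n > len(self.data):
            raise ValueError("truncated ClientHello")
        chunk = self.data[self.pos:self.pos + n]
        self.pos += n
        return chunk

    def uint(self, n):
        return int.from_bytes(self.take(n), "big")

    def remaining(self):
        return len(self.data) - self.pos


def build_client_hello(server_name=None):
    """Constructed minimal ClientHello record (sample input), optionally with SNI."""
    body = b"\x03\x03" + b"\x00" * 32          # client_version + fixed test random
    body += b"\x00"                              # empty session_id
    body += struct.pack("!H", 2) + b"\x13\x01"   # one cipher suite
    body += b"\x01\x00"                          # null compression only
    exts = b""
    if server_name is not None:
        name = server_name.encode("idna")
        entry = b"\x00" + struct.pack("!H", len(name)) + name   # host_name entry
        sni_list = struct.pack("!H", len(entry)) + entry
        exts += struct.pack("!HH", 0x0000, len(sni_list)) + sni_list
    sv = b"\x02\x03\x04"                         # supported_versions, to be skipped
    exts += struct.pack("!HH", 0x002B, len(sv)) + sv
    body += struct.pack("!H", len(exts)) + exts
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record):
    """Return the host_name from a ClientHello's server_name extension, or None."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:]
    if len(hs) != rec_len or len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a complete ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = _Reader(hs[4:4 + hs_len])
    if body.remaining() != hs_len:
        raise ValueError("truncated ClientHello")
    body.take(2 + 32)                   # client_version + random
    body.take(body.uint(1))             # session_id
    body.take(body.uint(2))             # cipher_suites
    body.take(body.uint(1))             # compression_methods
    if body.remaining() == 0:           # extensions block is optional
        return None
    exts = _Reader(body.take(body.uint(2)))
    while exts.remaining() >= 4:
        etype, elen = exts.uint(2), exts.uint(2)
        edata = _Reader(exts.take(elen))
        if etype != 0x0000:             # not server_name: skip this extension
            continue
        names = _Reader(edata.take(edata.uint(2)))
        while names.remaining() >= 3:
            ntype, nlen = names.uint(1), names.uint(2)
            host = names.take(nlen)
            if ntype == 0:              # host_name, the only defined name type
                return host.decode("ascii")
        return None
    return None


def select_certificate(record, table=CERT_TABLE, default=DEFAULT_CERT):
    """Pick the certificate file to present on this connection."""
    name = extract_sni(record)
    if name is None:
        return default
    return table.get(name.lower(), default)


if __name__ == "__main__":
    for host in ("sip.example.com", "sip.example.net", "unknown.example", None):
        print(host, "->", select_certificate(build_client_hello(host)))
```

A client that omits the extension, or names a domain the server does not host, falls back to the default certificate rather than failing the handshake; whether that fallback is acceptable for a given deployment is a policy decision, and a malformed or truncated ClientHello is rejected outright instead of being guessed at.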