[asterisk-dev] res_calendar and self signed certs

--[ UxBoD ]-- uxbod at splatnix.net
Wed Jan 19 05:00:44 CST 2011


----- Original Message -----
> On Mon, Jan 17, 2011 at 1:23 PM, --[ UxBoD ]-- <uxbod at splatnix.net>
> wrote:
> > Hello all,
> >
> > I have an idea for a potential feature request and looking for
> > guidance on how it could be implemented.
> >
> > This was tested using Asterisk 1.8.2 with res_calendar pointing at a
> > Zimbra server.
> >
> > When a HTTPS URL points to a server with a self signed cert one
> > receives the following error message:
> >
> > [Jan 17 09:23:35] WARNING[27663]: res_calendar_icalendar.c:146
> > fetch_icalendar: Unable to retrieve iCalendar 'testcal' from
> > 'https://office.test.net/home/teamshare@test.net/Calendar/': Server
> > certificate verification failed: issuer is not trusted
> >
> > I believe that if an additional option was added to calendar.conf
> > eg:
> >
> > [testcal]
> > type = ical
> > url = ; URL to shared calendar (Zimbra example)
> > user = ; web username
> > secret = ; web password
> > cert = ; path to cert CA
> >
> > the CA could then be loaded using:
> >
> > void ne_ssl_trust_cert (ne_session *session, const
> > ne_ssl_certificate
> > *cert);
> >
> > as in example code from
> > http://linux.die.net/man/3/ne_ssl_trust_default_ca
> >
> > I believe it is a trivial change and I would be willing to have a
> > code at making the changes and testing with some help.
> >
> > Thoughts ?
> 
> 
> Stupid idea to add to you context. With the expansion of the TLS /
> SSL adpotion, is there a need for a TLS / SSL configuraion with
> context? eg... do we need a tls.conf with contexts so that ITSP
> level SIP calls can have many self signed certs? I can see the need
> for many configurations to need many certs and even overlap.
> 
> ~~~ Andrew "lathama" Latham lathama at gmail.com ~~~

Sorry for such a stupid idea! Perhaps if there was a way for self signed certs to be accepted out of the box then I would not have had to have posted.

Internally we run our own CA so all our systems; including Asterisk are running with self signed certs. Having a central configuration would be an excellent idea; though in the meantime will see if I can patch this code.
-- 
Thanks, Phil



More information about the asterisk-dev mailing list