[asterisk-users] unsolved: Re: solved: how to create a working certificate for using TLS?

hw hw at gc-24.de
Sun Jul 7 09:16:20 CDT 2019

On 7/6/19 7:23 PM, Michael Maier wrote:
> On 06.07.19 at 12:16 hwilmer wrote:
>> On 7/6/19 10:40 AM, Michael Maier wrote:
>>> On 05.07.19 at 22:02 hw wrote:
>>>> openssl verify -CAfile ca.pem asterisk.pem
>>>> asterisk.pem: OK
>>>> When I set tlsdontverifyserver=yes, it works (i. e. asterisk registers
>>>> to the SIP provider and there is no error message).  Otherwise I'm
>>>> getting the error message and asterisk does not register.
>>>> Reading the comments in sip.conf.sample, I would assume that asterisk
>>>> can not verify the certificate of the SIP provider.  Yet
>>>> openssl s_client -connect secure.sip.easybell.de:5061
> I'm using easybell via tls, too - but with pjsip - I had never any problem.

Yes, easybell works fine, and their support is great.  But don't tell 
anyone or they might be overwhelmed with customers fleeing the bad
support of other providers ...

Is there an advantage to using pjsip?  What's needed for easybell with 

>>> You know that you don't need an own certificate to connect via tls to the ISP?
>> No, I didn't know that.  However, there are local clients connecting to asterisk
>> using encryption, so I suppose my own certificate is required.
> That's true - but why do you need encryption on your own LAN? Just for fun or are there any particular requirements?

I consider it a requirement for when employees end up using their mobile 
phones over foreign wireless networks, which is something that would be 
virtually impossible to prevent should the asterisk server be made 
reachable from the outside.

And before that, why shouldn't phone calls always be encrypted for just 
in case?  They are always genuinely private, and it doesn't hurt anything.

>> Setting 'tlscapath' to /etc/pki or to /etc/pki/ca-trust/source/ didn't seem to
> I'm sorry - I don't know how to handle ca bundles with chan_sip. With pjsip it's
> ca_list_file=/etc/pki/tls/certs/ca-bundle.crt
>
> in pjsip.transports.conf.

Thanks, setting 'tlscafile=/etc/pki/tls/certs/ca-bundle.crt' seems to do 
the trick.  However:

First I set 'tlsdontverifyserver=no' and issued a 'sip reload'.  There 
was no error message.  I found that suspicious and restarted asterisk, 
and the error message came back.

Only then I added 'tlscafile=/etc/pki/tls/certs/ca-bundle.crt' (which 
was unset before), and after a 'sip reload', the error message was gone.
So far, it hasn't come back even when restarting asterisk.

This shows that 'sip reload' doesn't really do a reload in that a 
certificate which hasn't been verified continues to be accepted after 
the configuration changed to now require verifying the certificate. This 
might be a security problem, and if not, it is certainly good for 
surprises and can create much confusion.

Is it supposed to be like this, or should I make a bug report?
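
For readers following this thread, here is the weak and the corrected configuration side by side, for both chan_sip and pjsip. This is an added example, not configuration posted by hw or Michael and not from the Asterisk project; the CA bundle path is the one used above (the Fedora/RHEL location), while the certificate and key paths under /etc/asterisk/keys/ are assumptions. The two sip.conf fragments are alternatives for the same [general] section, not meant to coexist in one file.

```ini
; Added example, not from the original thread. Certificate and key paths
; are assumptions; the CA bundle path is the one the thread uses.

; ---- sip.conf (chan_sip), WEAK: outbound TLS to the provider is not verified.
; Anyone who can redirect the TCP connection can impersonate the SIP provider
; and collect the registration credentials.
[general]
tlsenable=yes
tlsbindaddr=0.0.0.0:5061
tlscertfile=/etc/asterisk/keys/asterisk.pem   ; assumed: server cert + key in one PEM
tlsdontverifyserver=yes

; ---- sip.conf (chan_sip), CORRECTED: verify the provider against the system
; CA bundle. Without tlscafile (or tlscapath) chan_sip has no trust anchor, so
; verification fails and registration is refused, which is what hw saw.
[general]
tlsenable=yes
tlsbindaddr=0.0.0.0:5061
tlscertfile=/etc/asterisk/keys/asterisk.pem   ; assumed
tlscafile=/etc/pki/tls/certs/ca-bundle.crt
tlsdontverifyserver=no

; ---- pjsip.conf / pjsip.transports.conf equivalent (res_pjsip)
[transport-tls]
type=transport
protocol=tls
bind=0.0.0.0:5061
cert_file=/etc/asterisk/keys/asterisk.crt     ; assumed
priv_key_file=/etc/asterisk/keys/asterisk.key ; assumed
ca_list_file=/etc/pki/tls/certs/ca-bundle.crt
verify_server=yes
method=tlsv1_2
; Transport sections are not re-read by "pjsip reload" unless this is set
; (default no), so a change to verification settings otherwise needs a
; full restart to take effect.
allow_reload=yes
```

Before switching verification on, check that the provider's chain actually validates against the same bundle Asterisk will use: openssl s_client -connect secure.sip.easybell.de:5061 -CAfile /etc/pki/tls/certs/ca-bundle.crt should end with "Verify return code: 0 (ok)". And as hw's experiment shows, confirm the chan_sip change with a full restart rather than trusting the absence of an error after 'sip reload'.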
