[asterisk-users] unsolved: Re: solved: how to create a working certificate for using TLS?
Joshua C. Colp
jcolp at digium.com
Sun Jul 7 10:40:04 CDT 2019
On Sun, Jul 7, 2019, at 11:17 AM, hw wrote:
> Thanks, setting 'tlscafile=/etc/pki/tls/certs/ca-bundle.crt' seems to do
> the trick. However:
> First I set 'tlsdontverifyserver=no' and issued a 'sip reload'. There
> was no error message. I found that suspicious and restarted asterisk,
> and the error message came back.
> Only then I added 'tlscafile=/etc/pki/tls/certs/ca-bundle.crt' (which
> was unset before), and after a 'sip reload', the error message was gone.
> So far, it hasn't come back even when restarting asterisk.
> This shows that 'sip reload' doesn't really do a reload in that a
> certificate which hasn't been verified continues to be accepted after
> the configuration changed to now require verifying the certificate. This
> might be a security problem, and if not, it is certainly good for
> surprises and can create much confusion.
> Is it supposed to be like this, or should I make a bug report?
Support for this probably wasn't fully done to support such behavior. You could file a bug report, but support for chan_sip is provided by the community and there is no time frame on when (or if) such a thing would be looked into, so keep that in mind.
Joshua C. Colp
Digium - A Sangoma Company | Senior Software Developer
445 Jan Davis Drive NW - Huntsville, AL 35806 - US
Check us out at: www.digium.com & www.asterisk.org
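
Added example (not part of the original thread and not Asterisk project code): a small Python check of the `[general]` section of sip.conf that flags the state described in the quoted message, where server verification is requested but no CA file or directory is configured. The function names and sample configs are constructed here, and an unset `tlsdontverifyserver` is assumed to mean "no".

```python
import os

TRUE = {"yes", "true", "on", "1"}

def general_options(conf_text):
    """Return key/value pairs from the [general] section of sip.conf text."""
    opts, section = {}, None
    for raw in conf_text.splitlines():
        line = raw.split(";", 1)[0].strip()        # ';' starts a comment
        if not line:
            continue
        if line.startswith("[") and "]" in line:
            section = line[1:line.index("]")].strip().lower()
        elif section == "general" and "=" in line:
            key, value = line.split("=", 1)        # also accepts 'key => value'
            opts[key.strip().lower()] = value.lstrip(">").strip()
    return opts

def audit_sip_tls(conf_text, exists=os.path.exists):
    """List server-verification problems of the kind seen in the thread."""
    opts = general_options(conf_text)
    findings = []
    # Assumption: an unset tlsdontverifyserver behaves like 'no' (verify).
    if opts.get("tlsdontverifyserver", "no").lower() in TRUE:
        return ["tlsdontverifyserver=yes: server certificates are not verified"]
    ca_file, ca_path = opts.get("tlscafile"), opts.get("tlscapath")
    if not ca_file and not ca_path:
        findings.append("verification is on but neither tlscafile nor tlscapath is set")
    for name, path in (("tlscafile", ca_file), ("tlscapath", ca_path)):
        if path and not exists(path):
            findings.append(f"{name}={path} does not exist")
    return findings

# Constructed samples: the thread's settings before and after adding tlscafile.
BEFORE = """[general]
tlsdontverifyserver=no   ; verification requested, no CA configured
"""
AFTER = BEFORE + "tlscafile=/etc/pki/tls/certs/ca-bundle.crt\n"

if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        print(label, audit_sip_tls(text) or "ok")
```

In the quoted report the stricter setting only showed its effect after Asterisk was restarted, so test the result after a restart rather than after 'sip reload' alone.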