[asterisk-users] unsolved: Re: solved: how to create a working certificate for using TLS?

[Joshua C. Colp]

On Sun, Jul 7, 2019, at 11:17 AM, hw wrote:

<snip>

> 
> Thanks, setting 'tlscafile=/etc/pki/tls/certs/ca-bundle.crt' seems to do 
> the trick.  However:
> 
> First I set 'tlsdontverifyserver=no' and issued a 'sip reload'.  There 
> was no error message.  I found that suspicious and restarted asterisk, 
> and the error message came back.
> 
> Only then I added 'tlscafile=/etc/pki/tls/certs/ca-bundle.crt' (which 
> was unset before), and after a 'sip reload', the error message was gone.
> So far, it hasn't come back even when restarting asterisk.
> 
> This shows that 'sip reload' doesn't really do a reload in that a 
> certificate which hasn't been verified continues to be accepted after 
> the configuration changed to now require verifying the certificate. This 
> might be a security problem, and if not, it is certainly good for 
> surprises and can create much confusion.
> 
> Is it supposed to be like this, or should I make a bug report?

Support for this probably wasn't fully done to support such behavior. You could file a bug report but support for chan_sip is provided by the community and there is no time frame on when (or if) such a thing would be looked into so keep that in mind.

-- 
Joshua C. Colp
Digium - A Sangoma Company | Senior Software Developer
445 Jan Davis Drive NW - Huntsville, AL 35806 - US
Check us out at: www.digium.com & www.asterisk.org