[asterisk-users] unsolved: Re: solved: how to create a working certificate for using TLS?
Michael Maier
m1278468 at mailbox.org
Sat Jul 6 12:23:55 CDT 2019
On 06.07.19 at 12:16 hwilmer wrote:
> On 7/6/19 10:40 AM, Michael Maier wrote:
>> On 05.07.19 at 22:02 hw wrote:
>>>
>>> openssl verify -CAfile ca.pem asterisk.pem
>>> asterisk.pem: OK
>>>
>>>
>>> When I set tlsdontverifyserver=yes, it works (i.e. asterisk registers
>>> to the SIP provider and there is no error message). Otherwise I'm
>>> getting the error message and asterisk does not register.
>>>
>>> Reading the comments in sip.conf.sample, I would assume that asterisk
>>> can not verify the certificate of the SIP provider. Yet
>>>
>>>
>>> openssl s_client -connect secure.sip.easybell.de:5061

I'm using easybell via tls, too - but with pjsip - I never had any problem.

>>
>> You know that you don't need your own certificate to connect via tls to the ISP?
>
> No, I didn't know that. However, there are local clients connecting to asterisk
> using encryption, so I suppose my own certificate is required.
That's true - but why do you need encryption on your own LAN? Just for fun or are there any particular requirements?
>> To be able to verify the certificate of the ISP, asterisk has to know the local CA database. For CentOS 7, this is /etc/pki/tls/certs/ca-bundle.crt.
>
> How did you know I'm doing this on CentOS? :)
This was just meant as an example - chance :-)
> Setting 'tlscapath' to /etc/pki or to /etc/pki/ca-trust/source/ didn't seem to
I'm sorry - I don't know how to handle CA bundles with chan_sip. With pjsip it's
ca_list_file=/etc/pki/tls/certs/ca-bundle.crt
in pjsip.transports.conf.
Michael
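
The following is an added example, not part of the original message or of Asterisk's own documentation. It shows how OpenSSL treats a CA bundle file differently from a CA directory, assuming a setting such as tlscapath is handed to OpenSSL as a CA directory. The CA, the server certificate and the host name sip.example.invalid are constructed for the test.

```shell
#!/bin/sh
# Added example: every key and certificate here is a throwaway built locally.
# Needs OpenSSL 1.1.0 or newer (for "openssl rehash" and verify exit codes).

make_pki() {  # $1 = work dir; builds a test CA, a server cert and two CA dirs
    d=$1
    mkdir -p "$d/bundle-dir" "$d/hashed-dir"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Constructed Test CA" \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=sip.example.invalid" \
        -keyout "$d/server.key" -out "$d/server.csr" 2>/dev/null
    openssl x509 -req -in "$d/server.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -out "$d/server.pem" 2>/dev/null
    # Directory that merely contains a bundle file (like a system certs dir).
    cp "$d/ca.pem" "$d/bundle-dir/ca-bundle.crt"
    # Directory prepared for lookup by subject hash (<hash>.0 links).
    cp "$d/ca.pem" "$d/hashed-dir/ca.pem"
    openssl rehash "$d/hashed-dir" >/dev/null
}

verify_with() {  # $1 = -CAfile or -CApath, $2 = file or directory, $3 = cert
    if openssl verify "$1" "$2" "$3" >/dev/null 2>&1; then
        echo OK
    else
        echo FAIL
    fi
}

demo() {
    work=$(mktemp -d)
    make_pki "$work"
    srv="$work/server.pem"
    echo "bundle file as CA file:        $(verify_with -CAfile "$work/bundle-dir/ca-bundle.crt" "$srv")"
    echo "directory containing a bundle: $(verify_with -CApath "$work/bundle-dir" "$srv")"
    echo "rehashed directory:            $(verify_with -CApath "$work/hashed-dir" "$srv")"
    rm -rf "$work"
}

demo
```

A directory is only searched by subject-hash file names, so a bundle sitting inside it is ignored; a bundle has to be given as a file, as the pjsip ca_list_file setting above does.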