> On Feb. 24, 2015, 5:20 p.m., rmudgett wrote:
> > trunk/main/tcptls.c, line 836
> > <https://reviewboard.asterisk.org/r/4441/diff/1/?file=71569#file71569line836>
> >
> > It doesn't look like there is a standard cert file naming convention to
> > name the files example_rsa.pem, example_ecc.pem, and example_dsa.pem. The
> > patch assumes this naming convention. The patch should verify that
> > cfg->certfile name is in this format before trying. i.e. Check that
> > cfg->certfile ends with "_rsa.pem".
> >
> > This should be documented in the sample config files (pjsip.conf.sample
> > and sip.conf.sample at least). For pjsip the online documentation should
> > be updated in res_pjsip.c.

Fixed. However, this feature is supported in chan_sip only and not supported in pjsip. Therefore, no update to pjsip.conf.sample and res_pjsip.c, yet.

- Alexander

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviewboard.asterisk.org/r/4441/#review14529
-----------------------------------------------------------

On March 30, 2015, 8:34 a.m., Alexander Traud wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviewboard.asterisk.org/r/4441/
> -----------------------------------------------------------
>
> (Updated March 30, 2015, 8:34 a.m.)
>
>
> Review request for Asterisk Developers.
>
>
> Bugs: ASTERISK-24815
>     https://issues.asterisk.org/jira/browse/ASTERISK-24815
>
>
> Repository: Asterisk
>
>
> Description
> -------
>
> Already works for Asterisk as the client. Enables dual- (or triple-)
> certificates for Asterisk as the TLS server. When a client connects via
> SSL/TLS, the server uses a RSA key-pair usually. However, more such
> algorithms exist like DSA and ECDSA. If you go for one of those, you would
> lose compatibility to RSA-only clients. This patch allows you to provide
> up-to one RSA, ECDSA and DSA key each (= one key or two keys or three keys).
> Copied over from the Apache HTTP server project, added in version 2.4.8.
>
> Usage:
> tlscertfile=/etc/asterisk/example_rsa.pem
> Then, the code of this patch picks that path, filename, and searches for
> files called example_ecc.pem and example_dsa.pem automatically.
>
>
> Diffs
> -----
>
>   trunk/main/tcptls.c 431938
>   trunk/configs/samples/sip.conf.sample 428526
>
> Diff: https://reviewboard.asterisk.org/r/4441/diff/
>
>
> Testing
> -------
>
> by developer, manually
>
> This patch was tested in Ubuntu 14.04 LTS with a certificate from Comodo
> (ECC; chains-up to AddTrust and UTN) and RapidSSL (RSA; chains-up to GeoTrust
> and Equifax). TLS clients were CounterPath Bria (BlackBerry) and CSipSimple
> (Android). The test was done with OpenSSL 1.0.1 and OpenSSL 1.0.2. Both
> versions work as expected. However, if you use well-known (commercial)
> certificates, you might use different certificate chains. For this, you need
> at least OpenSSL 1.0.2. If you use your own certificate authority without a
> certificate chain, OpenSSL 1.0.1 is sufficient.
>
> Because no new symbol of OpenSSL was used, I do not see a reason why this
> patch should not be compatible with older OpenSSL releases. Therefore, no
> if/def/version is introduced in this patch.
>
>
> Thanks,
>
> Alexander Traud
>
>
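
The suffix check the review asks for, combined with the sibling-file lookup from the usage text, as an added example that is not part of this thread or of the Asterisk patch. The helper name `derive_sibling_cert` and the buffer sizes are assumptions; the sample paths are constructed.

```c
#include <limits.h>
#include <stdio.h>
#include <string.h>

#define RSA_SUFFIX "_rsa.pem"

/* Hypothetical helper (not from the Asterisk patch): build a sibling
 * certificate path by swapping the "_rsa.pem" suffix for new_suffix.
 * Returns 0 on success, -1 if certfile does not follow the naming
 * convention or the result would not fit in out. */
static int derive_sibling_cert(const char *certfile, const char *new_suffix,
                               char *out, size_t outlen)
{
    size_t len, slen = strlen(RSA_SUFFIX);
    int n;

    if (!certfile || !new_suffix || !out || outlen == 0) {
        return -1;
    }
    len = strlen(certfile);
    /* Must end with the exact suffix and have a non-empty file stem. */
    if (len <= slen || len - slen > INT_MAX
        || strcmp(certfile + len - slen, RSA_SUFFIX) != 0
        || certfile[len - slen - 1] == '/') {
        return -1;
    }
    n = snprintf(out, outlen, "%.*s%s", (int)(len - slen), certfile, new_suffix);
    if (n < 0 || (size_t)n >= outlen) {
        out[0] = '\0'; /* never hand back a truncated path */
        return -1;
    }
    return 0;
}

int main(void)
{
    /* Constructed samples; the first is the path from the usage text. */
    const char *samples[] = { "/etc/asterisk/example_rsa.pem",
                              "/etc/asterisk/asterisk.pem" };
    char ecc[256], dsa[256];
    size_t i;

    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        if (derive_sibling_cert(samples[i], "_ecc.pem", ecc, sizeof(ecc)) == 0
            && derive_sibling_cert(samples[i], "_dsa.pem", dsa, sizeof(dsa)) == 0) {
            printf("%s -> also try %s and %s\n", samples[i], ecc, dsa);
        } else {
            printf("%s -> single certificate only\n", samples[i]);
        }
    }
    return 0;
}
```

A certificate path that does not match the convention falls back to loading just the one configured file, so existing single-certificate setups are unaffected.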
