On Sun, Jul 7, 2019, at 11:17 AM, hw wrote: <snip>
>
> Thanks, setting 'tlscafile=/etc/pki/tls/certs/ca-bundle.crt' seems to do
> the trick. However:
>
> First I set 'tlsdontverifyserver=no' and issued a 'sip reload'. There
> was no error message. I found that suspicious and restarted asterisk,
> and the error message came back.
>
> Only then I added 'tlscafile=/etc/pki/tls/certs/ca-bundle.crt' (which
> was unset before), and after a 'sip reload', the error message was gone.
> So far, it hasn't come back even when restarting asterisk.
>
> This shows that 'sip reload' doesn't really do a reload in that a
> certificate which hasn't been verified continues to be accepted after
> the configuration changed to now require verifying the certificate. This
> might be a security problem, and if not, it is certainly good for
> surprises and can create much confusion.
>
> Is it supposed to be like this, or should I make a bug report?

Support for this probably wasn't fully done to support such behavior. You could file a bug report but support for chan_sip is provided by the community and there is no time frame on when (or if) such a thing would be looked into so keep that in mind.

--
Joshua C. Colp
Digium - A Sangoma Company | Senior Software Developer
445 Jan Davis Drive NW - Huntsville, AL 35806 - US
Check us out at: www.digium.com & www.asterisk.org
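Added example, not part of the original thread and not Asterisk project code: a small shell check that reads the [general] section of a sip.conf-style file and reports whether server certificate verification is switched off, switched on without a usable CA store, or switched on with one. The function name and the three status strings are made up for this example; it assumes a missing 'tlsdontverifyserver' means "no" and also accepts chan_sip's 'tlscapath' option, which the thread does not mention.

```sh
#!/bin/sh
# Added example. Prints one of: verify-off | verify-no-ca | verify-ok
sip_tls_verify_status() {
    conf=$1
    # Keep the last tlsdontverifyserver and tlscafile/tlscapath seen in [general].
    settings=$(awk '
        { sub(/;.*/, ""); gsub(/^[ \t]+|[ \t]+$/, "") }   # drop comments, trim
        /^\[/ { in_general = (tolower($0) ~ /^\[general\]/); next }
        in_general && /=/ {
            key = tolower(substr($0, 1, index($0, "=") - 1))
            val = substr($0, index($0, "=") + 1)
            sub(/^>/, "", val)                            # accept "key => value"
            gsub(/^[ \t]+|[ \t]+$/, "", key)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key == "tlsdontverifyserver") skip = tolower(val)
            if (key == "tlscafile" || key == "tlscapath") ca = val
        }
        END { print skip "|" ca }
    ' "$conf")
    skip=${settings%%|*}
    ca=${settings#*|}

    # Values Asterisk treats as true; an unset option is assumed to mean "no".
    case $skip in
        yes|true|y|t|1|on) echo verify-off; return 0 ;;
    esac

    # Verification is requested: it needs a readable CA file or directory.
    if [ -n "$ca" ] && [ -r "$ca" ]; then
        echo verify-ok
    else
        echo verify-no-ca
    fi
}

# Constructed sample: the state described in the thread before tlscafile was set.
sample=$(mktemp)
printf '%s\n' '[general]' 'tlsenable=yes' 'tlsdontverifyserver=no' \
    ';tlscafile=/etc/pki/tls/certs/ca-bundle.crt' > "$sample"
sip_tls_verify_status "$sample"    # prints verify-no-ca
rm -f "$sample"
```

The result describes the file on disk only. As reported in the thread, a running chan_sip kept accepting the unverified certificate after 'sip reload', so restart Asterisk before relying on the new setting.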