-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviewboard.asterisk.org/r/4441/
-----------------------------------------------------------

Review request for Asterisk Developers.


Bugs: ASTERISK-24815
    https://issues.asterisk.org/jira/browse/ASTERISK-24815


Repository: Asterisk


Description
-------

Already works for Asterisk as the client. Enables dual- (or triple-) 
certificates for Asterisk as the TLS server. When a client connects via 
SSL/TLS, the server uses an RSA key pair usually. However, more such algorithms 
exist, like DSA and ECDSA. If you go for one of those, you would lose 
compatibility with RSA-only clients. This patch allows you to provide up to one 
RSA, ECDSA and DSA key each (= one key or two keys or three keys). Copied over 
from the Apache HTTP server project, added in version 2.4.8.

Usage:
tlscertfile=/etc/asterisk/example_rsa.pem
Then, the code of this patch picks that path, filename, and searches for files 
called example_ecc.pem and example_dsa.pem automatically.


Diffs
-----

  trunk/main/tcptls.c 431938 

Diff: https://reviewboard.asterisk.org/r/4441/diff/


Testing
-------

by developer, manually

This patch was tested in Ubuntu 14.04 LTS with a certificate from Comodo (ECC; 
chains up to AddTrust and UTN) and RapidSSL (RSA; chains up to GeoTrust and 
Equifax). TLS clients were CounterPath Bria (BlackBerry) and CSipSimple 
(Android). The test was done with OpenSSL 1.0.1 and OpenSSL 1.0.2. Both 
versions work as expected. However, if you use well-known (commercial) 
certificates, you might use different certificate chains. For this, you need at 
least OpenSSL 1.0.2. If you use your own certificate authority without a 
certificate chain, OpenSSL 1.0.1 is sufficient.

Because no new symbol of OpenSSL was used, I do not see a reason why this patch 
should not be compatible with older OpenSSL releases. Therefore, no 
if/def/version is introduced in this patch.


Thanks,

Alexander Traud
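
The file lookup described under Usage, sketched as an added example that is not part of the review request or the patch. The helper name sibling_cert_path and the exact rule (swap a trailing "_rsa.pem" for "_ecc.pem" or "_dsa.pem") are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper, not taken from the patch. Assumes the naming rule is
 * "replace the trailing _rsa.pem with _<type>.pem".
 * Returns 0 on success, -1 if rsa_path does not follow the convention or
 * the derived path does not fit in out (never returns a truncated path). */
static int sibling_cert_path(const char *rsa_path, const char *type,
                             char *out, size_t outlen)
{
    static const char suffix[] = "_rsa.pem";
    const size_t slen = sizeof(suffix) - 1;
    size_t len = strlen(rsa_path);
    int n;

    if (len <= slen || strcmp(rsa_path + len - slen, suffix) != 0) {
        return -1; /* e.g. asterisk.pem: single-certificate setup */
    }
    n = snprintf(out, outlen, "%.*s_%s.pem", (int)(len - slen), rsa_path, type);
    if (n < 0 || (size_t)n >= outlen) {
        return -1; /* truncated: loading a different file would be worse */
    }
    return 0;
}

int main(void)
{
    /* Path from the Usage section; "ecc" and "dsa" are the names it lists. */
    const char *configured = "/etc/asterisk/example_rsa.pem";
    const char *types[] = { "ecc", "dsa" };
    char path[256];
    size_t i;

    for (i = 0; i < sizeof(types) / sizeof(types[0]); i++) {
        FILE *f;
        if (sibling_cert_path(configured, types[i], path, sizeof(path)) != 0) {
            continue;
        }
        f = fopen(path, "r");
        printf("%s: %s\n", path, f ? "found, would be loaded" : "absent, skipped");
        if (f) {
            fclose(f);
        }
    }
    return 0;
}
```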
