Details

    • Mantis ID:
      19156
    • Regression:
      No

      Description

      Dear All, dear Digium,

I use TLS on Asterisk 1.8.1 with a cert file from the trustwave.com CA root.

      I expected to load the certificate chain in the "tlscafile" (defined in sip.conf) and the certificate released by the CA root in the "tlscertfile" (defined in sip.conf).

      I see that the certificate chain is composed of the intermediate certificate of TrustWave CA (SecureTrust) and the root certificate of Entrust CA.

      So I copy the intermediate certificate of TrustWave CA into the tlscafile and append to that the root certificate of Entrust CA.

      Instead, I copy the certificate released from the CA into the tlscertfile.

      But after that, it seems that Asterisk reads only the first certificate of the chain in the file tlscafile and doesn't read both certificates (intermediate cert of TrustWave and root cert of Entrust). So the general chain of the certificate (CA, intermediate cert and root cert) comes out as UNTRUSTED.

      I think that this is a bug.

      tlscafile
      tlscertfile

        Activity

        Daniel Pocock added a comment -

        I fully support this patch:

        • makes Asterisk consistent with the new TLS module in Kamailio, and many other apps using the method
        • SSL_CTX_use_certificate_chain_file() from OpenSSL is the preferred method of loading a cert, according to the official OpenSSL docs http://www.openssl.org/docs/ssl/SSL_CTX_use_certificate.html
        • this will not break anything
        • it adds significant benefit, because TLS is becoming much more common in the fight against SIPspam
        • it adds significant benefit, because many low cost and free CAs (such as Startssl.com and Cacert.org) use intermediate certs.
        • The Thawte 123 low cost certs are also signed with an intermediate cert, my Polycom phone accepts these certs on the HTTPS provisioning, so I suspect they are also good for SIPS
        Matthias Nagl added a comment -

        I also support this patch as it seems to be necessary to support StartSSL (and many other) certificates and it works and is still necessary for Asterisk 10.1.3.

        Guillaume Martres added a comment -

        Any news on this? This still seems to be a problem with Asterisk 11.7.0 and a StartSSL certificate.

        Guillaume Martres added a comment -

        While discussing this on IRC, concerns were raised concerning support of DER files since SSL_CTX_use_certificate_chain_file does not support them, but Asterisk currently passes SSL_FILETYPE_PEM to SSL_CTX_use_certificate_file so this doesn't actually break anything.
        It's even recommended by the OpenSSL documentation: "SSL_CTX_use_certificate_chain_file() should be used instead of the SSL_CTX_use_certificate_file() function in order to allow the use of complete certificate chains even when no trusted CA storage is used or when the CA issuing the certificate shall not be added to the trusted CA storage. " https://www.openssl.org/docs/ssl/SSL_CTX_use_certificate.html

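The behaviour behind the original report and the DER/PEM point in the comment above, as an added example that is not part of this issue and not Asterisk's or OpenSSL's own code: the two loaders are modelled at the PEM level, a cert file loaded with SSL_CTX_use_certificate_file() yields only its first certificate, while SSL_CTX_use_certificate_chain_file() yields the server certificate followed by every intermediate after it and refuses DER. The audit reads the tlscertfile/tlscafile options from a constructed sip.conf fragment (the tlsenable line and the /etc/asterisk/keys paths are assumed, not taken from this issue) and the PEM bodies are placeholders rather than real certificates.

```python
import re

# A PEM block: BEGIN marker, body, END marker with the same label.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.S
)


def pem_blocks(data: bytes) -> list:
    """Return (label, body) pairs for every PEM block in the file, in order."""
    return PEM_BLOCK.findall(data.decode("ascii", "replace"))


def is_pem(data: bytes) -> bool:
    """PEM starts with a BEGIN marker; DER starts with an ASN.1 SEQUENCE tag.
    Only PEM can hold several certificates in one file, which is why the
    chain loader accepts PEM only."""
    return data.lstrip().startswith(b"-----BEGIN")


def certificates_in(data: bytes) -> list:
    """Bodies of the CERTIFICATE blocks, skipping keys and other block types."""
    return [body for label, body in pem_blocks(data) if label == "CERTIFICATE"]


def load_certificate_file(data: bytes) -> list:
    """Models SSL_CTX_use_certificate_file(): only the first certificate is
    installed; intermediates after it are ignored, so clients receive an
    incomplete chain."""
    return certificates_in(data)[:1]


def load_certificate_chain_file(data: bytes) -> list:
    """Models SSL_CTX_use_certificate_chain_file(): the first certificate is
    the server's own, every following one is added to the chain sent to
    clients. DER input is rejected."""
    if not is_pem(data):
        raise ValueError("chain file must be PEM; DER is not accepted")
    return certificates_in(data)


def audit_sip_tls(sip_conf: str, files: dict) -> dict:
    """Audit the tlscertfile/tlscafile layout. `files` maps each configured
    path to the file's bytes (constructed here instead of reading disk)."""
    opts = dict(re.findall(r"^\s*(tls\w+)\s*=\s*(\S+)", sip_conf, re.M))
    cert = files.get(opts.get("tlscertfile"), b"")
    ca = files.get(opts.get("tlscafile"), b"")
    findings = []
    if not is_pem(cert):
        findings.append("tlscertfile is not PEM: the chain loader only accepts PEM")
        return {"options": opts, "findings": findings}
    sent_old = len(load_certificate_file(cert))
    sent_new = len(load_certificate_chain_file(cert))
    if sent_new > 1:
        findings.append(
            f"tlscertfile carries {sent_new - 1} intermediate(s); a build using "
            "SSL_CTX_use_certificate_file() would send only the first certificate")
    else:
        findings.append(
            "tlscertfile holds only the server certificate; append the "
            "intermediate(s) after it so the full chain is sent to clients")
    n_ca = len(certificates_in(ca))
    if n_ca:
        findings.append(
            f"tlscafile holds {n_ca} CA certificate(s); these verify peers and "
            "are not sent as the server's chain")
    return {"options": opts, "sent_by_certificate_file": sent_old,
            "sent_by_chain_file": sent_new, "findings": findings}


def _fake_pem(label: str, name: str) -> bytes:
    # Constructed placeholder block; real files carry base64 DER here.
    return (f"-----BEGIN {label}-----\nPLACEHOLDER-{name}\n"
            f"-----END {label}-----\n").encode()


# Constructed sip.conf fragment and file contents for a stand-alone run.
SAMPLE_SIP_CONF = """
[general]
tlsenable=yes
tlscertfile=/etc/asterisk/keys/asterisk.pem
tlscafile=/etc/asterisk/keys/ca.crt
"""

SAMPLE_FILES = {
    # server certificate first, then the CA's intermediate, then the key
    "/etc/asterisk/keys/asterisk.pem":
        _fake_pem("CERTIFICATE", "server")
        + _fake_pem("CERTIFICATE", "intermediate")
        + _fake_pem("RSA PRIVATE KEY", "server"),
    # trust store used to verify peers: the root only
    "/etc/asterisk/keys/ca.crt": _fake_pem("CERTIFICATE", "root"),
}

if __name__ == "__main__":
    for line in audit_sip_tls(SAMPLE_SIP_CONF, SAMPLE_FILES)["findings"]:
        print(line)
```

Run against real files by replacing SAMPLE_FILES with a dict read from the configured paths; the ordering rule is the practical takeaway: the server certificate must be the first block of tlscertfile, with the intermediates following it, while tlscafile only feeds the trust store used to verify peers.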
        Guillaume Martres added a comment -

        Add documentation on the certificate chain.


          People

          • Watchers:
            10