| Summary: | ASTERISK-19268: Need to specify TLS peer verification policy per-peer |
| Reporter: | Daniel Pocock (daniel.pocock) |
| Labels: | |
| Date Opened: | 2012-01-29 15:22:49.000-0600 |
| Date Closed: | 2012-01-30 16:51:19.000-0600 |
| Priority: | Major |
| Regression? | No |
| Status: | Closed/Complete |
| Components: | Channels/chan_sip/TCP-TLS |
| Versions: | 1.8.9.0 |
| Frequency of Occurrence | Constant |
| Related Issues: | |
| Environment: | all |
| Attachments: | |
Description:

For inter-domain routing of SIP messages, it is recommended that each proxy/PBX does full TLS verification. Here is the RFC on the subject; it provides very useful background about this bug: http://tools.ietf.org/html/rfc5922

Example: Asterisk receives a SIP connection from Kamailio:
- Asterisk should demand a client certificate from Kamailio
- Kamailio will present its server certificate as a client certificate
- Asterisk should verify that the cert is signed by a trusted CA
- Asterisk should perform verification of the CN and/or subjectAltName/dNSName entries against each message that comes in

However, the same Asterisk server, when receiving a TLS connection from a trusted peer (authentication by shared secret), does not need to demand a certificate - in this case, certificate exchange is unidirectional (just like the typical scenario where you connect to an HTTPS web server).

To facilitate this, Asterisk probably needs a new parameter:

tls_verify_client=yes|no

that can be specified in the [general] section and the individual [peer] sections of sip.conf, e.g.

{code}
[general]
; demand a client certificate/two-way certificate exchange from unknown peers
tls_verify_client=yes

[8001]
; user connects with TLS, but with no client cert
transport=tls
tls_verify_client=no
; he uses a password
secret=daniel
{code}
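The policy the description asks for, as an added illustration that is not Asterisk or Kamailio code: a per-peer tls_verify_client flag selects one-way or mutual TLS, and for mutual TLS the presented certificate's dNSName SANs (CN only as a fallback, as RFC 5922 describes) are matched case-insensitively, without wildcards, against the domain of the incoming message. PeerPolicy, ClientCert, sip_domain and check_tls_peer are names assumed here, and the certificate values are constructed.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class PeerPolicy:
    name: str
    verify_client: bool            # the proposed tls_verify_client=yes|no
    secret: Optional[str] = None   # shared secret for one-way TLS peers


@dataclass
class ClientCert:
    subject_cn: str
    san_dnsnames: List[str] = field(default_factory=list)
    chain_trusted: bool = False    # outcome of CA chain validation (constructed input)


def cert_identities(cert: ClientCert) -> List[str]:
    """RFC 5922 identities: every dNSName SAN; the CN only when no SAN exists."""
    return [d.lower() for d in cert.san_dnsnames] or [cert.subject_cn.lower()]


def sip_domain(uri: str) -> str:
    """Host of a SIP URI: sip(s):user@host:port;params -> host, lower-cased."""
    if uri.lower().startswith(("sip:", "sips:")):
        uri = uri.split(":", 1)[1]
    host = uri.split("@", 1)[-1].split(";", 1)[0]
    if host.startswith("["):                      # IPv6 literal
        return host[1:host.index("]")].lower()
    return host.split(":", 1)[0].lower()


def check_tls_peer(peer: PeerPolicy, cert: Optional[ClientCert],
                   from_uri: str) -> Tuple[bool, str]:
    """Decide whether an inbound TLS SIP request satisfies the peer's policy."""
    if not peer.verify_client:
        # One-way TLS: only the server side authenticated at the TLS layer;
        # the peer is still authenticated by its shared secret (SIP digest).
        return True, "defer to shared secret"
    if cert is None:
        return False, "client certificate required"
    if not cert.chain_trusted:
        return False, "certificate not signed by a trusted CA"
    domain = sip_domain(from_uri)
    # Exact, case-insensitive comparison; RFC 5922 forbids wildcard identities.
    if domain not in cert_identities(cert):
        return False, f"domain {domain} not among certificate identities"
    return True, "mutual TLS"


if __name__ == "__main__":
    kamailio = ClientCert("kamailio.example.org", ["example.org"], True)
    print(check_tls_peer(PeerPolicy("unknown", True), kamailio, "sip:bob@example.org"))
    print(check_tls_peer(PeerPolicy("8001", False, "daniel"), None, "sip:8001@pbx.example.org"))
```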
Comments:

By: Matt Jordan (mjordan) 2012-01-30 16:51:10.982-0600

Feature requests are no longer submitted to or accepted through the issue tracker. Feature requests are openly discussed on the mailing lists [1] and Asterisk IRC channels and made note of by Bug Marshals.

[1] http://www.asterisk.org/support/mailing-lists

By: Daniel Pocock (daniel.pocock) 2012-01-30 18:16:44.743-0600

It is probably somewhere in between bug-report and feature-request: it is stuff that is mandatory for Asterisk to comply with the SIP standard with respect to TLS: http://tools.ietf.org/html/rfc3261#section-26.3.1

26.3.1 Requirements for Implementers of SIP
"Proxy servers, redirect servers, and registrars MUST implement TLS, and MUST support both mutual and one-way authentication."

However, it is not something that causes Asterisk to crash, so it is not an outright bug. It is a mandatory part of the SIP standard that is not implemented, so it is not just a wish-list item or user preference.

By: Tzafrir Cohen (tzafrir) 2017-12-25 08:24:56.399-0600

Doing some house-keeping, and this issue is referred to by an old Debian bug. I believe that this issue is at least mostly fixed by chan_pjsip, as there is a per-endpoint configuration of verification.