
Summary: ASTERISK-24815: [patch] Enable TLS Dual-Certificates (ECC+RSA)
Reporter: Alexander Traud (traud)
Labels:
Date Opened: 2015-02-20 14:05:46.000-0600
Date Closed: 2015-05-17 14:37:25
Priority: Minor
Regression?
Status: Closed/Complete
Components: Channels/chan_sip/TCP-TLS
Versions: SVN
Frequency of Occurrence:
Related Issues:
Environment:
Attachments: ( 0) tls_rsa_ecc_dsa.patch
Description: Already works for Asterisk as the client. Enables dual- (or triple-) certificates for Asterisk as the server. When a client connects via SSL/TLS, the server usually uses an RSA key-pair. However, more such algorithms exist, like DSA and ECDSA. If you go for one of those, you would lose compatibility with RSA-only clients. This patch allows you to provide up to one RSA, ECDSA and DSA key each. Copied over from the Apache HTTP server project, [added|http://httpd.apache.org/docs/current/mod/mod_ssl.html#sslcertificatefile] in version 2.4.8.

*Benefit*

If some of your VoIP clients are not compatible with SHA-2 hashed certificates – for example [Nokia mobile phones|http://discussions.nokia.com/t5/Symbian-Devices/SHA2-support-on-Nikia-C5-E71-and-E72/m-p/2532624#M365219] – you can use RSA/SHA-1 for legacy clients and ECDSA/SHA-2 for everyone else.

*Usage*

{{tlscertfile=/etc/asterisk/example_rsa.pem}}
Then, the code of this patch picks that and searches for files called {{example_ecc.pem}} and {{example_dsa.pem}} automatically.

Because OpenSSL prefers RSA over ECDSA (see
{{openssl ciphers -v [DEFAULT|http://www.openssl.org/docs/apps/ciphers.html]}}),
consider re-ordering your cipher suites in sip.conf, for example:
{{tlscipher=ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:AES128-SHA:RC4-SHA:-ECCdraft:-COMPLEMENTOFDEFAULT}}
to use ECDSA (and PFS) when offered by the client.

If you use well-known (commercial) certificates, you might use different certificate chains. For this, support [was added|https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=b9fa413a08d436d6b522749b5e808fcd931fd943] in OpenSSL 1.0.2. Previously, only the chain of the first certificate was delivered. To compile Asterisk together with that OpenSSL version, for example in Debian:
{noformat}
sudo apt-get -y build-dep openssl
wget ftp.debian.org/debian/pool/main/o/openssl/openssl_1.0.2a-1.debian.tar.xz
wget ftp.debian.org/debian/pool/main/o/openssl/openssl_1.0.2a.orig.tar.gz
wget ftp.debian.org/debian/pool/main/o/openssl/openssl_1.0.2a-1.dsc
wget github.com/PeterMosmans/openssl/archive/1.0.2-chacha.zip
unzip -qq 1.0.2*chacha.zip
cd openssl-1.0.2*chacha
wget ftp.debian.org/debian/pool/main/o/openssl/openssl_1.0.2a-1.debian.tar.xz
tar xf openssl_1.0.2*
mkdir include/openssl
cp crypto/idea/idea.h include/openssl/
cp crypto/mdc2/mdc2.h include/openssl/
wget www.traud.de/voip/sip/patches/openssl/debian-targets.patch
mv debian-targets.patch debian/patches/
wget www.traud.de/voip/sip/patches/openssl/engines-path.patch
mv engines-path.patch debian/patches/
wget www.traud.de/voip/sip/patches/openssl/openssl-pod-misspell.patch
mv openssl-pod-misspell.patch debian/patches/
wget www.traud.de/voip/sip/patches/openssl/version-script.patch
mv version-script.patch debian/patches/
dpkg-buildpackage -us -uc -nc
cd /usr/src/asterisk*
sudo service asterisk stop
sudo make distclean
LDFLAGS='-Wl,-rpath,/usr/src/openssl-1.0.2-chacha' ./configure --with-ssl='/usr/src/openssl-1.0.2-chacha'
make
sudo make install
{noformat}
This patch was tested in Ubuntu 14.04 LTS with a certificate from [Comodo|https://www.gogetssl.com/domain-validation/comodo-positive-ssl/] (ECC; chains up to AddTrust and UTN) and [RapidSSL|https://www.gogetssl.com/domain-validation/rapidssl-standard/] (RSA; chains up to GeoTrust and Equifax). TLS clients were [CounterPath Bria|http://appworld.blackberry.com/webstore/content/28329074/] (BlackBerry) and [CSipSimple|https://play.google.com/store/apps/details?id=com.csipsimple] (Android).
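As an added example (not code from the issue or from tls_rsa_ecc_dsa.patch), a check of the Usage advice above: a dual-certificate server presents whichever certificate the negotiated cipher suite requires, so the tlscipher value quoted in the description is parsed and verified to list ECDSA suites before RSA/DSS ones, and its entries without forward secrecy are reported. The classification relies on OpenSSL's cipher naming convention and covers only the common prefixes.

```python
# Added example, not from the Asterisk patch: checks sip.conf tlscipher ordering.
# tlscipher value quoted in the issue, including its two '-' removal directives.
TLSCIPHER_FROM_ISSUE = (
    "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:"
    "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:"
    "EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:AES128-SHA:RC4-SHA:"
    "-ECCdraft:-COMPLEMENTOFDEFAULT"
)

# OpenSSL cipher-name prefix -> (certificate type used for authentication, PFS?).
_KX_PREFIXES = {
    "ECDHE-ECDSA-": ("ECDSA", True), "ECDHE-RSA-": ("RSA", True),
    "DHE-RSA-": ("RSA", True), "EDH-RSA-": ("RSA", True),  # EDH = old DHE alias
    "DHE-DSS-": ("DSS", True), "EDH-DSS-": ("DSS", True),
}
# Anonymous and pre-shared-key suites authenticate with no certificate at all.
_NO_CERT_PREFIXES = ("ADH-", "AECDH-", "PSK-", "SRP-", "NULL-")

def classify(name):
    """Return (cert type, pfs) for one cipher name, or None if no certificate."""
    for prefix, info in _KX_PREFIXES.items():
        if name.startswith(prefix):
            return info
    if name.startswith(_NO_CERT_PREFIXES):
        return None
    return ("RSA", False)  # no kx prefix: static RSA key transport (AES128-SHA)

def parse_cipher_list(value):
    """Suite names only: drop '-', '!', '+', '@' directives and bare keywords
    such as DEFAULT or HIGH, which name groups rather than single suites."""
    return [item for item in value.split(":")
            if item and item[0] not in "-!+@" and not item.isalpha()]

def auth_sequence(value):
    """Certificate type of each certificate-based suite, in preference order."""
    return [classify(s)[0] for s in parse_cipher_list(value) if classify(s)]

def ecdsa_preferred(value):
    """True when every ECDSA suite is listed before any RSA or DSS suite, so a
    client offering both gets the ECDSA certificate when the server's order wins."""
    seq = auth_sequence(value)
    if "ECDSA" not in seq:
        return False
    last_ecdsa = max(i for i, a in enumerate(seq) if a == "ECDSA")
    return all(a == "ECDSA" for a in seq[:last_ecdsa + 1])

def non_pfs_suites(value):
    """Suites without forward secrecy (static RSA key transport)."""
    return [s for s in parse_cipher_list(value) if classify(s) == ("RSA", False)]
```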
Comments:

By: Rusty Newton (rnewton) 2015-02-20 17:02:13.827-0600

Thanks for the contribution! If you'd like your contribution to be included faster, you should submit your patch for code review by the Asterisk Developer Community. To do so, please follow the Code Review [1] instructions on the wiki. Be sure to:
* Verify that your patch conforms to the Coding Guidelines [2]
* Review the Code Review Checklist [3] for common items reviewers will look for
* If necessary, provide tests for the Asterisk Test Suite that verify the correctness of your patch [4]
* As this is a new feature, please read the New Feature Guidelines [5]
* Make sure your new feature applies cleanly to Asterisk trunk

When ready, submit your patch and any tests to Review Board [6] for code review.

Thanks!

[1] https://wiki.asterisk.org/wiki/display/AST/Code+Review
[2] https://wiki.asterisk.org/wiki/display/AST/Coding+Guidelines
[3] https://wiki.asterisk.org/wiki/display/AST/Code+Review+Checklist
[4] https://wiki.asterisk.org/wiki/display/AST/Asterisk+Test+Suite+Documentation
[5] https://wiki.asterisk.org/wiki/display/AST/New+Feature+Guidelines
[6] https://wiki.asterisk.org/wiki/display/AST/Review+Board+Usage

By: Alexander Traud (traud) 2015-05-05 03:39:46.979-0500

This issue is still on Review Board. However, there I am not able to log in anymore.
A) Is it still possible to get a final Ship-it! there? Or
B) Shall I move the current version of the patch over to Gerrit?

By: Richard Mudgett (rmudgett) 2015-05-05 11:42:52.195-0500

Reviewboard is no longer active since Asterisk switched from SVN to Git. You need to put the patch up on Gerrit. Please note that with git you need to create the commit message as part of the review.

https://wiki.asterisk.org/wiki/display/AST/Commit+Messages

By: Rusty Newton (rnewton) 2015-05-17 14:37:25.275-0500

Fix was merged so I'm closing this out. Auto-close wasn't working.