
Summary: ASTERISK-25409: Asterisk not reading entire TLSCERTFILE
Reporter: Sam Ultima (samultima)
Labels:
Date Opened: 2015-09-21 16:08:20
Date Closed: 2015-10-06 09:34:27
Priority: Major
Regression?: No
Status: Closed/Complete
Components: Channels/chan_sip/TCP-TLS
Versions: 13.5.0
Frequency of Occurrence: Constant
Related Issues:
Environment: SHMZ release 6.5 (Final), FreePBX 12.0.76.1, PBX Firmware: 6.12.65-30, PBX Service Pack: 1.0.0.0, 4GB ram, dual processor cores.
Attachments:
Description:

We have set up TLS+SRTP and thoroughly tested to verify successful operation using a single phone and security certificate.

The problem starts when we added another phone and then appended the phone security certificate to the TLSCERT file. We have tried rearranging these without success. This file reads the first certificate at the top while the others are ignored, causing phones to fail registration.

Logs and config files are attached.
Comments:

By: Asterisk Team (asteriskteam) 2015-09-21 16:08:21.920-0500

Thanks for creating a report! The issue has entered the triage process. That means the issue will wait in this status until a Bug Marshal has an opportunity to review the issue. Once the issue has been reviewed you will receive comments regarding the next steps towards resolution.

A good first step is for you to review the [Asterisk Issue Guidelines|https://wiki.asterisk.org/wiki/display/AST/Asterisk+Issue+Guidelines] if you haven't already. The guidelines detail what is expected from an Asterisk issue report.

Then, if you are submitting a patch, please review the [Patch Contribution Process|https://wiki.asterisk.org/wiki/display/AST/Patch+Contribution+Process].

By: Sam Ultima (samultima) 2015-09-21 16:11:47.173-0500

full log w/ verbose 5 settings.

By: Sam Ultima (samultima) 2015-09-21 16:12:41.141-0500

Asterisk TLSCERT file with IP-phone security certificates

By: Sam Ultima (samultima) 2015-09-21 16:14:32.207-0500

configs

By: Joshua C. Colp (jcolp) 2015-09-30 10:23:27.428-0500

Can you provide more information on exactly how you want this to work? The "tlscertfile" option is for the certificate presented on outgoing connections to another device and only allows specifying one certificate (or a chain). I'd expect each individual phone to have a certificate issued from a certificate authority, and that certificate authority be available in Asterisk for verification. I'd also expect the certificate authority to be present on the phone so it can verify the certificate.

If you really do need individual outgoing certificates in chan_sip this is not currently possible and would require substantial work to chan_sip to support.

By: Sam Ultima (samultima) 2015-10-02 12:08:13.026-0500

How we wanted this to work was for each phone to have its own generated certificate, assuring a single user's privacy and security. There is no official certificate of authority or configuration for each phone; is this required? Could you provide a command example to generate a CA?

To get back to your questions, this does work on a single phone and secures both signaling and RTP. I realize this might require "substantial work" to have Asterisk support multiple certificate chains and feel this would be a huge security benefit, assuring that another malicious user/employee/customer cannot utilize the "shared certificate" to exploit another phone. (This defeats the purpose of encryption.)

Could you please submit this to your development team for consideration?

By: Joshua C. Colp (jcolp) 2015-10-02 12:14:52.457-0500

A tutorial is at https://wiki.asterisk.org/wiki/display/AST/Secure+Calling+Tutorial which includes key generation. Each phone can have an issued certificate, but they are each issued from the same certificate authority.

As for submitting to the development team: Asterisk is an open source project, and development occurs as a result of what people would like to work on or issues they have run into.
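As an added example, not from this issue or from the Asterisk project, here is the PKI layout jcolp describes in the two comments above: one private CA, one certificate for the PBX and one per phone, all issued by that same CA. The PBX's own certificate and key are what belong in `tlscertfile`/`tlsprivatekey`, and the CA certificate goes into `tlscafile`; the phone certificates are never appended to `tlscertfile`. The directory layout, file names, the "Example PBX CA" subject and the phone CN values are assumptions constructed for this demo. The last helper shows the behaviour the reporter ran into: a tool that reads a PEM file as "the certificate" (here `openssl x509`) takes only the first block and silently ignores the rest.

```shell
#!/bin/sh
# Added example (not Asterisk project code). Requires the openssl CLI.
# Assumed layout: DIR/ca.key, DIR/ca.crt, DIR/pbx.{key,crt}, DIR/<phone>.{key,crt}
set -eu

# make_pki DIR PHONE...
#   Build a self-signed CA in DIR, then issue one leaf certificate for "pbx"
#   and one for every PHONE name given, each signed by that CA.
make_pki() {
    dir=$1; shift
    mkdir -p "$dir"
    # 1. The CA: a self-signed certificate whose key signs all leaf certs.
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=Example PBX CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" >/dev/null 2>&1
    # 2. One key pair and CA-signed certificate per entity (PBX + phones).
    for name in pbx "$@"; do
        openssl req -new -newkey rsa:2048 -nodes \
            -subj "/CN=$name" \
            -keyout "$dir/$name.key" -out "$dir/$name.csr" >/dev/null 2>&1
        openssl x509 -req -days 365 -in "$dir/$name.csr" \
            -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
            -out "$dir/$name.crt" >/dev/null 2>&1
        rm -f "$dir/$name.csr"
    done
    # Resulting sip.conf mapping (constructed): tlscertfile=DIR/pbx.crt,
    # tlsprivatekey=DIR/pbx.key, tlscafile=DIR/ca.crt; each phone gets its
    # own <phone>.crt/<phone>.key and the same ca.crt to verify the PBX.
}

# count_certs FILE : number of PEM certificate blocks in FILE.
count_certs() {
    grep -c 'BEGIN CERTIFICATE' "$1"
}

# verify_leaf DIR NAME : "ok" if DIR/NAME.crt chains to DIR/ca.crt, else "fail".
verify_leaf() {
    if openssl verify -CAfile "$1/ca.crt" "$1/$2.crt" >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}

# first_cert_cn FILE : CN of the FIRST certificate in FILE. openssl x509 reads
# only the first PEM block, which is why a file holding several leaf certs
# behaves as if it contained just the one at the top.
first_cert_cn() {
    openssl x509 -noout -subject -in "$1" | sed 's/.*CN *= *//'
}
```

To try it, run `make_pki ./pki phone1 phone2`, then `verify_leaf ./pki phone1` prints `ok`, and after `cat pki/phone1.crt pki/phone2.crt > bundle.pem`, `first_cert_cn bundle.pem` prints only `phone1` even though `count_certs bundle.pem` reports two blocks.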

By: Rusty Newton (rnewton) 2015-10-06 09:34:28.003-0500

Closing this out as Not A Bug. At this point we would consider this a feature request with no patch provided. Feature requests are not tracked on the issue tracker.

Feel free to submit a patch in the future and we can open a new issue or else you might discuss the feature in a community channel such as the mailing lists or forums.

https://wiki.asterisk.org/wiki/display/AST/Asterisk+Issue+Guidelines
http://www.asterisk.org/community/discuss