| field | value | date |
|---|---|---|
| author | Alexander Traud <pabstraud@compuserve.com> | 2015-05-10 16:55:24 +0200 |
| committer | Alexander Traud <pabstraud@compuserve.com> | 2015-05-15 10:01:04 +0200 |
| commit | 8f3f414d8c8f80a2b0b23dd683a0adef25ddfa50 (patch) | |
| tree | 57667632ef38c127025b43898b0b8a5acc0db1f0 /configs/samples/pjsip.conf.sample | |
| parent | 32eb812b28ffc1745e08cb507d8c4409d3ed297a (diff) | |
tcptls: Enable multiple TLS certificate chains (RSA+ECC+DSA) for server socket.
When a client connects to a server via SSL/TLS, the server commonly utilizes an
RSA key-pair. However, other such algorithms exist (e.g. DSA and ECDSA), and if
the server socket is configured with a certificate for either one of those, it
would lose its compatibility with RSA-only clients.
Now, the server socket can be configured with up to one RSA, ECDSA and DSA key
each. For example, if a client is not compatible with SHA-2 hashed certificates
like Nokia mobile phones, the server socket still can use RSA/SHA-1 for legacy
clients and ECDSA/SHA-2 for everyone else.
ASTERISK-24815 #close
Reported by: Alexander Traud
patches:
tls_rsa_ecc_dsa.patch uploaded by Alexander Traud (License 6520)
Change-Id: Iada5e00d326db5ef86e0af7069b4dfa1b979da9a
Diffstat (limited to 'configs/samples/pjsip.conf.sample')
| mode | file | lines changed |
|---|---|---|
| -rw-r--r-- | configs/samples/pjsip.conf.sample | 8 |
1 files changed, 7 insertions, 1 deletions
diff --git a/configs/samples/pjsip.conf.sample b/configs/samples/pjsip.conf.sample index 5e3757175..276e214e9 100644 --- a/configs/samples/pjsip.conf.sample +++ b/configs/samples/pjsip.conf.sample @@ -765,7 +765,13 @@ ; (default: "") ;cert_file= ; Certificate file for endpoint TLS ONLY ; Will read .crt or .pem file but only uses cert, - ; a .key file must be specified via priv_key_file + ; a .key file must be specified via priv_key_file. + ; Since PJProject version 2.5: If the file name ends in _rsa, + ; for example "asterisk_rsa.pem", the files "asterisk_dsa.pem" + ; and/or "asterisk_ecc.pem" are loaded (certificate, inter- + ; mediates, private key), to support multiple algorithms for + ; server authentication (RSA, DSA, ECDSA). If the chains are + ; different, at least OpenSSL 1.0.2 is required. ; (default: "") ;cipher= ; Preferred cryptography cipher names TLS ONLY (default: "") ;domain= ; Domain the transport comes from (default: "") |
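Review bot: the added cert_file comment contradicts the line just above it about where the private key comes from. The existing text says the file "only uses cert, a .key file must be specified via priv_key_file", while the new sentence says the _dsa/_ecc siblings are loaded with "(certificate, intermediates, private key)". State explicitly that priv_key_file applies only to the _rsa file and that each sibling must be a self-contained PEM holding its own chain and key, or correct the parenthetical if that is not what PJProject does. The comment should also say what happens in the two failure cases it only hints at: a bundled PJProject older than 2.5 (are the siblings silently ignored, leaving an RSA-only server?) and differing chains on OpenSSL before 1.0.2 (startup error, or silent fallback to a single chain?). A silent fallback is the case an operator who relies on the ECDSA chain being served needs to know about. Minor: "inter-" / "mediates" is hyphenated across two comment lines in a file users copy verbatim; reflow the comment so the word is whole.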
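The sample above ties multi-chain loading to a file naming rule (cert_file ending in `_rsa.<ext>` pulls in `<name>_dsa.<ext>` and `<name>_ecc.<ext>`) and to each sibling file carrying its own certificate, intermediates and private key, while the `_rsa` file's key still comes from priv_key_file. Because a misnamed or incomplete sibling just means that algorithm is never offered, a pre-flight check is worth having. The script below is an added example, not Asterisk or PJProject code: it derives the sibling names from every uncommented `cert_file=` line of a pjsip.conf and checks that any sibling that exists contains both a certificate and a private key block. The function names, the paths and the PEM fixtures (markers only, no real key material) are assumptions made for the illustration; paths containing whitespace are not handled.

```shell
#!/bin/sh
# Added example, not Asterisk or PJProject code. Pre-flight check for the
# cert_file naming convention in pjsip.conf.sample: if cert_file ends in
# _rsa.<ext>, PJProject 2.5+ also loads <name>_dsa.<ext> and <name>_ecc.<ext>,
# and those optional sibling files must carry certificate, intermediates and
# private key (the _rsa file's key comes from priv_key_file instead).
# Function names, paths and the PEM fixtures below are assumptions.

# Print the two sibling files PJProject would look for, space separated.
# Returns 1 when the name has no _rsa suffix (plain single-chain setup).
sibling_chain_files() {
    cert=$1
    case $cert in
        *_rsa.*) ;;
        *) return 1 ;;
    esac
    base=${cert%_rsa.*}      # ".../asterisk_rsa.pem" -> ".../asterisk"
    ext=${cert##*.}          # "pem"
    printf '%s %s\n' "${base}_dsa.${ext}" "${base}_ecc.${ext}"
}

# Returns 0 when the PEM file holds at least one certificate and one private
# key block ("PRIVATE KEY", "EC PRIVATE KEY", "DSA PRIVATE KEY", ...).
pem_has_cert_and_key() {
    f=$1
    [ -r "$f" ] || return 1
    grep -q -- '-----BEGIN CERTIFICATE-----' "$f" || return 1
    grep -q -- 'PRIVATE KEY-----' "$f" || return 1
}

# Walk every uncommented cert_file= line in a pjsip.conf (";cert_file=" is
# skipped) and validate the sibling chains. Returns 1 if a sibling exists but
# lacks a certificate or a key. Paths containing whitespace are not supported.
check_transport_chains() {
    conf=$1
    rc=0
    for cert in $(sed -n 's/^[[:space:]]*cert_file[[:space:]]*=[[:space:]]*//p' "$conf"); do
        if ! siblings=$(sibling_chain_files "$cert"); then
            echo "$cert: no _rsa suffix, only this chain will be offered"
            continue
        fi
        for sib in $siblings; do
            if [ ! -e "$sib" ]; then
                echo "$sib: absent, that algorithm will not be offered"
            elif pem_has_cert_and_key "$sib"; then
                echo "$sib: ok, certificate and private key present"
            else
                echo "$sib: present but missing certificate or private key" >&2
                rc=1
            fi
        done
    done
    return $rc
}

# Stand-alone demo on constructed fixtures (PEM markers only, no real keys).
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'MIIB...' '-----END CERTIFICATE-----' \
        > "$d/asterisk_rsa.pem"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'MIIB...' '-----END CERTIFICATE-----' \
        '-----BEGIN EC PRIVATE KEY-----' 'MHcC...' '-----END EC PRIVATE KEY-----' \
        > "$d/asterisk_ecc.pem"
    # DSA sibling with a certificate but no key: the check must flag it.
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'MIIB...' '-----END CERTIFICATE-----' \
        > "$d/asterisk_dsa.pem"
    cat > "$d/pjsip.conf" <<EOF
[transport-tls]
type=transport
protocol=tls
bind=0.0.0.0:5061
cert_file=$d/asterisk_rsa.pem
priv_key_file=$d/asterisk_rsa.key
EOF
    if check_transport_chains "$d/pjsip.conf"; then
        echo "all sibling chains complete"
    else
        echo "fix the flagged files before (re)starting Asterisk"
    fi
    rm -rf "$d"
}

demo
```

Run it against the real pjsip.conf by replacing the `demo` call with `check_transport_chains /etc/asterisk/pjsip.conf`. The check is deliberately lenient about absent siblings, since the sample says the extra files are loaded "and/or", but strict about a sibling that is present and incomplete, because that is the configuration most likely to leave the server quietly offering fewer chains than intended.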