diff options
author | Alexander Traud <pabstraud@compuserve.com> | 2015-05-10 16:55:24 +0200 |
---|---|---|
committer | Alexander Traud <pabstraud@compuserve.com> | 2015-05-15 10:01:04 +0200 |
commit | 8f3f414d8c8f80a2b0b23dd683a0adef25ddfa50 (patch) | |
tree | 57667632ef38c127025b43898b0b8a5acc0db1f0 /configs/samples/sip.conf.sample | |
parent | 32eb812b28ffc1745e08cb507d8c4409d3ed297a (diff) |
tcptls: Enable multiple TLS certificate chains (RSA+ECC+DSA) for server socket.
When a client connects to a server via SSL/TLS, the server commonly utilizes an
RSA key-pair. However, other such algorithms exist (i.e. DSA and ECDSA), and if
the server socket is configured with a certificate for either one of those, it
would lose its compatibility with RSA-only clients.
Now, the server socket can be configured with up to one RSA, ECDSA and DSA key
each. For example, if a client is not compatible with SHA-2 hashed certificates
like Nokia mobile phones, the server socket still can use RSA/SHA-1 for legacy
clients and ECDSA/SHA-2 for everyone else.
ASTERISK-24815 #close
Reported by: Alexander Traud
patches:
tls_rsa_ecc_dsa.patch uploaded by Alexander Traud (License 6520)
Change-Id: Iada5e00d326db5ef86e0af7069b4dfa1b979da9a
Diffstat (limited to 'configs/samples/sip.conf.sample')
-rw-r--r-- | configs/samples/sip.conf.sample | 7 |
1 files changed, 6 insertions, 1 deletions
diff --git a/configs/samples/sip.conf.sample b/configs/samples/sip.conf.sample index e52fa6db2..71e3fb72b 100644 --- a/configs/samples/sip.conf.sample +++ b/configs/samples/sip.conf.sample @@ -561,7 +561,12 @@ srvlookup=yes ; Enable DNS SRV lookups on outbound calls ;------------------------ TLS settings ------------------------------------------------------------ ;tlscertfile=</path/to/certificate.pem> ; Certificate chain (*.pem format only) to use for TLS connections ; The certificates must be sorted starting with the subject's certificate - ; and followed by intermediate CA certificates if applicable. + ; and followed by intermediate CA certificates if applicable. If the + ; file name ends in _rsa, for example "asterisk_rsa.pem", the files + ; "asterisk_dsa.pem" and/or "asterisk_ecc.pem" are loaded + ; (certificate, intermediates, private key), to support multiple + ; algorithms for server authentication (RSA, DSA, ECDSA). If the chains + ; are different, at least OpenSSL 1.0.2 is required. ; Default is to look for "asterisk.pem" in current directory ;tlsprivatekey=</path/to/private.pem> ; Private key file (*.pem format only) for TLS connections. |