diff options
| author | Alexander Traud <pabstraud@compuserve.com> | 2015-05-10 16:55:24 +0200 |
|---|---|---|
| committer | Alexander Traud <pabstraud@compuserve.com> | 2015-05-15 10:01:04 +0200 |
| commit | 8f3f414d8c8f80a2b0b23dd683a0adef25ddfa50 (patch) | |
| tree | 57667632ef38c127025b43898b0b8a5acc0db1f0 /configs | |
| parent | 32eb812b28ffc1745e08cb507d8c4409d3ed297a (diff) | |
tcptls: Enable multiple TLS certificate chains (RSA+ECC+DSA) for server socket.
When a client connects to a server via SSL/TLS, the server commonly utilizes an
RSA key-pair. However, other such algorithms exist (i.e. DSA and ECDSA), and if
the server socket is configured with a certificate for either one of those, it
would lose its compatibility with RSA-only clients.
Now, the server socket can be configured with up to one RSA, ECDSA and DSA key
each. For example, if a client is not compatible with SHA-2 hashed certificates
like Nokia mobile phones, the server socket still can use RSA/SHA-1 for legacy
clients and ECDSA/SHA-2 for everyone else.
ASTERISK-24815 #close
Reported by: Alexander Traud
patches:
tls_rsa_ecc_dsa.patch uploaded by Alexander Traud (License 6520)
Change-Id: Iada5e00d326db5ef86e0af7069b4dfa1b979da9a
Diffstat (limited to 'configs')
| -rw-r--r-- | configs/samples/pjsip.conf.sample | 8 | ||||
| -rw-r--r-- | configs/samples/sip.conf.sample | 7 |
2 files changed, 13 insertions, 2 deletions
diff --git a/configs/samples/pjsip.conf.sample b/configs/samples/pjsip.conf.sample index 5e3757175..276e214e9 100644 --- a/configs/samples/pjsip.conf.sample +++ b/configs/samples/pjsip.conf.sample @@ -765,7 +765,13 @@ ; (default: "") ;cert_file= ; Certificate file for endpoint TLS ONLY ; Will read .crt or .pem file but only uses cert, - ; a .key file must be specified via priv_key_file + ; a .key file must be specified via priv_key_file. + ; Since PJProject version 2.5: If the file name ends in _rsa, + ; for example "asterisk_rsa.pem", the files "asterisk_dsa.pem" + ; and/or "asterisk_ecc.pem" are loaded (certificate, inter- + ; mediates, private key), to support multiple algorithms for + ; server authentication (RSA, DSA, ECDSA). If the chains are + ; different, at least OpenSSL 1.0.2 is required. ; (default: "") ;cipher= ; Preferred cryptography cipher names TLS ONLY (default: "") ;domain= ; Domain the transport comes from (default: "") diff --git a/configs/samples/sip.conf.sample b/configs/samples/sip.conf.sample index e52fa6db2..71e3fb72b 100644 --- a/configs/samples/sip.conf.sample +++ b/configs/samples/sip.conf.sample @@ -561,7 +561,12 @@ srvlookup=yes ; Enable DNS SRV lookups on outbound calls ;------------------------ TLS settings ------------------------------------------------------------ ;tlscertfile=</path/to/certificate.pem> ; Certificate chain (*.pem format only) to use for TLS connections ; The certificates must be sorted starting with the subject's certificate - ; and followed by intermediate CA certificates if applicable. + ; and followed by intermediate CA certificates if applicable. If the + ; file name ends in _rsa, for example "asterisk_rsa.pem", the files + ; "asterisk_dsa.pem" and/or "asterisk_ecc.pem" are loaded + ; (certificate, intermediates, private key), to support multiple + ; algorithms for server authentication (RSA, DSA, ECDSA). If the chains + ; are different, at least OpenSSL 1.0.2 is required. ; Default is to look for "asterisk.pem" in current directory ;tlsprivatekey=</path/to/private.pem> ; Private key file (*.pem format only) for TLS connections. |