From 8f3f414d8c8f80a2b0b23dd683a0adef25ddfa50 Mon Sep 17 00:00:00 2001 From: Alexander Traud Date: Sun, 10 May 2015 16:55:24 +0200 Subject: tcptls: Enable multiple TLS certificate chains (RSA+ECC+DSA) for server socket. When a client connects to a server via SSL/TLS, the server commonly utilizes an RSA key-pair. However, other such algorithms exist (i.e. DSA and ECDSA), and if the server socket is configured with a certificate for either one of those, it would lose its compatibility with RSA-only clients. Now, the server socket can be configured with up to one RSA, ECDSA and DSA key each. For example, if a client is not compatible with SHA-2 hashed certificates like Nokia mobile phones, the server socket still can use RSA/SHA-1 for legacy clients and ECDSA/SHA-2 for everyone else. ASTERISK-24815 #close Reported by: Alexander Traud patches: tls_rsa_ecc_dsa.patch uploaded by Alexander Traud (License 6520) Change-Id: Iada5e00d326db5ef86e0af7069b4dfa1b979da9a --- configs/samples/pjsip.conf.sample | 8 +++++++- configs/samples/sip.conf.sample | 7 ++++++- 2 files changed, 13 insertions(+), 2 deletions(-) (limited to 'configs') diff --git a/configs/samples/pjsip.conf.sample b/configs/samples/pjsip.conf.sample index 5e3757175..276e214e9 100644 --- a/configs/samples/pjsip.conf.sample +++ b/configs/samples/pjsip.conf.sample @@ -765,7 +765,13 @@ ; (default: "") ;cert_file= ; Certificate file for endpoint TLS ONLY ; Will read .crt or .pem file but only uses cert, - ; a .key file must be specified via priv_key_file + ; a .key file must be specified via priv_key_file. + ; Since PJProject version 2.5: If the file name ends in _rsa, + ; for example "asterisk_rsa.pem", the files "asterisk_dsa.pem" + ; and/or "asterisk_ecc.pem" are loaded (certificate, inter- + ; mediates, private key), to support multiple algorithms for + ; server authentication (RSA, DSA, ECDSA). If the chains are + ; different, at least OpenSSL 1.0.2 is required. ; (default: "") ;cipher= ; Preferred cryptography cipher names TLS ONLY (default: "") ;domain= ; Domain the transport comes from (default: "") diff --git a/configs/samples/sip.conf.sample b/configs/samples/sip.conf.sample index e52fa6db2..71e3fb72b 100644 --- a/configs/samples/sip.conf.sample +++ b/configs/samples/sip.conf.sample @@ -561,7 +561,12 @@ srvlookup=yes ; Enable DNS SRV lookups on outbound calls ;------------------------ TLS settings ------------------------------------------------------------ ;tlscertfile= ; Certificate chain (*.pem format only) to use for TLS connections ; The certificates must be sorted starting with the subject's certificate - ; and followed by intermediate CA certificates if applicable. + ; and followed by intermediate CA certificates if applicable. If the + ; file name ends in _rsa, for example "asterisk_rsa.pem", the files + ; "asterisk_dsa.pem" and/or "asterisk_ecc.pem" are loaded + ; (certificate, intermediates, private key), to support multiple + ; algorithms for server authentication (RSA, DSA, ECDSA). If the chains + ; are different, at least OpenSSL 1.0.2 is required. ; Default is to look for "asterisk.pem" in current directory ;tlsprivatekey= ; Private key file (*.pem format only) for TLS connections. -- cgit v1.2.3