asterisk users - Dec 2021 - PJSIP to Twilio over TLS - wildcard cert problem

>>>>> "KT" == Kingsley Tart <kingsley at
dns99.co.uk> writes:
KT> I can't get Asterisk to send a SIP call to Twilio over TLS
KT> because it complains about Twilio's wildcard certificate.

the sip rfc claims that wildcard certs should be invalid for sip.

digium insisted on following that advise as set in stone, and so
asterisk refuses such certs.  i doubt that stance is different
under sangoma.

the only workaround is to remind twil of the rfc and get them to
replace the wildcard with an rfc-copliant cert.  at least for the
sip ports.

-JimC
-- 
James Cloos <cloos at jhcloos.com>         OpenPGP: 0x997A9F17ED7DAEA6

On Thu, Dec 2, 2021 at 10:18 AM James Cloos <cloos at jhcloos.com> wrote:
> >>>>> "KT" == Kingsley Tart <kingsley at
dns99.co.uk> writes:
>
> KT> I can't get Asterisk to send a SIP call to Twilio over TLS
> KT> because it complains about Twilio's wildcard certificate.
>
> the sip rfc claims that wildcard certs should be invalid for sip.
>
> digium insisted on following that advise as set in stone, and so
> asterisk refuses such certs.  i doubt that stance is different
> under sangoma.
>
> the only workaround is to remind twil of the rfc and get them to
> replace the wildcard with an rfc-copliant cert.  at least for the
> sip ports.
>
To be specific, this is in PJSIP land. There was no insisting or anything
and it wasn't a decision we originally made. It's the way that Teluu
implemented the TLS transport in PJSIP and since we use PJSIP then it
applies to us. If someone contributed a change to Asterisk to make it
configurable in some way, then we'd certainly review it. At this point
though noone has done such a thing.

-- 
Joshua C. Colp
Asterisk Technical Lead
Sangoma Technologies
Check us out at www.sangoma.com and www.asterisk.org
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://lists.digium.com/pipermail/asterisk-users/attachments/20211202/06d6a95e/attachment.html>