I've just come across this issue:
https://issues.asterisk.org/jira/browse/ASTERISK-17727
I am strongly in support of TLS and I believe this issue will be a
stumbling block for more and more users - because more and more CAs are
using the intermediate certificate chains
For example, the free startssl.com certs are trusted by Android phones
now. I have a UA running on my phone against a SIP proxy with Kamailio.
I have the free cert and the intermediate cert in a single pem file.
It all works.
As noted in the bug, there may be phones that don't supported chain
certs - but that shouldn't prevent the rest of us using them. People
with such phones (which are becoming the minority) can just not use
chained certs.
There is no reason not to apply the supplied patch - that patch for
Asterisk just makes it use the same OpenSSL function that Kamailio is
using to load the chain
