Joshua C. Colp
2021-Dec-02 14:29 UTC
[asterisk-users] PJSIP to Twilio over TLS - wildcard cert problem
On Thu, Dec 2, 2021 at 10:18 AM James Cloos <cloos at jhcloos.com> wrote:
> >>>>> "KT" == Kingsley Tart <kingsley at dns99.co.uk> writes:
>
> KT> I can't get Asterisk to send a SIP call to Twilio over TLS
> KT> because it complains about Twilio's wildcard certificate.
>
> the sip rfc claims that wildcard certs should be invalid for sip.
>
> digium insisted on following that advice as set in stone, and so
> asterisk refuses such certs. i doubt that stance is different
> under sangoma.
>
> the only workaround is to remind twil of the rfc and get them to
> replace the wildcard with an rfc-compliant cert. at least for the
> sip ports.

To be specific, this is in PJSIP land. There was no insisting or anything and it wasn't a decision we originally made. It's the way that Teluu implemented the TLS transport in PJSIP, and since we use PJSIP then it applies to us. If someone contributed a change to Asterisk to make it configurable in some way, then we'd certainly review it. At this point though no one has done such a thing.

--
Joshua C. Colp
Asterisk Technical Lead
Sangoma Technologies
Check us out at www.sangoma.com and www.asterisk.org
Dan Jenkins
2021-Dec-02 16:50 UTC
[asterisk-users] PJSIP to Twilio over TLS - wildcard cert problem
As far as I'm aware Josh, it doesn't stop a call from happening. I've had the same "errors" pop up when using Twilio and Simwood, but calls continue just fine.

On Thu, Dec 2, 2021 at 2:30 PM Joshua C. Colp <jcolp at sangoma.com> wrote:
> On Thu, Dec 2, 2021 at 10:18 AM James Cloos <cloos at jhcloos.com> wrote:
>
>> >>>>> "KT" == Kingsley Tart <kingsley at dns99.co.uk> writes:
>>
>> KT> I can't get Asterisk to send a SIP call to Twilio over TLS
>> KT> because it complains about Twilio's wildcard certificate.
>>
>> the sip rfc claims that wildcard certs should be invalid for sip.
>>
>> digium insisted on following that advice as set in stone, and so
>> asterisk refuses such certs. i doubt that stance is different
>> under sangoma.
>>
>> the only workaround is to remind twil of the rfc and get them to
>> replace the wildcard with an rfc-compliant cert. at least for the
>> sip ports.
>>
>
> To be specific, this is in PJSIP land. There was no insisting or anything
> and it wasn't a decision we originally made. It's the way that Teluu
> implemented the TLS transport in PJSIP, and since we use PJSIP then it
> applies to us. If someone contributed a change to Asterisk to make it
> configurable in some way, then we'd certainly review it. At this point
> though no one has done such a thing.
>
> --
> Joshua C. Colp
> Asterisk Technical Lead
> Sangoma Technologies
> Check us out at www.sangoma.com and www.asterisk.org
James Cloos
2021-Dec-05 23:31 UTC
[asterisk-users] PJSIP to Twilio over TLS - wildcard cert problem
>>>>> "JC" == Joshua C Colp <jcolp at sangoma.com> writes:

JC> To be specific, this is in PJSIP land. There was no insisting or anything
JC> and it wasn't a decision we originally made. It's the way that Teluu
JC> implemented the TLS transport in PJSIP and since we use PJSIP then it
JC> applies to us.

my recall is more likely a bit older than that, before pjsip. there was a
thread either in bugs or on one of the lists.

but as later notes pointed out (and i really ought to have thought of ☹)
it is only relevant, as you noted, if verify is on.

at the time i was a fan of wildcards. then le came along, and then added
dns01 support. now i prefer a separate cert each plus a 3/1/1 tlsa for
each port.

but at the time it was annoying.

-JimC
--
James Cloos <cloos at jhcloos.com> OpenPGP: 0x997A9F17ED7DAEA6
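The reason a wildcard certificate passes in a browser yet fails PJSIP's check when verification is on is that SIP identity matching (RFC 5922, section 7.2) does not match wildcard names at all, whereas HTTPS matching (RFC 6125) allows a single left-most `*` label. The following Python is an added illustration of the two rules, not code from Asterisk, PJSIP or any poster; the SAN lists and hostnames are constructed placeholders, not Twilio's real certificate.

```python
"""Certificate name matching: SIP rule vs HTTPS rule (added example).

Not Asterisk or PJSIP code. The SIP rule follows RFC 5922 section 7.2
(no wildcard matching); the HTTPS rule follows RFC 6125 left-most-label
wildcards. Inputs are constructed for illustration.
"""


def _norm(name: str) -> str:
    return name.lower().rstrip(".")


def https_name_matches(san: str, host: str) -> bool:
    """RFC 6125 style: '*' may be the whole left-most label and matches
    exactly one label of the host; '*.tld' and '*.*.x' are rejected."""
    san, host = _norm(san), _norm(host)
    if "*" not in san:
        return san == host
    san_labels, host_labels = san.split("."), host.split(".")
    if san_labels[0] != "*" or len(san_labels) < 3:
        return False
    if any("*" in label for label in san_labels[1:]):
        return False
    return len(host_labels) == len(san_labels) and host_labels[1:] == san_labels[1:]


def sip_name_matches(san: str, host: str) -> bool:
    """RFC 5922 style: a wildcard identity never matches a SIP domain."""
    if "*" in san:
        return False
    return _norm(san) == _norm(host)


def verify_peer(san_dns_names, expected_host: str, profile: str) -> bool:
    """True if any SAN dNSName matches the expected host under the profile."""
    matcher = sip_name_matches if profile == "sip" else https_name_matches
    return any(matcher(san, expected_host) for san in san_dns_names)


# Constructed SAN lists (placeholders, not a real provider's certificate).
WILDCARD_SANS = ["*.example-sip-trunk.test", "example-sip-trunk.test"]
EXACT_SANS = ["trunk.example-sip-trunk.test"]

if __name__ == "__main__":
    host = "trunk.example-sip-trunk.test"
    for label, sans in (("wildcard", WILDCARD_SANS), ("exact", EXACT_SANS)):
        print(f"{label} cert: https={verify_peer(sans, host, 'https')} "
              f"sip={verify_peer(sans, host, 'sip')}")
```

With verification enabled, the wildcard certificate is accepted under the HTTPS rule and rejected under the SIP rule, which is the rejection the thread describes; an exact-name certificate satisfies both.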