tcptls: Enable multiple TLS certificate chains (RSA+ECC+DSA) for server socket.

When a client connects to a server via SSL/TLS, the server commonly utilizes an RSA key-pair. However, other such algorithms exist (i.e. DSA and ECDSA), and if the server socket is configured with a certificate for either one of those, it would lose its compatibility with RSA-only clients. Now, the server socket can be configured with up to one RSA, ECDSA and DSA key each. For example, if a client is not compatible with SHA-2 hashed certificates like Nokia mobile phones, the server socket still can use RSA/SHA-1 for legacy clients and ECDSA/SHA-2 for everyone else. ASTERISK-24815 #close Reported by: Alexander Traud patches: tls_rsa_ecc_dsa.patch uploaded by Alexander Traud (License 6520) Change-Id: Iada5e00d326db5ef86e0af7069b4dfa1b979da9a
2025-10-16 01:36:48 +00:00 · 2015-05-10 16:55:24 +02:00
parent 32eb812b28
commit 8f3f414d8c
3 changed files with 40 additions and 2 deletions
--- a/configs/samples/sip.conf.sample
+++ b/configs/samples/sip.conf.sample
@@ -561,7 +561,12 @@ srvlookup=yes                   ; Enable DNS SRV lookups on outbound calls
 ;------------------------ TLS settings ------------------------------------------------------------
 ;tlscertfile=</path/to/certificate.pem> ; Certificate chain (*.pem format only) to use for TLS connections
                                        ; The certificates must be sorted starting with the subject's certificate
-                                        ; and followed by intermediate CA certificates if applicable.
+                                        ; and followed by intermediate CA certificates if applicable. If the
+                                        ; file name ends in _rsa, for example "asterisk_rsa.pem", the files
+                                        ; "asterisk_dsa.pem" and/or "asterisk_ecc.pem" are loaded
+                                        ; (certificate, intermediates, private key), to support multiple
+                                        ; algorithms for server authentication (RSA, DSA, ECDSA). If the chains
+                                        ; are different, at least OpenSSL 1.0.2 is required.
                                        ; Default is to look for "asterisk.pem" in current directory

 ;tlsprivatekey=</path/to/private.pem> ; Private key file (*.pem format only) for TLS connections.