Bug#684649: various TLS faults/limitations in Asterisk

Daniel Pocock daniel at pocock.com.au
Sun Aug 12 12:56:43 UTC 2012


Package: asterisk
Version: 1:1.8.13.0~dfsg-1+b1
Severity: important

There are now two severe issues open for Asterisk TLS support.

There are more known issues in the Digium bug tracker (Jira) for Asterisk:

https://issues.asterisk.org/jira/browse/19147
- no support for connecting to peers with subjectAltName in certificates
- any peer on the public Internet could be using such a cert, and
Asterisk will mysteriously fail to connect to the peer
- these types of certificate are likely to become much more common
during the life of wheezy

https://issues.asterisk.org/jira/browse/ASTERISK-19268
- no support for verifying client peer certificates
- a vital element of federated SIP security and RFC 5922; not an
enthusiastic response from Digium

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=683956
- existing issue tracked in Debian: can't connect to Asterisk v1.8.13 at
all using TLS (but it is OK in v1.8.8), wheezy has the broken version

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=684646
- Asterisk fails to receive BYE from TLS peer (e.g. phone), keeps
channels open after call was supposed to finish

Summary of issues and TLS in Asterisk:
--------------------------------------

It falls way below the standard suggested in RFC 5922, so it is only
really suitable for a `closed' network, e.g. connecting phones to the
server - not for connecting Asterisk to third parties across the Internet.

Suggestions
-----------

These are some options to consider:

a) strongly worded warning about these limitations for README.Debian

b) make a separate asterisk-tls package, and include the warning in the
package description too

c) compile the wheezy packages WITHOUT any TLS support - put
instructions in README.Debian for people to compile it themselves

d) any such warnings could also refer to the various guides about using
a SIP proxy (repro or kamailio) to handle all the TLS connectivity, both
of these proxies have a much higher standard of coding for TLS, and they
support all of RFC 5922
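Added example (not Asterisk code and not part of this report): the subjectAltName handling behind ASTERISK-19147, comparing a CN-only match against RFC 5922 section 7.1 identity matching. The certificates are constructed dicts in the shape Python's ssl.getpeercert() returns, so no real TLS handshake takes place; the userinfo/port handling is a simplification noted in the comments.

```python
"""RFC 5922 section 7.1 SIP domain identity matching (added example, not Asterisk code).

Certificates are constructed dicts in the shape returned by Python's
ssl.SSLSocket.getpeercert(); no real TLS connection is made.
"""
from urllib.parse import urlsplit


def _san_identities(cert):
    """Collect domain identities from subjectAltName: sip:/sips: URIs and dNSNames."""
    sip_domains, dns_names = [], []
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "URI":
            parts = urlsplit(value)  # 'sip:example.net' -> scheme='sip', path='example.net'
            host = parts.path
            # Simplification: a URI with userinfo or a port is not a domain identity here.
            if parts.scheme in ("sip", "sips") and host and "@" not in host and ":" not in host:
                sip_domains.append(host.lower())
        elif kind == "DNS":
            dns_names.append(value.lower())
    return sip_domains, dns_names


def _common_name(cert):
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value.lower()
    return None


def matches_cn_only(cert, expected_domain):
    """The behaviour described in ASTERISK-19147: only the CN is consulted."""
    return _common_name(cert) == expected_domain.lower()


def matches_rfc5922(cert, expected_domain):
    """subjectAltName first; CN only when the certificate has no subjectAltName at all."""
    expected = expected_domain.lower()
    if "subjectAltName" in cert:
        sip_domains, dns_names = _san_identities(cert)
        return expected in sip_domains or expected in dns_names
    return _common_name(cert) == expected


# Constructed sample certificates (not real peers).
SAN_ONLY_CERT = {
    "subject": ((("commonName", "sip1.example.net"),),),
    "subjectAltName": (("URI", "sip:example.net"), ("DNS", "example.net")),
}
CN_ONLY_CERT = {"subject": ((("commonName", "example.org"),),)}
USERINFO_SAN_CERT = {"subjectAltName": (("URI", "sip:alice@example.com"),)}
```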


