Summary:ASTERISK-16450: Only one certificate, multiple domains
Reporter:Olle Johansson (oej)Labels:
Date Opened:2010-07-28 09:32:14Date Closed:
Versions:Frequency of
Description:Asterisk has since a long time supported hosting of multiple SIP domains. The TLS implementation only supports ONE certificate, meaning that we only support TLS for ONE domain without using subject alt names, something that is not widely implemented.

I consider this a bug in the TLS implementation. New features should follow the existing design, not break it. For 1.8 we need to be able to have one certificate (and one TLS socket) for each domain.
Comments:By: Terry Wilson (twilson) 2011-04-19 12:36:59

According to https://datatracker.ietf.org/doc/rfc5922/ certificates for SIP devices should be using SubjectAltNames and not Common Name. I'm working on a patch to add SubjectAltName support to Asterisk's TCP/TLS stuff. At SIPit 28, it seemed that a lot of people were using the SubjectAltNames in their implementations (because Asterisk was failing when other implementations were not).

It seems hacky to have to have lots of different certificates for a single server, but I can see how it would be useful for dealing with legacy equipment.

By: Olle Johansson (oej) 2011-04-20 01:03:47

It doesn't say we should NOT use common name, but that we should prefer SAN URI's, then SAN domains (only if we need multiple domains).

Good thing to hear that implementations are finally coming, I've been running tutorials about this at SIPits for years... :-)

It's impossible to buy certs with SAN SIP uri's today. It is possible, but very expensive to get those with SAN domains. It's cheap to get certs with CNs. So we need to support having multiple TCP ports open with separate certs.