| Summary: | ASTERISK-30334: res_pjsip: ca_list_path directive in pjsip.conf doesn't verify against all certificates | ||
| Reporter: | Ray Crumrine (proftech) | Labels: | |
| Date Opened: | 2022-11-26 11:12:48.000-0600 | Date Closed: | |
| Priority: | Minor | Regression? | |
| Status: | Open/New | Components: | Resources/res_pjsip |
| Versions: | 18.15.0 | Frequency of Occurrence | Constant |
| Related Issues: | |||
| Environment: | Debian 10 | Attachments: | |
| Description: | Don't know anything about kamailio but there is a discussion about this on Github. https://github.com/kamailio/kamailio/issues/2682
Was unable to make "ca_list_path" directive work. Tried about 3 different versions of the command. Works fine with the "old" way of specifying the certificate file. i.e., "ca_list_file=/path-to/ca_file.pem" Only reads one file [the first one]. Always sends "untrusted" for the second | ||
| Comments: | By: Asterisk Team (asteriskteam) 2022-11-26 11:12:51.959-0600 Thanks for creating a report! The issue has entered the triage process. That means the issue will wait in this status until a Bug Marshal has an opportunity to review the issue. Once the issue has been reviewed you will receive comments regarding the next steps towards resolution. Please note that log messages and other files should not be sent to the Sangoma Asterisk Team unless explicitly asked for. All files should be placed on this issue in a sanitized fashion as needed. A good first step is for you to review the [Asterisk Issue Guidelines|https://wiki.asterisk.org/wiki/display/AST/Asterisk+Issue+Guidelines] if you haven't already. The guidelines detail what is expected from an Asterisk issue report. Then, if you are submitting a patch, please review the [Patch Contribution Process|https://wiki.asterisk.org/wiki/display/AST/Patch+Contribution+Process]. Please note that once your issue enters an open state it has been accepted. As Asterisk is an open source project there is no guarantee or timeframe on when your issue will be looked into. If you need expedient resolution you will need to find and pay a suitable developer. Asking for an update on your issue will not yield any progress on it and will not result in a response. All updates are posted to the issue when they occur. Please note that by submitting data, code, or documentation to Sangoma through JIRA, you accept the Terms of Use present at [https://www.asterisk.org/terms-of-use/|https://www.asterisk.org/terms-of-use/]. By: Joshua C. Colp (jcolp) 2022-11-26 13:09:52.986-0600 What does sends "untrusted" actually mean? As well, from an Asterisk perspective we just pass this to PJSIP. If this is accepted as an issue then ultimately it would need to be fixed there and upstream in PJSIP. By: Joshua C. Colp (jcolp) 2022-11-26 13:47:10.065-0600 Additionally, this would NOT get fixed in Asterisk 16. Asterisk 16 is now security fix only. By: Ray Crumrine (proftech) 2022-11-27 03:09:40.695-0600 I thought this might have to be fixed in pjsip after I read the note on Github. Just thought it might save someone else grief. I have two endpoints so there are two certificate files to be read. There is a note in the sample pjsip.conf that says "PJProject version 2.4 or higher is required for this option to be used". It may be more convenient to use "ca_list_path" [would not be necessary to concatenate all of the certificates] so I set it to "ca_list_path=/usr/share/ca-certificates/mozilla/" which should work. Was forced to set "verify_server" to "no" because only the first file in the folder was used. . The 2nd certificate was not read so the second endpoint always came back "Not trusted" and the DIAL command failed. After concatenating the two certificates into a single file and changing the directive to "ca_list_file" it works fine. | ||