Multiple TLS Transports in pjsip.conf

Dear Community,
Hope whoever reads this is fine. About this topic:

I’ve been struggling to get my Asterisk service (18.9-cert5) to communicate with the A and B legs.
Currently the A leg requires a CA-validated certificate,
and the B leg requires any certificate that contains the Asterisk public IP address in it (CN or SAN parameter).

I have a wildcard SSL certificate from LeaderSSL, but when I reached support I was told that I can’t reissue a wildcard certificate with an IP address as the value of the SAN parameter (Subject Alternative Name),
and I’m not sure whether there are CAs that actually provide such a thing.

I’ve tried with Let's Encrypt free certificates, and they do not allow IP addresses as CN or SAN parameters, only DNS names, so I haven’t been able to create an actual Let's Encrypt certificate.

I’m running out of options and I’m not sure what else I could try, so I was wondering whether I can have two TLS transports: one with my LeaderSSL certificate and one with a self-signed certificate containing the Asterisk IP address.
Currently I’ve tried this option, and for some reason the SIP BYE is not received from the B leg when the call is hung up on that side.
I’ve noticed that when I’m using a single transport and certificate, the SIP BYE is received from the B leg, but I cannot receive traffic from the A leg due to CA validation.

Any questions or suggestions, please let me know.
Warm Regards

On Monday 04 March 2024 at 20:35:10, Diego.Espinoza via Asterisk Community wrote:

> A leg requires a CA validated certificate
>
> B leg requires any certificate that contains Asterisk Public IP Address in it (CN or SAN parameter).
>
> I have a wildcard ssl certificate from LeaderSSL, but once i reached support i’ve been told that i can’t reissue a wildcard certificate with an IP address as value for the SAN parameter (Subject Alternative Name)
>
> I’m not sure if there are CA’s that actually provide such thing.

Well, at least this organisation claims that some do:

Disclaimer: I know nothing at all about Sectigo and merely found this page using a Google search.

Antony.



Hi there Community,

I would like to share a solution that I found after many hours of research and testing.

In Asterisk it is feasible to have multiple TLS transports with different certificates,
but you need to keep in mind that the bind port and external_signaling_port should be the same, to avoid SIP header discrepancies and external legs sending traffic to other ports.

bind = IP:PORT
external_signaling_port = PORT

Hope it’s useful for whoever reads this.
Warm Regards
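As an added example that is not part of the original thread, here is a pjsip.conf layout that follows the advice above: two TLS transports, one per certificate, each with external_signaling_port equal to its own bind port, and each endpoint pinned to the transport it should use. Section names, ports (5061/5062), file paths, the public IP 203.0.113.10, the peer address, the local_net range and the verify settings are all assumptions for illustration, not values from the thread.

```ini
; Added example, not from the original post. Section names, ports,
; paths, IP addresses and endpoint names below are assumptions.

; Transport for the A leg: the CA-issued (wildcard) certificate.
; The bind port and external_signaling_port are the same, as the
; post advises, so the Via/Contact headers advertise the port the
; transport actually listens on.
[transport-tls-ca]
type=transport
protocol=tls
bind=0.0.0.0:5061
external_signaling_port=5061
external_signaling_address=203.0.113.10   ; assumed public IP (documentation range)
external_media_address=203.0.113.10
local_net=192.168.0.0/16                  ; assumed LAN range
cert_file=/etc/asterisk/keys/wildcard.crt
priv_key_file=/etc/asterisk/keys/wildcard.key
ca_list_file=/etc/ssl/certs/ca-certificates.crt
method=tlsv1_2
verify_server=yes

; Transport for the B leg: the self-signed certificate whose CN/SAN
; carries the Asterisk public IP. It gets its own bind port so the two
; transports can coexist, again with external_signaling_port matching.
[transport-tls-ip]
type=transport
protocol=tls
bind=0.0.0.0:5062
external_signaling_port=5062
external_signaling_address=203.0.113.10
external_media_address=203.0.113.10
local_net=192.168.0.0/16
cert_file=/etc/asterisk/keys/selfsigned-ip.crt
priv_key_file=/etc/asterisk/keys/selfsigned-ip.key
method=tlsv1_2
verify_server=no                          ; the B leg peer is not CA-validated here

; Each endpoint is pinned to its transport with the endpoint-level
; "transport" option, so requests to that peer always leave on the
; transport whose certificate the peer expects.
[a-leg]
type=endpoint
transport=transport-tls-ca
context=from-a-leg
disallow=all
allow=ulaw
aors=a-leg

[a-leg]
type=aor
contact=sip:a-leg.example.net:5061;transport=tls   ; assumed peer

[b-leg]
type=endpoint
transport=transport-tls-ip
context=from-b-leg
disallow=all
allow=ulaw
aors=b-leg

[b-leg]
type=aor
contact=sip:198.51.100.20:5061;transport=tls       ; assumed peer IP

[b-leg]
type=identify
endpoint=b-leg
match=198.51.100.20                                ; assumed peer IP
```

After reloading, `pjsip show transports` in the Asterisk CLI lists both transports with their bind addresses, and `openssl x509 -in /etc/asterisk/keys/selfsigned-ip.crt -noout -ext subjectAltName` confirms that the self-signed certificate really carries the IP address in its SAN before the B leg is pointed at port 5062. Keeping the self-signed transport on a separate port, and only pinning the B leg to it, also limits the surface on which a non-CA-validated certificate is accepted.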
