Option to allow wildcard certificates

Theodotos Andreou
Tue, Feb 19, 2019 10:28 PM

In order to securely connect to our provider's SIP Trunk (Twilio) we
have to enable the verify_server=no option. This works but we get this
in the logs:

    [Feb 19 14:17:11] ERROR[25337]: pjproject:0 <?>:        tlsc0x7f3b0c02 RFC 5922 (section 7.2) does not allow TLS wildcard certificates. Advise your SIP provider, please!

Our provider has apparently already been advised because they mention
this in their guide:

> Note, you will see the following entries in your log file and the Asterisk CLI. Twilio uses wild card certificates. Even though this log entry appears, it will not impact call processing if verify server is set to no.
>
> ERROR[3857]: pjproject:0 <?>: tlsc0x7f5b6033cd38 RFC 5922 (section 7.2) does not allow TLS wildcard certificates. Advise your SIP provider, please!

So we do not expect to change their wildcard policy any time soon.

Is there any chance to consider adding an allow_wildcard_certs=yes
option in the pjsip configuration?
This should be preferable, security-wise, to blindly trusting certificates.

References

* https://trac.pjsip.org/repos/changeset/4882/pjproject/trunk/pjsip/src/pjsip
* https://www.twilio.com/docs/documents/61/TwilioElasticSIPTrunking-AsteriskPBX-Configuration-Guide-Version2-1-FINAL-09012018.pdf
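
The name check the request above is asking for, sketched as an added example (not code from this post, pjproject or Asterisk): the function name and the `allow_wildcard` flag are hypothetical, and `example.net` names are constructed. It assumes certificate chain validation stays enabled and is done elsewhere; only the host name comparison is shown.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>   /* strcasecmp (POSIX) */

/* Hypothetical helper, not a pjproject or Asterisk function.
 * Returns 1 if the certificate name `pattern` matches the peer `host`.
 * allow_wildcard = 0 mirrors the RFC 5922 section 7.2 behaviour from the log
 * (any wildcard name is refused); allow_wildcard = 1 models the requested
 * option: accept "*." only as the whole leftmost label, covering one label. */
int sip_cert_name_matches(const char *pattern, const char *host, int allow_wildcard)
{
    const char *suffix, *host_rest;

    if (pattern == NULL || host == NULL || *pattern == '\0' || *host == '\0')
        return 0;
    if (strchr(pattern, '*') == NULL)
        return strcasecmp(pattern, host) == 0;      /* plain name: exact match */

    if (!allow_wildcard)
        return 0;                                   /* strict RFC 5922 mode */
    if (pattern[0] != '*' || pattern[1] != '.')
        return 0;                                   /* no partial labels like "sip*." */
    suffix = pattern + 2;
    if (strchr(suffix, '*') != NULL || strchr(suffix, '.') == NULL)
        return 0;                                   /* refuse "*.*.x" and "*.com" */

    host_rest = strchr(host, '.');
    if (host_rest == NULL || host_rest == host)
        return 0;                                   /* host needs a non-empty first label */
    return strcasecmp(host_rest + 1, suffix) == 0;  /* "*" spans exactly one label */
}

int main(void)
{
    /* Constructed sample names; example.net is a placeholder domain. */
    const char *cert = "*.pstn.example.net";
    const char *hosts[] = { "trunk1.pstn.example.net", "a.b.pstn.example.net",
                            "pstn.example.net", "trunk1.pstn.example.org" };
    for (size_t i = 0; i < sizeof hosts / sizeof hosts[0]; i++)
        printf("%-26s strict=%d wildcard=%d\n", hosts[i],
               sip_cert_name_matches(cert, hosts[i], 0),
               sip_cert_name_matches(cert, hosts[i], 1));
    return 0;
}
```
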
