Re: [sipcore] Enabling the wildcard certificates for SIP TLS implementation
"Olle E. Johansson" <oej@edvina.net> Mon, 10 August 2020 15:03 UTC
Return-Path: <oej@edvina.net>
X-Original-To: sipcore@ietfa.amsl.com
Delivered-To: sipcore@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C907D3A163E for <sipcore@ietfa.amsl.com>; Mon, 10 Aug 2020 08:03:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.898
X-Spam-Level:
X-Spam-Status: No, score=-1.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8x4M-VGFfzd7 for <sipcore@ietfa.amsl.com>; Mon, 10 Aug 2020 08:03:46 -0700 (PDT)
Received: from smtp7.webway.se (smtp7.webway.se [212.3.14.205]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 85D1C3A1529 for <sipcore@ietf.org>; Mon, 10 Aug 2020 08:03:44 -0700 (PDT)
Received: from macbook-pro.webway.org (h-205-16.A165.corp.bahnhof.se [176.10.205.16]) (using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp7.webway.se (Postfix) with ESMTPSA id B4CB12172; Mon, 10 Aug 2020 17:03:41 +0200 (CEST)
From: "Olle E. Johansson" <oej@edvina.net>
Message-Id: <AFF09E0F-3063-4C10-B6D8-221237A46FA8@edvina.net>
Content-Type: multipart/alternative; boundary="Apple-Mail=_39B5E9E2-BBDB-469D-B664-3A81D44FCC26"
Mime-Version: 1.0 (Mac OS X Mail 13.4 \(3608.120.23.2.1\))
Date: Mon, 10 Aug 2020 17:03:41 +0200
In-Reply-To: <CAH_g9Rx5DcgOG1--GsUv86OJRu0Kf2MwA-p25gasVa=ex-R95A@mail.gmail.com>
Cc: Olle E Johansson <oej@edvina.net>, sipcore@ietf.org, Leonid Fainshtein <leonid.fainshtein@xorcom.com>
To: Simon MORLAT <simon.morlat@gmail.com>
References: <CAJr_9Tau8iW7idbJLNhhKX5MA5PDhZxR0vmdcfva6_fMMBfKCA@mail.gmail.com> <5BFABAC0-BCF4-4282-A457-F41BD3D142F2@edvina.net> <CAH_g9Rx5DcgOG1--GsUv86OJRu0Kf2MwA-p25gasVa=ex-R95A@mail.gmail.com>
X-Mailer: Apple Mail (2.3608.120.23.2.1)
Archived-At: <https://mailarchive.ietf.org/arch/msg/sipcore/Z-eCrqKIySX4VmQBV5wz81Nv9JE>
Subject: Re: [sipcore] Enabling the wildcard certificates for SIP TLS implementation
X-BeenThere: sipcore@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: SIP Core Working Group <sipcore.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sipcore>, <mailto:sipcore-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sipcore/>
List-Post: <mailto:sipcore@ietf.org>
List-Help: <mailto:sipcore-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sipcore>, <mailto:sipcore-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 10 Aug 2020 15:03:51 -0000
> On 10 Aug 2020, at 14:51, Simon MORLAT <simon.morlat@gmail.com> wrote: > > Hi everyone, > > This is my first post on an IETF mailing list, I hope I'll make it the right way :-). Welcome! > Just to give a few information about me, I'm the original author of Linphone, a free-software SIP softphone, and now co-owner and manager of Belledonne Communications, the company developing Linphone since 2010. > > Thanks to Leonid to raise this concern. I must say I always found RFC 5922 really strange with this prohibition of wildcard certificates, with no reason given. > Actually, if wildcard certificates are good for https as well as for many internet services, I would expect an argument that explains how SIP is different from all others and why as such, wildcard certificates are bad. > Fundamentally, I don't see why sip should be different from http on this aspect. > I must admit that in Linphone's SIP implementation we have finally decided, a couple of years ago, not to follow RFC5922 on this point. > Because SIP services can comprise multiple nodes and rely on SRV records (which http usually does not), it is very convenient to use wildcard certificates. At this time Letsencrypt wasn't existing yet. I agree that this limitation is now more easy to overcome. > Our decision was motivated by: > - the convenience of wildcard certificates for SIP services (with multiple SRV balanced hosts) > - the absence of any argumentation for this in RFC5922, which is something really odd compared to all RFCs and even drafts I could read. Could it be a mistake ? > > I hope too someone can give us a clear argument. Otherwise, could it be envisaged to publish some kind of errata or new RFC that changes this requirement ? > I found documentation in RFC 6125 from the “Using TLS in applications” working group. https://tools.ietf.org/html/rfc6125#section-7.2 <https://tools.ietf.org/html/rfc6125#section-7.2> Also note the documentation covering SIP in section B.9. While we may do as HTTPS with DNS Subject Alt Names, we can’t do that with the URI Subject Alt Names that we prefer to use in SIP, but doesn’t have widespread use. Changes are done by publishing a new RFC, not with Errata. That will open up a whole can of worms, but we need to open it and specify how SIP over TLS should work. Like the "transport=TLS” stuff and deprecating “SIPS:”. I have spoken about this a number of times. Some docs are to be found on slideshare.net/oej <http://slideshare.net/oej> Cheers, /O > Best regards, > > Simon > > > Le lun. 10 août 2020 à 10:03, Olle E. Johansson <oej@edvina.net <mailto:oej@edvina.net>> a écrit : > > >> On 6 Aug 2020, at 14:55, Leonid Fainshtein <leonid.fainshtein@xorcom.com <mailto:leonid.fainshtein@xorcom.com>> wrote: >> >> Hi, >> The "7.2. Comparing SIP Identities" of RFC-5922 prohibits the usage of wildcard certificates. >> The reasons for this limitation are not clear. The restriction only complicates the multi-home SIP servers configuration and maintenance. >> I suggest enabling the wildcard certificates for SIP. > > With wide-spread support for TLS SNI and free services like Letsencrypt I don’t really see a problem with not supporting wildcards. > > On the other side, I do agree that the argumentation for this limitation is missing. I remember there was a widespread discussion > over multiple working groups about problems with wildcards. Let’s see if we can dig up something from other RFCs or if someone > has a clear argument. > > /O > > _______________________________________________ > sipcore mailing list > sipcore@ietf.org <mailto:sipcore@ietf.org> > https://www.ietf.org/mailman/listinfo/sipcore <https://www.ietf.org/mailman/listinfo/sipcore> > _______________________________________________ > sipcore mailing list > sipcore@ietf.org > https://www.ietf.org/mailman/listinfo/sipcore
- [sipcore] Enabling the wildcard certificates for … Leonid Fainshtein
- Re: [sipcore] Enabling the wildcard certificates … Olle E. Johansson
- Re: [sipcore] Enabling the wildcard certificates … Simon MORLAT
- Re: [sipcore] Enabling the wildcard certificates … Olle E. Johansson
- Re: [sipcore] Enabling the wildcard certificates … Roman Shpount
- Re: [sipcore] Enabling the wildcard certificates … Simon MORLAT
- Re: [sipcore] Enabling the wildcard certificates … Daniel-Constantin Mierla
- Re: [sipcore] Enabling the wildcard certificates … Olle E. Johansson