2 way auth PJSIP TLS

Hi, I’m trying to test PJSIP TLS. I have already set everything up, but the point is that I can register without the client needing the certificates (crt and pem).

Below is everything I have set up already:
Let's Encrypt and self-signed certificates created in Certificate Management (both created because I tested using both, and neither declined the registration for not having a cert). LE set to default.
SIP Settings > Certificate Manager set to Let's Encrypt, SSL Method tlsv1_1, verify client and server yes.
In the extension I set the media encryption to SRTP and transport to TLS.

I’m using the Blink softphone configured to use TLS only and SDES mandatory encryption for media.

In this scenario, I’m able to register and make calls using TLS and SRTP without having a cert in the softphone.

What am I doing wrong that my Asterisk does not validate the cert before accepting the register?

AG Projects Blink does not even validate the server certificate. Therefore, are you sure your security model requires Mutual TLS Authentication? Asked differently: Why is normal authentication with username/password not sufficient in your case?

Furthermore, here, you are in the Digium Asterisk community. Sangoma FreePBX has its own community forums. You might get better, more specialized answers there. Did you ask there too?

Hi Traud, thanks for the reply.

I’m using Blink because in the Asterisk wiki about TLS, they use the Blink softphone with a certificate to do 2-way authentication in FreePBX, so I thought it would work the same way. https://wiki.asterisk.org/wiki/display/AST/Secure+Calling+Tutorial
And yes, I posted in the FreePBX forum too, but not a single reply.

There are other step-by-step guides when it comes to SIP-over-TLS with SDES-sRTP … to make it short, a client certificate is not required. It is like with Web browsing here in Community Asterisk: You supply username and password and you are in. The connection is still secured because the server has shown its certificate. So, you are not doing anything wrong. If, and only if you need client certificates, you have to look deeper into that (not sure if chan_pjsip is able to force this; chan_sip does not even support client certificates at all).
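For readers who do need the client-certificate check the question asks about, here is an added example (not posted by anyone in this thread) of the pjsip.conf TLS transport FreePBX generates behind the "verify client and server" switches: first the shape that matches the behaviour described above, then the settings that make res_pjsip demand and verify a client certificate. File paths, the bind address and the client CA file are assumptions.

```ini
; Added example: pjsip.conf TLS transport, weak form and mutual-TLS form.
; Only one transport can bind 0.0.0.0:5061, so use one section or the other.
; All paths are assumed; the option names are res_pjsip transport options.

; --- Matches the thread: server certificate only, client never asked ---
[transport-tls-server-only]
type=transport
protocol=tls
bind=0.0.0.0:5061
cert_file=/etc/asterisk/keys/fullchain.pem    ; Let's Encrypt chain (assumed path)
priv_key_file=/etc/asterisk/keys/privkey.pem  ; matching private key (assumed path)
method=tlsv1_2                                ; tlsv1_2 chosen here instead of tlsv1_1
verify_client=no          ; Asterisk never requests a client certificate
; No ca_list_file, so a client certificate could not be checked even if sent.
; Result: any softphone that knows the SIP password registers, as observed.

; --- Mutual TLS: the handshake itself fails without a trusted client cert ---
[transport-tls-mtls]
type=transport
protocol=tls
bind=0.0.0.0:5061
cert_file=/etc/asterisk/keys/fullchain.pem
priv_key_file=/etc/asterisk/keys/privkey.pem
method=tlsv1_2
require_client_cert=yes   ; send a CertificateRequest; a client with no cert is dropped
verify_client=yes         ; validate the presented cert against ca_list_file
ca_list_file=/etc/asterisk/keys/client-ca.pem   ; CA that signed the softphone certs (assumed)
; Note: Let's Encrypt does not issue softphone (client) certificates, so the
; client CA is normally a private CA such as the self-signed one created in
; Certificate Management; each softphone needs a cert signed by it.
verify_server=yes         ; only applies to TLS connections Asterisk opens itself (outbound)
```

With the second section active, a softphone that has no certificate signed by the configured CA is rejected during the TLS handshake, before any REGISTER and password exchange takes place, which is the "validate the cert before accepting the register" behaviour the question expects.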
