I have been doing further work on Seaskirt, which I would like to be a comprehensive wrapper for every way of communicating with an Asterisk server process (other than making phone calls, of course). Now I am thinking where to add the option for TLS-encrypted connections.
Presumably ARI can benefit from this. What about AMI? I see that this version of the AMI-over-HTTP page says “AJAM” is deprecated (does that include the whole of AMI-over-HTTP?). Interestingly, another version (not Asterisk-version-specific) mentions no such thing. Can AMI-over-TCP use TLS?
Thanks for that. Note to self: the Asterisk source code offers better-documented example configs than the default ones installed by Debian.
By the way, it’s worth mentioning that, if you create your own CA for generating certs (which seems the most likely way to use this feature), then the command for testing a TLS connection would involve passing the CA cert for client-side verification of the server, something like
Also, are there any plans to offer an option for server-side verification of the client as well? That is, the client also passes a cert signed by some recognized CA (the cert for which is specified in the Asterisk config), as an alternative to username/password authentication.
OK, the bulk of the rework is done, with TLS now available as an option for both AMI and ARI connections. Of course more testing is needed. Next I should add the option to connect via TLS to some of the example scripts.
Something occurs to me: ARI requires a new HTTP connection for every request/response transaction. Adding TLS would obviously increase the overhead of doing this reconnect every time. The natural fix would be to move to WebSockets for request/response connections, as is already done for event-listener connections.
The built in basic HTTP server supports persistent connections if the client uses it for this specific reason. Noone is working on extending the Websocket support to do requests/responses as of this time.