Asterisk outbound registration using client certificates

Hi,

I’m trying to use the outbound registration to register an Asterisk server to another Asterisk server, both using Asterisk 16.15.1 with pjsip module. It is working fine (registration, calls) using a UDP transport but when I change the transport to TLS and I activate client certificates, I’m not able to connect the two instances. From the documentation, I can’t find any parameter for the client certificate path in the “registration”, “endpoint” or “transport” section. I tried to create a new transport with “cert-file” pointing to the client certificate file and use this transport for the outbound registration but I have an SSL error (ee key to small).

If I use pjsua command line application with the client certificate, I am able to properly register as the other “Asterisk endpoint”.

I am wondering if it is supported in Asterisk to do outbound registration using TLS and client certificates. If it is possible, what should I do to get this working?

Thanks for the help.

Please copy and paste the text of error messages (including the whole line). There is an obvious spelling mistake that indicates you mis-keyed it.

A quick google shows that this means that your private key is not secure by modern standards. You need a longer key in the certificate.

For more information, see: [SOLVED] PJSIP TLS Cert Key 'Too Small' - #3 by Karish-ali

Hi david551,

For the certificate, it was generated using the “contrib/scripts/ast_tls_cert” script inside Asterisk git repository.

This is the error I have.

But this error is normal I think. I tried everything to be able to do an outbound registration with a client certificate but I found nowhere to set the client certificate path. As I said, I tried to create a transport by giving the client certificate path inside the “cert_file” transport parameter. Normally this should be the server certificate, and as the client certificate does not have any key I wasn’t surprised by this error.

For reference, this is what I tried as a transport for the outbound registration that gave me the error above:

[tls_transport_client_certificate](!)
type=transport
protocol = tls
bind = 0.0.0.0:5061
method = tlsv1_2
cert_file = /etc/asterisk/keys/clientvoip.pem  ; Note: Client certificate file
priv_key_file = /etc/asterisk/keys/asterisk.key
cipher = ECDHE-ECDSA-AES256-GCM-SHA384,ECDHE-ECDSA-AES128-GCM-SHA256,ECDHE-RSA-AES256-GCM-SHA384,ECDHE-RSA-AES128-GCM-SHA256
ca_list_file = /etc/asterisk/keys/ca.crt
symmetric_transport = true
require_client_cert = yes
verify_client = yes

The client certificate is correct, I was able to properly register to the Asterisk server using the pjsua command line tool with the client certificate.

I did not find anywhere to set the client certificate path for outbound registration, so I was wondering:

  1. Is it possible for Asterisk to do an outbound registration (using pjsip, not chan_sip) to an Asterisk server that requires a client certificate? I’m using Asterisk 16.15.1. There is no mention inside the documentation for client certificates (Configuring Outbound Registrations - Asterisk Project - Asterisk Project Wiki, Asterisk 16 Configuration_res_pjsip_outbound_registration - Asterisk Project - Asterisk Project Wiki)
  2. If it is possible, how should I configure the outbound registration?

Regards,

Did you use -b 2048, as described in the thread I referenced? The messages show that it did find the certificate files, but rejected their contents as not sufficiently secure. I believe you are continuing to pursue the wrong problem.

When I said cut and paste, I meant cut and paste as text, not as images; it isn’t possible to search images for text.

The certificate was generated with a 3072-bit RSA key (using -b 3072).

$ openssl.exe x509 -in clientvoip.pem -text
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number: 1 (0x1)
        Signature Algorithm: sha256WithRSAEncryption
        Validity
            Not Before: Jan  1 05:00:00 1960 GMT
            Not After : Nov 22 05:00:00 2096 GMT
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (3072 bit)

I’m almost certain this is not the certificate. It is working fine using PJSUA command line soft phone (Manual of pjsua - Command Line SIP User Agent/Softphone)

I’m sorry, I don’t have access to the machine running the docker image until next Monday, I only have a screenshot on my laptop. I can later repost the error as text.

Regards,

I’d be surprised if the terminal emulator doesn’t allow you to copy text from the screen. However, I don’t think it is going to change things.

The facts remain that a certificate file is being found and its content rejected.

I’m confused by the expiry date, as the script seems to use a 365 day expiry, and this is hard coded. It looks to me as though there may be no expiry specified.

How long is the signing key?

Although I don’t know why it would cause the certificate to be rejected, the naming of this doesn’t look right. As I understand it, this should be the certificate that matches the private key file.

Client is often misused on this forum, but I suspect this is the certificate for the peer. That is verified by checking its certificate for a signature traceable to an entry in the ca list file, not by matching the exact certificate.

(Asterisk is the client and the peer the server, when Asterisk is starting an outbound call leg.)
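The two questions left open above (how long the key in the certificate actually is, and what its validity window really says) can be answered straight from the certificate bytes rather than from Asterisk's error string. The following is an added example, not code from the thread or from the Asterisk project: a minimal X.509 DER walker using only the Python standard library, so it runs where the `cryptography` package is not installed. It reports the RSA modulus length and the notBefore/notAfter dates, and flags any key below the 2048-bit minimum that OpenSSL reports as "ee key too small". The sample certificate it builds is constructed (synthetic modulus, dummy signature, fields mirroring the openssl output posted above) and is only there so the example runs offline; point `pem_to_der` at a real `cert_file` in practice.

```python
"""Report RSA key length and validity window of an X.509 certificate (stdlib only)."""
import base64
import re
from datetime import datetime, timezone

OID_RSA_ENCRYPTION = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1
OID_SHA256_RSA = bytes.fromhex("2a864886f70d01010b")      # 1.2.840.113549.1.1.11


def der_read(buf, pos=0):
    """Read one DER TLV at buf[pos]; return (tag, contents, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def der_children(contents):
    """Split a constructed value (SEQUENCE etc.) into its child (tag, contents) pairs."""
    out, pos = [], 0
    while pos < len(contents):
        tag, val, pos = der_read(contents, pos)
        out.append((tag, val))
    return out


def parse_time(tag, val):
    """Decode UTCTime (0x17, two-digit year) or GeneralizedTime (0x18) to a UTC datetime."""
    text = val.decode("ascii")
    if tag == 0x17:                         # RFC 5280: YY >= 50 means 19YY, else 20YY
        text = ("19" if int(text[:2]) >= 50 else "20") + text
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def pem_to_der(pem):
    """Strip PEM armour and whitespace, return the DER bytes."""
    return base64.b64decode(re.sub(r"-----[^-]+-----|\s", "", pem))


def inspect_certificate(der):
    """Return RSA modulus bits (None if not RSA) and validity window of a DER certificate."""
    _, cert, _ = der_read(der)
    fields = der_children(der_children(cert)[0][1])   # tbsCertificate fields
    if fields[0][0] == 0xA0:                           # optional [0] EXPLICIT version
        fields = fields[1:]
    # now: serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo
    not_before, not_after = (parse_time(*t) for t in der_children(fields[3][1]))
    alg, spk = der_children(fields[5][1])
    rsa_bits = None
    if der_children(alg[1])[0][1] == OID_RSA_ENCRYPTION:
        # BIT STRING contents: one unused-bits byte, then RSAPublicKey SEQUENCE { n, e }
        modulus = der_children(der_read(spk[1], 1)[1])[0][1]
        rsa_bits = int.from_bytes(modulus, "big").bit_length()
    return {"rsa_bits": rsa_bits, "not_before": not_before, "not_after": not_after,
            "validity_days": (not_after - not_before).days}


def check_tls_key(der, min_bits=2048):
    """Add a key_ok verdict: the threshold OpenSSL enforces as 'ee key too small'."""
    info = inspect_certificate(der)
    info["key_ok"] = info["rsa_bits"] is not None and info["rsa_bits"] >= min_bits
    return info


# --- constructed sample input (not a real certificate) -------------------------
def der(tag, *parts):
    """Encode one DER TLV."""
    body = b"".join(parts)
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + length + body


def der_int(value):
    """DER INTEGER with a spare leading byte so the value is never read as negative."""
    return der(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big"))


def build_sample_certificate(modulus_bits, version3=False):
    """Constructed v1 (or v3) certificate skeleton: serial 1, sha256WithRSA,
    validity 1960-01-01 05:00 UTC to 2096-11-22 05:00 UTC like the thread's output,
    synthetic modulus of the requested size, all-zero dummy signature."""
    modulus = (1 << (modulus_bits - 1)) | 1
    sig_alg = der(0x30, der(0x06, OID_SHA256_RSA), der(0x05))
    empty_name = der(0x30)
    validity = der(0x30, der(0x17, b"600101050000Z"), der(0x18, b"20961122050000Z"))
    rsa_key = der(0x30, der_int(modulus), der_int(65537))
    spki = der(0x30, der(0x30, der(0x06, OID_RSA_ENCRYPTION), der(0x05)),
               der(0x03, b"\x00" + rsa_key))
    version = der(0xA0, der_int(2)) if version3 else b""
    tbs = der(0x30, version, der_int(1), sig_alg, empty_name, validity, empty_name, spki)
    return der(0x30, tbs, sig_alg, der(0x03, b"\x00" * 33))


if __name__ == "__main__":
    import sys
    der_bytes = (pem_to_der(open(sys.argv[1]).read()) if len(sys.argv) > 1
                 else build_sample_certificate(3072))
    print(check_tls_key(der_bytes))
```

Run it as `python3 check_cert.py /etc/asterisk/keys/clientvoip.pem` (hypothetical script name) and compare `rsa_bits` with what the transport's `priv_key_file` was generated with; a `key_ok` of False is the condition behind the "too small" rejection, and `validity_days` makes a missing or odd expiry obvious without reading the date strings by hand.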
