Asterisk (version 18) Manager Interface TLS connection

Hi - I would like to check whether it is possible to connect to AMI from a 3rd party app using a TLS certificate only. That is, without using an AMI user/password for authentication.

Thanks!

AMI has no such support.

So currently, the purpose of the TLS option in AMI is just to encrypt the plain user/password credentials or commands in transit between the client and the Asterisk server - correct?

Yes, the connection itself is TLS encrypted.

Asterisk only uses SSL/TLS to authenticate itself to the client, not the other way.

You can use challenge/response authentication to avoid sending a password in the clear (this choice is independent of whether the connection is SSL/TLS-encrypted or not). Documentation for this seems to be missing from the Asterisk Wiki; I found a description here.
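The challenge/response login mentioned above, sketched from the client side with a simulated server check, as an added example that is not part of the original thread or Asterisk's own code. The username, secret and challenge value are constructed, and `server_accepts` is a hypothetical stand-in for the server's comparison.

```python
import hashlib
import hmac
import ssl

CRLF = "\r\n"

def tls_context(ca_file=None):
    # The server authenticates itself by certificate; the client must verify it.
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx

def frame(**headers):
    # An AMI message is "Key: Value" lines terminated by an empty line.
    return "".join(f"{k}: {v}{CRLF}" for k, v in headers.items()) + CRLF

def parse(raw):
    fields = {}
    for line in raw.strip().split(CRLF):
        key, _, value = line.partition(":")
        fields[key.strip().lower()] = value.strip()
    return fields

def md5_key(challenge, secret):
    # Key = hex MD5 of the challenge followed by the secret.
    return hashlib.md5((challenge + secret).encode()).hexdigest()

def login_frame(challenge_reply, username, secret):
    reply = parse(challenge_reply)
    if reply.get("response") != "Success" or "challenge" not in reply:
        raise ValueError("server did not issue a challenge")
    key = md5_key(reply["challenge"], secret)
    return frame(Action="Login", AuthType="MD5", Username=username, Key=key)

def server_accepts(login_raw, issued_challenge, secrets):
    # Simulated server side: recompute the key for the challenge it issued.
    f = parse(login_raw)
    secret = secrets.get(f.get("username"))
    if secret is None or f.get("authtype", "").lower() != "md5":
        return False
    expected = md5_key(issued_challenge, secret)
    return hmac.compare_digest(f.get("key", "").encode(), expected.encode())

# Constructed sample: reply to frame(Action="Challenge", AuthType="MD5")
CHALLENGE_REPLY = "Response: Success\r\nChallenge: 840415273\r\n\r\n"
SECRETS = {"monitor": "example-secret"}
```

The login frame carries only the hash, and a captured frame fails against any other challenge; wrap the socket with `tls_context()` so the rest of the session is encrypted and the server's certificate is checked.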

Thanks for your input. I am using a C# client to communicate with Asterisk. In my case, the problem with MD5 authentication is that Microsoft recommends using SHA256 or SHA512 instead of MD5 because of collision problems. I hope Asterisk provides an option for SHA256 as well sometime soon.

You could submit a feature request[1] if you wanted, but there is no guarantee or timeframe of such a thing being implemented.

[1] Issues · asterisk/asterisk-feature-requests · GitHub

Added a feature request for SHA256 auth type in AMI challenge action. For reference - Request for SHA256 authentication type in AMI Challenge Action · Issue #52 · asterisk/asterisk-feature-requests · GitHub