I added the certificates for the user (linphone); it registers successfully, but when I remove the certificate 37100.pem from /etc/asterisk/keys the endpoint could still register!!!
Which is so weird.
The certificate for the specific endpoint in /etc/asterisk/keys is not used by Asterisk. The peer certificate is verified against the certificate authority.
I did not really understand it!!
Then how do these certificates work? And why do we even create them?
Isn't it certificates that make TLS very secure?
Could you please explain what the goal of having certificates in TLS is?
TLS serves two purposes: Security and identity. The connection can be encrypted, even without a client having a certificate. A client having a certificate fulfils the identity part - because you can verify that the certificate they give you is one that you issued them.
This isn’t special to SIP, but is the way TLS itself can/does work.
Concerning the identity part, I already created the certificates! I forced Asterisk to verify the client and I set the require client cert parameter to yes!
So I kind of understood that now Asterisk must compare, for every client, the certificate that it has with the certificate that I created, so it would assure the identity of this client! This is what I understood, but it seems like it does not work this way.
So how does it work? Or in other words: how can I verify the identity of the client based on the certificate that I created and gave to it?
That’s what the certificate authority is. It doesn’t compare against issued certificates on disk. It checks to see if the client certificate was issued by the certificate authority. This is the same way that HTTPS works.
Oh, then since this certificate was created by me it would be approved!
Is there a way to remove a certificate that I made!?
For example, if I have this user but now I need it to stop registering, but this user has the certificate!
Is there a way to make the certificate that he has worthless?
What I'm trying to do is as follows: creating a certificate for every user, so when I want to kick out one user I could just delete this certificate in some way. But since it is not being compared with what's being created, this user could still register! I don't know if what I'm doing is standard (creating a certificate for every user), but if it works this way then it is beneficial to what I'm doing.
If someone does not do this certificate revocation list, then he could just create one certificate for all clients.
I will check on how it is done. If I reach a solution, I will update here or in a different post.
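As an added example (not code from this thread, from Asterisk, or from linphone), the following shell script reproduces the situation described above with the openssl command-line tool: it creates a CA, issues a client certificate for user 37100, deletes the server-side copy of that certificate, and shows that the certificate is still accepted because the check only asks "was this signed by my CA?". It then revokes the certificate and publishes a CRL, which is what actually makes the certificate worthless. The scratch directory, the config file, and the `phone/` copy are all constructed for the demonstration; nothing here touches a real /etc/asterisk/keys, and Asterisk itself is not involved, only the underlying X.509 checks.

```shell
#!/bin/sh
# Added example, not code from the thread or from Asterisk. Shows what a TLS
# server's client-certificate check depends on: the CA certificate and, if
# published, the CA's CRL. The issued copy kept on the server is never read.
# Requires the openssl CLI. All paths are a constructed scratch layout.
set -eu

WORK="${WORK:-$(mktemp -d)}"     # stands in for /etc/asterisk/keys
CNF="$WORK/openssl.cnf"

# Minimal CA configuration for 'openssl req' and 'openssl ca' (issue/revoke/gencrl).
write_config() {
  cat > "$CNF" <<EOF
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir              = $WORK
database         = \$dir/index.txt
new_certs_dir    = \$dir
serial           = \$dir/serial
certificate      = \$dir/ca.crt
private_key      = \$dir/ca.key
default_md       = sha256
default_days     = 365
default_crl_days = 30
policy           = demo_policy
x509_extensions  = v3_client
[ demo_policy ]
commonName = supplied
[ req ]
distinguished_name = req_dn
x509_extensions    = v3_ca
[ req_dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_client ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature
extendedKeyUsage = clientAuth
EOF
  : > "$WORK/index.txt"          # empty issuance database
  echo 1000 > "$WORK/serial"     # next serial number (hex)
}

# Self-signed CA: ca.crt is the only thing the server needs to trust clients.
make_ca() {
  openssl req -x509 -config "$CNF" -newkey rsa:2048 -nodes -days 365 \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" -subj "/CN=Demo CA" >/dev/null 2>&1
}

# Issue a client certificate for one SIP user ($1, e.g. 37100), signed by the CA.
issue_client_cert() {
  openssl req -new -config "$CNF" -newkey rsa:2048 -nodes \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" -subj "/CN=$1" >/dev/null 2>&1
  openssl ca -config "$CNF" -batch -notext \
    -in "$WORK/$1.csr" -out "$WORK/$1.pem" >/dev/null 2>&1
}

# The check the server really performs on a presented certificate ($1): does it
# chain to ca.crt, and, when a CRL ($2) is supplied, is it absent from the CRL?
# Prints "accepted" or "rejected".
check_client() {
  if [ $# -ge 2 ]; then
    openssl verify -CAfile "$WORK/ca.crt" -crl_check -CRLfile "$2" "$1" >/dev/null 2>&1 \
      && echo accepted || echo rejected
  else
    openssl verify -CAfile "$WORK/ca.crt" "$1" >/dev/null 2>&1 \
      && echo accepted || echo rejected
  fi
}

# Withdraw a certificate ($1 = any copy of it) and publish a fresh CA-signed CRL.
revoke_client() {
  openssl ca -config "$CNF" -revoke "$1" >/dev/null 2>&1
  openssl ca -config "$CNF" -gencrl -out "$WORK/ca.crl" >/dev/null 2>&1
}

# Walk through the scenario from the thread.
run_demo() {
  write_config
  make_ca
  issue_client_cert 37100
  mkdir -p "$WORK/phone"
  cp "$WORK/37100.pem" "$WORK/phone/37100.pem"   # the copy the phone presents
  rm "$WORK/37100.pem"                           # the copy the admin deleted
  echo "server copy deleted, no CRL:   $(check_client "$WORK/phone/37100.pem")"
  revoke_client "$WORK/phone/37100.pem"
  echo "after revocation, CRL checked: $(check_client "$WORK/phone/37100.pem" "$WORK/ca.crl")"
}

if [ "${1:-}" = run ]; then run_demo; fi
```

Run it as `sh demo.sh run`. The first line prints `accepted` even though the server's copy is gone, matching what the poster saw; the second prints `rejected` once the CRL is consulted. The equivalent knob on the Asterisk side is pointing the transport at a CRL (or a per-user CA, which amounts to the same thing) rather than deleting files from the keys directory.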