I am trying to implement PKI authentication to an Asterisk system, using PJSIP over TLS.
- Every phone/device in my system has a certificate signed by my CA.
- Extensions are assigned according to info inside this certificate.
- Registration should only be accepted for valid clients.
When establishing a TLS session, can I extract information from the client certificate in the dialplan?
… how about an AGI script?
Is there a way to intercept registration events?
There is no ability to get any information from the TLS exchange, but the transport can be configured to verify against the certificate authority.
AMI does provide registration events but they do not contain transport information.
Does this verification against a CA happen in Asterisk code? (Transport code?)
I guess that using a proxy that updates data in the realtime database is probably easier, but if this can be done using a custom transport code or an addon then it would be better for my case.
It happens in OpenSSL. We give it the certificates and turn on the flags, it does the rest.
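The transport-level CA verification mentioned in the replies, as an added `pjsip.conf` example that is not from the thread. The section name, bind address and file paths are placeholders; the option names are the standard `res_pjsip` transport options.

```ini
; pjsip.conf: TLS transport that only completes the handshake for clients
; presenting a certificate that chains to the configured CA.
; Section name and all file paths below are placeholders.
[transport-tls-mtls]
type=transport
protocol=tls
bind=0.0.0.0:5061

; Server identity presented to the phones
cert_file=/etc/asterisk/keys/asterisk.crt
priv_key_file=/etc/asterisk/keys/asterisk.key

; CA used to validate client certificates
ca_list_file=/etc/asterisk/keys/ca.crt

; Both options default to "no". verify_client makes OpenSSL check a
; presented client certificate against ca_list_file; require_client_cert
; makes the handshake fail when the client presents no certificate at all.
; Set both, otherwise a client that sends no certificate is still accepted.
verify_client=yes
require_client_cert=yes

method=tlsv1_2

; Limitation: this only proves the peer holds a certificate signed by the CA.
; The certificate contents are not exposed to the dialplan, AGI or AMI, so
; nothing here ties a given certificate to a given endpoint or extension.
; Any valid certificate holder can still attempt to register as any endpoint
; unless per-endpoint authentication is configured as well.
```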