Extracting information from client certificate (TLS)

Yotamz · September 25, 2018, 11:57am

Hi,

I am trying to implement PKI authentication to an Asterisk system, using PJSIP over TLS.

Scenario:

Every phone/device in my system has a certificate signed by my CA.
Extensions are assigned according to info inside this certificate.
Registration should only be accepted for valid clients.

Questions:
When establishing a TLS session, can I extract information from the client certificate in the dialplan?
… how about an AGI script?
Is there a way to intercept registration events?

Thanks.

jcolp · September 25, 2018, 1:34pm

There is no ability to get any information from the TLS exchange, but the transport can be configured to verify against the certificate authority.

AMI does provide registration events but they do not contain transport information.

Yotamz · September 25, 2018, 2:11pm

Does this verification agains a CA happen in Asterisk code? (Transport code?)

I guess that using a proxy that updates data in the realtime database is probably easier, but if this can be done using a custom transport code or an addon then it would be better for my case.

jcolp · September 25, 2018, 2:12pm

It happens in OpenSSL. We give it the certificates and turn on the flags, it does the rest.