hello guys,
I've been working on TLS recently and all is looking good.
I was using the ast_tls_cert script to generate a CA certificate, server certificates from the same CA, and a client certificate.
For FXO gateways and other Asterisk servers I always create server certificates, because from a TLS point of view a server certificate is not only dedicated to an Asterisk server.
But I only generated one client certificate for all IP phones.
Recently I got an FXS gateway, so I supposed it needs a client certificate just like the other IP phones. But while trying to process a call, I saw this:
The server identity does not match to any identities specified in the certificate.
And this only pops up when a server certificate is needed.
But I am a little confused, since I used to think that SIP endpoints only need a client certificate, and only SIP trunks need server certificates.
So could anyone explain?
Thanks in advance
SIP is symmetric, and, except in popular "culture", server and client relate to a particular call. "Trunk" is also not a term used by SIP.
The only way in which the "server" and "client" certificates created by those scripts differ is in the subject name.
Generating one certificate for all the phones means that you are out of luck if any one of those phones is compromised. You will have to take the system down until you have provided new secret keys and certificates to all the phones.
In practice, it is difficult to make proper use of certificates on phones, as they tend to have dynamic addresses, so one would normally disable checking the identity of phones.
My guess is that you have not disabled the identity check for the gateway, possibly because you think of it as a "trunk".
Well, if you mean that I have to disable "validate server certificate" in the gateway configuration, then it is already unchecked.
But if you mean that in pjsip.conf I should disable the identity check for the FXS gateway, then I don't really know how to do it,
since the endpoints of the FXS gateway are defined just like I define the endpoints of an IP phone. It is not different at all.
One of the things that is confusing me is where the message is being generated.
If it is on the gateway, it is probably trying to pick the right certificate to present, but there is actually little point in its having a certificate at all. Will it work without one, but still force the use of TLS?
Only one side needs a certificate for successful session key negotiation (actually I don't think one even needs that, but some software may not support that option). If that weren't the case, most web users would be in trouble, as very few add certificates to their browsers to identify the browser. You are only weakly using the certificate for authentication: you are only authenticating that it was signed by your VoIP CA private key, not that it is the specific device it claims to be.
No, this message is shown in the Asterisk log.
The message says:
res_pjsip/pjsip_transport_events.c:160 verify_log_result: Transport 'x.x.x.x-tls' to remote '1.2.3.4' - The server identity does not match to any identities specified in the certificate
This is related to server verification in Asterisk. But shouldn't FXS users act just like any IP phone users? IP phone users never needed a server cert.
They should also act just like a provider; there is no difference as far as SIP is concerned. Any difference will be in how the endpoint is configured.
Are you sure that the endpoint is being identified correctly, and you are not seeing fallback behaviour, for anonymous endpoints?
Which is the TLS client depends on which is the SIP client user agent, which depends on which side is issuing a request, which, initially, depends on which side is originating the call.
Well, yes, I noticed that this case is only happening when I'm trying to reach the FXS users from IP phone users.
But both users are identified the same way, and yes, correctly.
I do know that when Asterisk makes the request it will act as a client (TLS POV).
But how come when I'm making a call from FXS to an IP phone it never asks for a server certificate?
This is where the confusion is coming from, honestly, and I'm trying hard to understand.
I know I could just generate a server certificate from my CA, and this would solve my problem, but I need to know what is going on.
The only difference between client and server mode is that the server mode defaults the subject common name to be the host name of the system on which the script is running, and client mode defaults it to "asterisk". You are not going to fix a name mismatch by giving the ATA a certificate that says it has the name of the PABX; you need the name of the ATA.
Well, actually creating a server certificate resolved this issue, since maybe now it is related to the IP address.
But why did the Asterisk server ask for a server certificate?
It wouldn't. The other party would have volunteered one. The real question is why it checked it.
Hello @david551, it appears the server is sending a "hello server" message to the FXS gateway, which in turn would be the server in this scenario and thus should have a server certificate. The FXS gateway is replying with the client certificate, and then Asterisk says that it does not identify this certificate as one of the server certificates.
As I've already said, certificates are not client or server. The Asterisk CA script uses the terms to indicate the default value of the common name in the certificate, and if you don't explicitly set the common name, for a peer, to the correct value, and you enable checking the certificate name, it will get faulted.
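To make concrete what the two replies above describe (the name check compares the peer's identity against the names in the certificate, and a client-mode certificate carries the common name "asterisk" rather than the ATA's own name or address), here is an added worked example of that identity matching. It is illustration code written for this thread, not Asterisk or PJSIP source, and the certificate dictionaries are constructed sample data in the shape Python's ssl.SSLSocket.getpeercert() returns. The matching rules follow the usual RFC 6125 practice: when a subjectAltName extension is present only its DNS and IP Address entries count, otherwise the subject common name is used as a fallback.

```python
import ipaddress

# Constructed sample certificates (not real certificates), in the dict shape
# returned by ssl.SSLSocket.getpeercert().
CLIENT_MODE_CERT = {            # what "client mode" of the CA script would produce
    "subject": ((("commonName", "asterisk"),),),
}
CN_ONLY_IP_CERT = {             # a cert whose CN is the ATA's own IP address
    "subject": ((("commonName", "1.2.3.4"),),),
}
ATA_CERT_WITH_SAN = {           # CN plus subjectAltName naming the ATA by IP and DNS
    "subject": ((("commonName", "fxs-gateway"),),),
    "subjectAltName": (("IP Address", "1.2.3.4"),
                       ("DNS", "fxs-gateway.example.net")),
}
WILDCARD_CERT = {               # wildcard DNS name covering a block of phones
    "subject": ((("commonName", "ignored-when-san-present"),),),
    "subjectAltName": (("DNS", "*.phones.example.net"),),
}


def _common_names(cert):
    """Collect every commonName value from the subject RDN sequence."""
    return [value for rdn in cert.get("subject", ())
            for key, value in rdn if key == "commonName"]


def _dns_match(pattern, hostname):
    """Case-insensitive DNS match; a lone '*' may replace only the leftmost label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) != len(h_labels) or len(p_labels) < 3:
        return False
    return p_labels[1:] == h_labels[1:]


def _ip_match(candidate, peer_ip):
    """True if candidate parses as an IP address equal to peer_ip."""
    try:
        return ipaddress.ip_address(candidate) == peer_ip
    except ValueError:
        return False


def identity_matches(cert, peer_identity):
    """Return True if peer_identity (a hostname or IP address) is named by cert."""
    try:
        peer_ip = ipaddress.ip_address(peer_identity)
    except ValueError:
        peer_ip = None
    sans = cert.get("subjectAltName", ())
    if sans:
        # SAN present: the CN is ignored entirely, as modern verifiers do.
        for kind, value in sans:
            if kind == "IP Address" and peer_ip is not None and _ip_match(value, peer_ip):
                return True
            if kind == "DNS" and peer_ip is None and _dns_match(value, peer_identity):
                return True
        return False
    # No SAN: legacy fallback to the subject common name.
    for cn in _common_names(cert):
        if peer_ip is not None and _ip_match(cn, peer_ip):
            return True
        if peer_ip is None and _dns_match(cn, peer_identity):
            return True
    return False


def explain(cert, peer_identity):
    """One-line verdict in the spirit of the Asterisk log message in the thread."""
    if identity_matches(cert, peer_identity):
        return "identity %r matches the certificate" % peer_identity
    return ("identity %r does not match any identities specified in the certificate"
            % peer_identity)


if __name__ == "__main__":
    for label, cert in [("client-mode cert", CLIENT_MODE_CERT),
                        ("CN=1.2.3.4 cert", CN_ONLY_IP_CERT),
                        ("SAN cert", ATA_CERT_WITH_SAN)]:
        print("%-18s -> %s" % (label, explain(cert, "1.2.3.4")))
```

Running it shows why the thread's symptom appears: the client-mode certificate with CN "asterisk" fails for remote 1.2.3.4, while a certificate that names the ATA (either CN=1.2.3.4 without a SAN, or a SAN containing that IP) passes. It also shows that once a SAN is present the CN no longer counts, which is why setting the CN alone on a certificate that already has a SAN would not help.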
Actually, I'm not understanding it. And yes, somehow there is a difference between a client and a server certificate, maybe since a server certificate needs to be specified for an IP, but I'm not sure. Anyway… here is my experiment:
In the case of IP phones the same client certificate does not get faulted! At all!
And the Asterisk server never sends a "hello server" message to these endpoints! The IP phones are always treated as a client (TLS POV).
Only in the case of the FXS gateway is a "hello server" message sent from Asterisk, when I'm trying to call from an IP phone to the FXS endpoint, and to be precise this does not happen always, but mostly! But when an FXS endpoint originates a call to the IP phone, then it always works.