Secure Calling Tutorial (TLS SRTP)

One thing is unclear to me, and I believe it’s worth an additional line.
If the client is a mobile device (e.g. an iPhone running Bria hooked up to a mobile network or a WLAN), how can anyone generate a certificate? The -C option requires an IP or a DNS name, but in the case I outlined above the IP is STRONGLY dynamic and the DNS doesn’t exist…
Must I assume that TLS is available only for on-LAN, static clients? Or is there something I don’t know?

TLS is only available in SIP in general if the server at the time of connection has a well-known SIP URI (which may be a domain name) as well as an IP address. I guess one could get round that for a dynamic case by having the TCP connection stay up after the registration, but I don’t know if Asterisk or common SIP phones support that.

It would also require one-sided authentication, and I don’t know if Asterisk supports that.

Otherwise you need to take this up with IANA, as the need to have a known SIP URI at the time that the certificate for the UAS is created is a SIP requirement, not just an Asterisk one.