SIP Over TLS connects without any client certificate

Hi Everyone,

I have an Asterisk server installed with version 16.x on CentOS 7.x.

Presently I have configured SIP over TLS as per the Asterisk link Secure Calling Tutorial - Asterisk Project - Asterisk Project Wiki.
I have generated the server and client keys as per the document.

Below is my SIP configuration

tlsenable=yes
tlsbindaddr=0.0.0.0
tlscertfile=/etc/asterisk/keys/asterisk.pem
tlscafile=/etc/asterisk/keys/ca.crt

And I am using my SIP peers with TLS and the same reception method as in the document.

[malcolm]
type=peer
secret=somepasword ;note that this is NOT a secure password
host=dynamic
context=local
dtmfmode=rfc2833
disallow=all
allow=g722
transport=tls
encryption=yes
context=local

But my softphone (I use Blink, Zoiper and Counterpath) connects to the server without any client certificate. I don't think this is how it is supposed to work. But I see a label in my softphone saying that I use TLS as transport, and I can make calls.

I don't even see “tlsverifyclient” in the sample config for SIP. I think this is only a pjsip thing, and unfortunately I can't quickly migrate to pjsip.

Is this the right way SIP over TLS works? Or is there an option which I am missing?

Why do we even need a client certificate if it is able to register without a client certificate?

A client certificate is not required. It acts as a further identity such that only those who have been issued certificates are able to connect. Without a client certificate anyone can connect, but the connection is still encrypted.

Thanks for the reply.

But in this case, do we really need to generate the client certificate if we are not using it?

Also, is there any option where we can limit it based on the specific client certificate only?

For example, I have generated client.pem and the client files; the softphone needs to use those client certificates, and only then will it get registered.

If you aren’t using a client certificate, then it’s not necessary. I don’t remember chan_sip stuff regarding verification and such.

I am using a client certificate for the softphone, but the softphone is also able to register without the client certificate which I have generated.

As you said, it is not mandatory to use the client certificate which we have generated.

Is there any option where we can make SIP accept connections only from the client certificate which we have generated?

I have tried multiple options but I haven't found something for chan_sip still.

As I stated, I don't recall chan_sip stuff. My initial comment and the follow-up were in a general TLS sense.
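The point made earlier in the thread, that a client certificate lets "only those who have been issued certificates" connect, and the restriction asked for above (accept only the certificate we generated) come down to one check on the server side: does the certificate the client presents chain to the CA in tlscafile. The script below is an added example, not from this thread or from the Asterisk project; it uses the openssl command line to build a throwaway CA, issue one client certificate from it, and create a second self-signed certificate with the same CN, then runs the same chain check a verifying TLS server would. The directory layout, the file names (ca.crt, client.crt, rogue.crt) and the "Demo Asterisk CA" name are assumptions for the demo; the last function is a live probe for a real server and is not exercised by the offline demo.

```shell
#!/bin/sh
# Added example (not from the thread). Builds a disposable PKI under a temp
# directory and shows that "client certificate verification" is a check that
# the presented certificate was signed by the trusted CA, not a check on the
# CN. Nothing here touches /etc/asterisk/keys.
set -eu

# Create the demo PKI and print the directory that holds it.
make_demo_pki() {
    dir=$(mktemp -d)

    # Self-signed CA: this is what a server would load as its trusted CA file.
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=Demo Asterisk CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" >/dev/null 2>&1

    # Legitimate client: key + CSR, signed by the CA above.
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/CN=malcolm" \
        -keyout "$dir/client.key" -out "$dir/client.csr" >/dev/null 2>&1
    openssl x509 -req -days 30 -in "$dir/client.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -out "$dir/client.crt" >/dev/null 2>&1

    # Rogue client: same CN, but self-signed, so it never chains to our CA.
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=malcolm" \
        -keyout "$dir/rogue.key" -out "$dir/rogue.crt" >/dev/null 2>&1

    printf '%s\n' "$dir"
}

# Exit 0 if the certificate chains to the given CA file, non-zero otherwise.
# This is the decision a server enforcing client certificates makes.
cert_issued_by_ca() {
    ca="$1"; cert="$2"
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1
}

# Print subject and issuer so the two certificates can be told apart.
show_identity() {
    openssl x509 -in "$1" -noout -subject -issuer
}

# Live probe (not run by the offline demo): exit 0 if a TLS handshake with
# host:port completes while offering NO client certificate. host and port are
# placeholders to fill in; 5061 is only a conventional SIP-TLS port here.
server_accepts_anonymous_client() {
    host="$1"; port="${2:-5061}"; ca="$3"
    openssl s_client -connect "$host:$port" -CAfile "$ca" \
        </dev/null >/dev/null 2>&1
}

# Demo run: build the PKI and verify both certificates against the CA.
# Set MTLS_DEMO_SKIP=1 to only load the functions (e.g. when sourcing).
if [ -z "${MTLS_DEMO_SKIP:-}" ]; then
    demo_dir=$(make_demo_pki)
    for c in client rogue; do
        show_identity "$demo_dir/$c.crt"
        if cert_issued_by_ca "$demo_dir/ca.crt" "$demo_dir/$c.crt"; then
            echo "$c.crt: issued by our CA -> a verifying server would accept it"
        else
            echo "$c.crt: NOT issued by our CA -> a verifying server would reject it"
        fi
    done
    rm -rf "$demo_dir"
fi
```

Two things to take from this. First, the demo is why generating the client certificate alone changes nothing: the certificate is only an identity the server can insist on, and the server has to be configured to insist on it. Second, when pointed at a real server, a zero exit from server_accepts_anonymous_client is proof that client certificates are not being enforced (which is what the softphones showed); a non-zero exit is not proof of the opposite, since an unreachable host or a wrong CA file fails the handshake just the same.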

@jcolp - Thanks for the valuable comments.

Do you have any suggestions to secure UDP?

There is no support for encrypting UDP in Asterisk; any encryption would have to happen externally through something like a VPN.