SIP TLS connects without any client certificate

Asterisk Asterisk SIP
1

Good day everyone

I am using Asterisk certified/13.21 and trying to configure TLS for SIP calls. I followed tutorial on official Asterisk Wiki (https://wiki.asterisk.org/wiki/display/AST/Secure+Calling+Tutorial), generated all the files by running /contrib/scripts/ ast_tls_cert. But my softphone (I use PhonerLite) connects to server without any client certificate. I dont think this is how it suppose to work. But I see this label in my softphone saying that I use tls as transport, and I can make calls.

Here’s related lines from my sip.conf:

[general]
tlsenable=yes
tlsbindaddr=0.0.0.0
tlscertfile=/my/cert/path/asterisk.pem
tlscafile=/my/cert/path/ca.crt
tlscapth=/my/cert/path/
tlscipher=ALL
tlsclientmethod=tlsv1
tlsdontverifyserver=no

[template-sip](!)
transport=tls
type=peer

My actual peers inherit template-sip.

What am I might doing wrong here? Maybe anyone also had the same problem?

2

I think you would need to enable “tlsverifyclient” to enable the client certificate verification when they connect.

3

I dont even see “tlsverifyclient” in config sample for sip. I think this is only a pjsip thing, and unfortunately I can’t quickly migrate to pjsip. But I’ve tried your option anyway and got no result :frowning:

4

Why would a client need a certificate? It will always stay in the server. If public key is exchanged between the server and the client successfully, the communication will happen

I see all the setup is right here

5

I thought about that. But if so, why do we even need a client certificate?

6

It goes somewhat like this

  1. The client sends a request to identify the server
  2. The server sends a copy ssl certificate
  3. The client verifies if it trusts the certificate.
  4. The server sends digitally signed acknowledgement to start an encrypted session
  5. Encrypted session starts

Hence a client certificate/ key is required in the server

7

I think the option tlsdontverifyclient

If i try the tlsverifyclient
19:01:53] WARNING[10479]: chan_sip.c:32504 reload_config: Ignoring unsupported option ‘tlsverifyclient’