SIP TLS connects without any client certificate

Good day everyone

I am using Asterisk certified/13.21 and trying to configure TLS for SIP calls. I followed the tutorial on the official Asterisk Wiki (https://wiki.asterisk.org/wiki/display/AST/Secure+Calling+Tutorial) and generated all the files by running contrib/scripts/ast_tls_cert. But my softphone (I use PhonerLite) connects to the server without any client certificate. I don't think this is how it is supposed to work. Still, I see a label in my softphone saying that I use TLS as transport, and I can make calls.

Here are the related lines from my sip.conf:

[general]
tlsenable=yes
tlsbindaddr=0.0.0.0
tlscertfile=/my/cert/path/asterisk.pem
tlscafile=/my/cert/path/ca.crt
tlscapath=/my/cert/path/
tlscipher=ALL
tlsclientmethod=tlsv1
tlsdontverifyserver=no

[template-sip](!)
transport=tls
type=peer

My actual peers inherit template-sip.

What might I be doing wrong here? Has anyone else had the same problem?

I think you would need to enable “tlsverifyclient” to enable the client certificate verification when they connect.

I don't even see "tlsverifyclient" in the config sample for sip. I think this is only a pjsip thing, and unfortunately I can't quickly migrate to pjsip. But I've tried your option anyway and got no result :(

Why would a client need a certificate? It will always stay in the server. If the public key is exchanged between the server and the client successfully, the communication will happen.

I see all the setup is right here.

I thought about that. But if so, why do we even need a client certificate?

It goes somewhat like this:

  1. The client sends a request to identify the server
  2. The server sends a copy of its SSL certificate.
  3. The client verifies if it trusts the certificate.
  4. The server sends a digitally signed acknowledgement to start an encrypted session.
  5. The encrypted session starts.

Hence a client certificate/key is required in the server.

I think the option is tlsdontverifyclient.

If I try tlsverifyclient I get:
[19:01:53] WARNING[10479]: chan_sip.c:32504 reload_config: Ignoring unsupported option 'tlsverifyclient'
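Since chan_sip only reports an unknown option name as a warning at reload time, here is an added check script (my own, not from the thread or the Asterisk project) that parses a sip.conf and flags TLS options chan_sip does not recognise, plus a permissive tlscipher=ALL; the accepted-option list is my reading of chan_sip's sip.conf.sample and the sample configuration is constructed, modelled on the one in the thread.

```python
"""Audit the TLS options of a chan_sip sip.conf [general] section.
Assumption: the accepted names are my reading of sip.conf.sample (Asterisk 13);
anything else is what chan_sip reports as 'Ignoring unsupported option'."""
import re

CHAN_SIP_TLS_OPTIONS = {  # assumption, see module docstring
    "tlsenable", "tlsbindaddr", "tlscertfile", "tlsprivatekey", "tlscafile",
    "tlscapath", "tlscipher", "tlsclientmethod", "tlsdontverifyserver",
}
SECTION_RE = re.compile(r"^\[([^\]]+)\]")  # tolerates [name](!) template headers


def parse_asterisk_conf(text):
    """Minimal parser: ';' comments, [section] headers, key=value lines."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][key.strip().lower()] = value.strip()
    return sections


def audit_tls(general):
    """Return findings for a [general] dict; an empty list means nothing flagged."""
    findings = []
    for key in sorted(general):
        if key.startswith("tls") and key not in CHAN_SIP_TLS_OPTIONS:
            findings.append(f"{key}: unknown to chan_sip, ignored on reload")
    if general.get("tlsenable", "no").lower() == "yes":
        if general.get("tlscipher", "").upper() == "ALL":
            findings.append("tlscipher=ALL: every suite OpenSSL offers; list the ones you want")
    return findings


# Constructed sample modelled on the thread's configuration (not the poster's file).
SAMPLE_SIP_CONF = """[general]
tlsenable=yes
tlscertfile=/etc/asterisk/keys/asterisk.pem   ; placeholder path
tlscafile=/etc/asterisk/keys/ca.crt
tlscapth=/etc/asterisk/keys/    ; misspelt: chan_sip expects tlscapath
tlscipher=ALL
tlsverifyclient=yes             ; not a chan_sip option, see the reload warning
[template-sip](!)
transport=tls
"""

if __name__ == "__main__":
    for finding in audit_tls(parse_asterisk_conf(SAMPLE_SIP_CONF)["general"]):
        print(finding)
```

Run it against your real file by reading it into parse_asterisk_conf; it does not tell you whether clients are authenticated, only which options chan_sip will silently drop.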