TLS client certificate

I already successfully converted to TLS transport with encryption using the link below.
https://wiki.asterisk.org/wiki/display/AST/Secure+Calling+Tutorial

But as I understood things, I need to create a certificate for every client by its username, so I made a certificate for a client with username 333, then I used these same certificates for another user 777.

777 was able to register successfully and make an encrypted call as well. Does this conflict with what was stated in the link above or not? Shouldn't I be creating a certificate for every user by its username? Or should I only create one certificate for all users? I still did not get it.

What were these three options set to, assuming that you used the supported (pjsip) options from that tutorial:

verify_client=yes
verify_server=yes
require_client_cert=yes
method=tlsv1

I’m not completely sure what the certificate name is verified against. It might only be the signature that is checked. Even in that case, you should still have separate ones for each phone, in case one of them gets compromised.

More importantly, though, is that TLS v1 is now considered insecure, so you should not be using it. v1.1 should be considered a last resort and v1.2 is the minimum that should be used without a full risk assessment.

1 Like

The certificate name is not checked against anything currently.

1 Like

So what you are trying to say, guys, is that you could have a certificate name that is different than the name of the user, but you recommend having a unique certificate for every user?

And thanks @david551 for your information concerning the TLS method. Is sslv23 secure? Just in case of usage in future. And as I understood, I should be using tlsv1.1 (or maybe tlsv1.2) instead of tlsv1? So is it tlsv1.1 or tlsv1.2?

TLS provides two things: Encryption and identity. They are separate.

If you have no client certificate the connection is still encrypted, but anyone can connect.

If you have a client certificate the connection is encrypted and you know that the client is using a certificate you gave them - giving some identity. If everyone has the SAME client certificate then if you want to stop them from connecting, you stop everyone. If everyone has a DIFFERENT client certificate then you can stop only that single client from being able to connect.

2 Likes
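The point made in the answer above (one certificate per client lets you cut off a single client, a shared certificate does not) can be seen end to end with nothing but the openssl command line. The script below is an added example for this thread, not code from the tutorial or from Asterisk: it builds a throwaway private CA (the kind a pjsip TLS transport would reference via ca_list_file), issues one certificate per SIP user with the username in the CN, revokes only user 333 through a CRL, and then checks both certificates the way a CRL-aware server would. The CA name and the users 333 and 777 are constructed for the demo.

```shell
#!/bin/sh
# Added demo (not part of the thread, not Asterisk code): a private CA issues one
# client certificate per SIP user, then revokes only user 333 via a CRL.
# "Demo Asterisk CA" and users 333/777 are constructed names. Requires openssl.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal "openssl ca" configuration for the throwaway CA's revocation database
cat > ca.cnf <<'EOF'
[ ca ]
default_ca = demo_ca

[ demo_ca ]
database         = index.txt
serial           = serial.txt
new_certs_dir    = .
certificate      = ca.crt
private_key      = ca.key
default_md       = sha256
default_crl_days = 30
EOF
: > index.txt
echo 1000 > serial.txt

# Self-signed CA certificate: this is what the server trusts client certs against
openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
  -subj "/CN=Demo Asterisk CA" -keyout ca.key -out ca.crt 2>/dev/null

# Issue one private key + certificate per client; the CN carries the SIP username
issue_client() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$1.key" -out "$1.csr" 2>/dev/null
  openssl x509 -req -in "$1.csr" -CA ca.crt -CAkey ca.key -CAcreateserial \
    -days 365 -sha256 -out "$1.crt" 2>/dev/null
}

# Validate a client certificate against the CA and the current CRL; prints ok/blocked
verify_client() {
  if openssl verify -CAfile ca.crt -crl_check -CRLfile ca.crl "$1.crt" >/dev/null 2>&1; then
    echo ok
  else
    echo blocked
  fi
}

issue_client 333
issue_client 777

# Publish an empty CRL first: both distinct certificates validate
openssl ca -config ca.cnf -gencrl -out ca.crl 2>/dev/null
echo "before revocation: 333=$(verify_client 333) 777=$(verify_client 777)"

# Revoke only 333's certificate and publish a fresh CRL
openssl ca -config ca.cnf -revoke 333.crt 2>/dev/null
openssl ca -config ca.cnf -gencrl -out ca.crl 2>/dev/null
echo "after revoking 333: 333=$(verify_client 333) 777=$(verify_client 777)"
# Revocation is per certificate, not per username: had 777 been handed 333's
# certificate, as in the original question, 777 would now be blocked as well.
```

Run it as a plain shell script; the second line of output shows 333 blocked while 777 still validates. Note that the check here is only chain validity plus revocation, which matches the earlier reply that the certificate name itself is not compared to the SIP username; the CN is just a convenient label for the operator.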

Thanks man, that was extremely helpful.