TLS Transport without certificate

Dear Community,

I’ve been trying to connect to a SIP Registrar Platform through TLS Transport,
and one prerequisite to connect to it was not to have a TLS certificate.

Asterisk (No cert) >>>>(TLS)>>>>>> Platform

I’m not sure if this is out of standard, but I haven’t been able to configure Asterisk that way.
I’m only seeing messages like:

SSL SSL_ERROR_SSL (Handshake): Level: 0 err: <167772353> <SSL routines-???-no shared cipher>

[transport_tls_nocert](transport)
protocol = tls
bind = 0.0.0.0:5063
method = tlsv1_2
;cert_file = /etc/asterisk/certs/
;priv_key_file = /etc/asterisk/certs/
;ca_list_file = /etc/asterisk/certs/
cipher = ECDHE-ECDSA-AES256-GCM-SHA384,ECDHE-RSA-AES256-GCM-SHA384,ECDHE-ECDSA-AES128-GCM-SHA256,ECDHE-RSA-AES128-GCM-SHA256
external_signaling_port = 5063

I have tried commenting and uncommenting the cipher parameters.

Now, when I try to connect to this platform through MicroSIP I don’t have any problem with the handshake, but I’m not sure if the softphone itself has a certificate.

Any ideas will be greatly appreciated
Warm Regards

On Wednesday 06 March 2024 at 20:53:08, Diego.Espinoza via Asterisk Community wrote:

> Dear Community,
>
> I’ve been trying to connect to a SIP Registrar Platform through TLS
> Transport, and one prerequisite to connect to it was not to have a TLS
> certificate
>
> Asterisk (No cert) >>>>(TLS)>>>>>> Platform

I can’t even work out what that means.

Please point to any documentation, RFC, standard or configuration guidelines,
for any application whatsoever, which explains using TLS without certificates.

At best, someone might be able to help you; at worst, I’ll be enlightened.

Thanks,

Antony.


The truth is rarely pure, and never simple.

- Oscar Wilde

Please reply to the list; please *don't* CC me.

It’s possible to do it without a certificate either by generating a transient certificate (which the other end cannot validate), or by using a key exchange algorithm that doesn’t use certificates. The latter do exist, but I’m not sure if they are still considered safe, and, for both, I don’t know to what extent OpenSSL supports them, as I think most people use a cookbook approach to it, so don’t consider these edge cases.

I haven’t had to research this in enough detail to say more than the above.

Of course, what the OP might really mean is without an external CA.

(I think Diffie-Hellman is certificateless.)

The OP should note that the key role for a certificate is to prevent a man in the middle attack; it is for authentication, not encryption.
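An added example, not from the thread, that reproduces both points with the standard-library ssl module and in-memory BIOs (no sockets): every suite in the transport's own cipher list carries Au=RSA or Au=ECDSA, so a server with no certificate loaded has no suite it can complete and OpenSSL reports NO_SHARED_CIPHER, the same error as in the Asterisk log. The function names and the TLS 1.2 cap (mirroring method = tlsv1_2) are my own choices.

```python
import re
import ssl

# Cipher list from the pjsip.conf transport in the question, in OpenSSL ':' syntax.
PJSIP_CIPHERS = ("ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
                 "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256")


def auth_methods(cipher_string):
    """Map each TLS 1.2 suite the string selects to its authentication method (Au= field)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)
    result = {}
    for c in ctx.get_ciphers():
        if c["protocol"] != "TLSv1.3":  # TLS 1.3 suites are always listed; skip them
            result[c["name"]] = re.search(r"Au=(\S+)", c["description"]).group(1)
    return result


def handshake(server_ctx, client_ctx):
    """Drive a TLS handshake in memory. Return None on success, else the OpenSSL reason."""
    to_server, to_client = ssl.MemoryBIO(), ssl.MemoryBIO()
    server = server_ctx.wrap_bio(to_server, to_client, server_side=True)
    client = client_ctx.wrap_bio(to_client, to_server, server_side=False)
    pending = [client, server]
    for _ in range(10):  # a TLS 1.2 handshake completes in three passes
        for side in list(pending):
            try:
                side.do_handshake()
                pending.remove(side)
            except ssl.SSLWantReadError:
                pass  # needs the peer's next flight first
            except ssl.SSLError as err:
                return err.reason  # e.g. NO_SHARED_CIPHER, as in the Asterisk log
        if not pending:
            return None
    return "STALLED"


def handshake_without_cert(cipher_string):
    """Server with no cert/key loaded; client skips verification, as the softphone likely does."""
    server = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    client = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    client.check_hostname = False
    client.verify_mode = ssl.CERT_NONE
    for ctx in (server, client):
        ctx.maximum_version = ssl.TLSVersion.TLSv1_2  # mirrors method = tlsv1_2
        ctx.set_ciphers(cipher_string)
    return handshake(server, client)
```

Calling handshake_without_cert("aNULL:@SECLEVEL=0") instead completes the handshake on OpenSSL builds that still ship anonymous (EC)DH suites, which is the certificateless key exchange mentioned above: the session is encrypted, but neither side is authenticated, so nothing stops a man in the middle.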
