Using TLS, a client can register using any certificate

Hi all

I’m trying to secure our Asterisk PBX (v11.13) using TLS and certificates.
My goal is to provide a certificate to each extension so that only peers with a good certificate can connect to our Asterisk.

So I generated certificates using this webpage: community.polycom.com/t5/VoIP/FA … td-p/33018

And I put these params in our Asterisk PBX:

Asterisk config:

vmexten=*97
faxdetect=yes
context=from-sip-external
callerid=Unknown
notifyringing=yes
notifyhold=yes
tos_sip=cs3
tos_audio=ef
tos_video=af41
alwaysauthreject=yes
disallow=all
allow=ulaw
allow=gsm
allow=alaw
tlsenable=yes
transport=tls
tlsclientmethod=tlsv1
tlsbindaddr=0.0.0.0:5061
tlscertfile=/etc/asterisk/keys/192.168.1.254.pem
tlscipher=DES-CBC3-SHA
tlsdontverifyserver=no
language=fr
bindport=5050
jbenable=no
defaultexpiry=120
minexpiry=60
maxexpiry=3600
srvlookup=no
videosupport=no
allowguest=no
registerattempts=0
registertimeout=20
notifyringing=yes
g726nonstandard=no
t38pt_udptl=no
maxcallbitrate=384
canreinvite=no
rtptimeout=0
rtpholdtimeout=0
rtpkeepalive=0
checkmwi=10
notifyhold=yes
nat=yes

And my test extension:

[300]
deny=0.0.0.0/0.0.0.0
secret=azerty123
dtmfmode=rfc2833
canreinvite=no
context=from-internal
host=dynamic
type=friend
nat=yes
port=5060
qualify=yes
callgroup=
pickupgroup=
dial=SIP/300
mailbox=300@device
permit=0.0.0.0/0.0.0.0
callerid=device <300>
callcounter=yes
faxdetect=no
transport=tls

(Don’t worry about the weak password, it’s only to test the certificate. Future peers will have strong passwords.)

Now, peers can’t connect to our PBX without certificates.
But if I provide any certificate to a peer, the peer registers to Asterisk without any tears… So it’s not good: for example, the default certificate shipped with BLINK works! :(

I saw an option “tlsverifyclient”, but if I set it to “1”, I get this error: chan_sip.c: Ignoring unsupported option ‘tlsverifyclient’

What am I missing?

Thank you for your help
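As an added example (not part of the original post or of Asterisk itself), here is a small linter for sip.conf-style key=value settings like the ones above. It flags the TLS options a reviewer would question in that config (a TLS 1.0-only client method, a 3DES cipher, a permit rule that cancels the deny) and, above all, the absence of any tlscafile/tlscapath, without which there is no trust anchor against which a peer certificate could be verified. The sample config is constructed from the post; the check rules are this example's own.

```python
# Added example, not from the original post: lint sip.conf-style TLS settings.
import re

# Constructed sample, taken from the settings shown in the post.
SAMPLE_CONF = """\
tlsenable=yes
transport=tls
tlsclientmethod=tlsv1
tlsbindaddr=0.0.0.0:5061
tlscertfile=/etc/asterisk/keys/192.168.1.254.pem
tlscipher=DES-CBC3-SHA
tlsdontverifyserver=no
deny=0.0.0.0/0.0.0.0
permit=0.0.0.0/0.0.0.0
"""

# Substrings that mark a cipher suite as weak (3DES, RC4, NULL, export, MD5 MAC).
WEAK_CIPHER_PATTERNS = ("DES-CBC3", "RC4", "NULL", "EXPORT", "MD5")

def parse_conf(text):
    """Parse key=value lines; a repeated key keeps a list of its values."""
    conf = {}
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()  # drop Asterisk-style ';' comments
        if not line or line.startswith("[") or "=" not in line:
            continue  # skip blank lines, section headers and malformed lines
        key, value = (s.strip() for s in line.split("=", 1))
        conf.setdefault(key.lower(), []).append(value)
    return conf

def lint_tls(conf):
    """Return a list of findings for the TLS and ACL settings."""
    findings = []
    if conf.get("tlsenable", ["no"])[-1].lower() == "yes":
        if "tlscafile" not in conf and "tlscapath" not in conf:
            findings.append("no tlscafile/tlscapath: no trust anchor to verify peer certificates")
        method = conf.get("tlsclientmethod", [""])[-1].lower()
        if method in ("sslv2", "sslv3", "tlsv1"):
            findings.append(f"tlsclientmethod={method}: protocol version older than TLS 1.2")
        cipher = conf.get("tlscipher", [""])[-1].upper()
        if any(p in cipher for p in WEAK_CIPHER_PATTERNS):
            findings.append(f"tlscipher={cipher}: weak cipher suite")
    if "0.0.0.0/0.0.0.0" in conf.get("permit", []):
        findings.append("permit=0.0.0.0/0.0.0.0 allows every address, cancelling the deny rule")
    return findings

if __name__ == "__main__":
    for finding in lint_tls(parse_conf(SAMPLE_CONF)):
        print("WARN:", finding)
```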