
How to create/verify a client certificate on Asterisk? Any way to verify the "common name" field?

Current configuration:

We have a PBX (Asterisk) on an external IP that allows all SIP clients to register, call, etc. Currently only port 5061/tls is open and a client certificate is required. pjsip.conf looks like this:

INSERT INTO `CONFIG_pjsip` (`id`, `cat_metric`, `var_metric`, `commented`, `filename`, 
`category`, `var_name`, `var_val`) VALUES
...
(13,1,0,0,'pjsip.conf','secur','type','transport'),
(14,1,1,0,'pjsip.conf','secur','bind','0.0.0.0:5061'),
(19,1,3,0,'pjsip.conf','secur','protocol','tls'),
(20,1,4,0,'pjsip.conf','secur','cert_file','/etc/asterisk/keys/dev200_pbx.crt'),
(21,1,5,0,'pjsip.conf','secur','priv_key_file','/etc/asterisk/keys/dev200_pbx.key'),
(22,1,6,0,'pjsip.conf','secur','ca_list_file','/etc/asterisk/keys/rootCA.crt'),
(23,1,7,0,'pjsip.conf','secur','require_client_cert','yes'),
(24,1,8,0,'pjsip.conf','secur','verify_client','yes'),
(25,1,9,0,'pjsip.conf','secur','verify_server','yes'),
(26,1,10,0,'pjsip.conf','secur','external_media_address','Our-ext-IP'),
(27,1,11,0,'pjsip.conf','secur','external_signaling_address','Our-ext-IP'),
(28,1,12,0,'pjsip.conf','secur','external_signaling_port','5061'),
(29,1,13,0,'pjsip.conf','secur','local_net','10.0.0.0/8'),
(30,1,14,0,'pjsip.conf','secur','method','sslv23');
...

We already created our CA and signed each certificate (for the PBX and for the SIP client). Everything works well. The TLS handshake succeeds only if the SIP client (Blink) has "our" certificate <- that is the correct and expected behaviour.

Problem

We would like to use a UNIQUE certificate for EACH SIP client. Any idea how we can do it? At first I thought of using the "COMMON NAME" to check it. For example, the SIP client with ext. 101 could use a COMMON NAME like "ourPBX-ext-13" or whatever, etc. My original idea was that Asterisk checks the COMMON NAME field from the client cert, and thereby checks whether SIP client 13 is really using the certificate which is allowed ONLY for SIP 13. For example, SIP 14 could not use the same certificate as SIP 13. Both SIP clients (13 and 14) are using "our" certificate, but each should be unique (not the same).

Is it possible to do this? Or can you show me any other solution which allows keeping a unique cert for each SIP client? I know that it is possible to check the certificate against IP (or hostname), but I cannot use that. The SIP client IP is "random"; these people are usually working from home, so there is no chance to get their IP.

I am afraid that if I create just one certificate for all SIP clients then security will be very bad.

Ondrej Raso
Like in a bank, where every bank client has a unique client certificate. So I would like to use the same approach.
