VoIP Mailing List Archives
Mailing list archives for the VoIP community

[asterisk-users] Client TLS certificates for auth ?


 
mvakondios at gmail.com
Guest





Posted: Tue Mar 29, 2016 9:33 am    Post subject: [asterisk-users] Client TLS certificates for auth ?

This would be very interesting, as we could register SIP devices securely over the internet without the need for VPN. Asterisk of course must accept only trusted client certificates the same way an OpenVPN server does.
Anyone operating his/her remote endpoints like this?
Anyone advising against this solution?


On 29 March 2016 at 04:51, Kevin Long <kevin.long@haloprivacy.com> wrote:
Quote:


I use TLS and SRTP on my Asterisk servers. The server certificates are signed by my internal CA, and the Root CA cert is distributed to the phones and soft phones so they will trust the server without warning.

It is not clear to me if Asterisk can be configured to actually reject client connections/registrations from peers which do not possess a client certificate which has been signed by a particular CA ?

If so, could it be such that the common name in the client certificate would need to match the username or Asterisk “extension” ?


I’m wondering if this can be done, to have a second factor of authentication besides the SIP secret, since in my current setup, despite using a TLS/SSL cert for the server, the server only verifies the client by the SIP secret.

Regards,

Kevin Long
--
_____________________________________________________________________
-- Bandwidth and Colocation Provided by http://www.api-digital.com --
New to Asterisk? Join us for a live introductory webinar every Thurs:
               http://www.asterisk.org/hello

asterisk-users mailing list
To UNSUBSCRIBE or update options visit:
   http://lists.digium.com/mailman/listinfo/asterisk-users
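
The check asked about in the quoted message above (a client certificate signed by a trusted CA, with a common name equal to the SIP username, on top of the SIP secret), as an added example that is not part of the thread and is not Asterisk code or configuration. The function names, the sample REGISTER request and the host `pbx.example.test` are assumptions constructed for illustration.

```python
import re
import ssl

def server_context(ca_file=None, cert_file=None, key_file=None):
    """TLS server context that fails the handshake without a CA-signed client cert."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.verify_mode = ssl.CERT_REQUIRED            # client must present a certificate
    if ca_file:
        ctx.load_verify_locations(cafile=ca_file)  # trust only this internal CA
    if cert_file:
        ctx.load_cert_chain(cert_file, key_file)   # the server's own certificate
    return ctx

def cert_common_names(peercert):
    """commonName values from the dict returned by SSLSocket.getpeercert()."""
    return [value for rdn in (peercert or {}).get("subject", ())
            for key, value in rdn if key == "commonName"]

def digest_username(sip_message):
    """Username from the Digest Authorization header of a SIP request, or None."""
    m = re.search(r'^Authorization:\s*Digest\b.*?\busername="([^"]*)"',
                  sip_message, re.IGNORECASE | re.MULTILINE)
    return m.group(1) if m else None

def register_allowed(peercert, sip_message):
    """Certificate factor only: exactly one CN, equal to the digest username.
    The digest response (SIP secret) still has to be checked separately."""
    names = cert_common_names(peercert)
    user = digest_username(sip_message)
    return len(names) == 1 and user is not None and names[0] == user

# Constructed sample input (not captured traffic).
REGISTER = (
    "REGISTER sip:pbx.example.test SIP/2.0\r\n"
    "From: <sip:1001@pbx.example.test>;tag=a1\r\n"
    'Authorization: Digest username="1001", realm="pbx.example.test", '
    'nonce="abc", uri="sip:pbx.example.test", response="00"\r\n\r\n'
)
CERT_1001 = {"subject": ((("organizationName", "Example"),),
                         (("commonName", "1001"),))}
CERT_1002 = {"subject": ((("commonName", "1002"),),)}

if __name__ == "__main__":
    for label, cert in (("1001", CERT_1001), ("1002", CERT_1002), ("none", None)):
        print(label, register_allowed(cert, REGISTER))
```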
satskiy.a at gmail.com
Guest





Posted: Tue Mar 29, 2016 11:42 am    Post subject: [asterisk-users] Client TLS certificates for auth ?

But what is the problem? Even if somehow your password will be stolen, a hacker can't make a call because he needs a certificate. Of course, if you set up the ext to use TLS only.

On Mar 29, 2016 5:32 PM, "Markos Vakondios" <mvakondios@gmail.com> wrote:
Quote:
This would be very interesting, as we could register SIP devices securely over the internet without the need for VPN. Asterisk of course must accept only trusted client certificates the same way an OpenVPN server does.
Anyone operating his/her remote endpoints like this?
Anyone advising against this solution?


On 29 March 2016 at 04:51, Kevin Long <kevin.long@haloprivacy.com> wrote:
Quote:


I use TLS and SRTP on my Asterisk servers. The server certificates are signed by my internal CA, and the Root CA cert is distributed to the phones and soft phones so they will trust the server without warning.

It is not clear to me if Asterisk can be configured to actually reject client connections/registrations from peers which do not possess a client certificate which has been signed by a particular CA ?

If so, could it be such that the common name in the client certificate would need to match the username or Asterisk “extension” ?


I’m wondering if this can be done, to have a second factor of authentication besides the SIP secret, since in my current setup, despite using a TLS/SSL cert for the server, the server only verifies the client by the SIP secret.

Regards,

Kevin Long