Summary: ASTERISK-19268: Need to specify TLS peer verification policy per-peer
Reporter: Daniel Pocock (daniel.pocock)
Labels:
Date Opened: 2012-01-29 15:22:49.000-0600
Date Closed: 2012-01-30 16:51:19.000-0600
Versions:
Frequency of
Description: For inter-domain routing of SIP messages, it is recommended that each proxy/PBX does full TLS verification.

Here is the RFC on the subject; it provides very useful background about this bug:


Example: Asterisk receives a SIP connection from Kamailio:
- Asterisk should demand a client certificate from Kamailio
- Kamailio will present its server certificate as a client certificate
- Asterisk should verify that the cert is signed by a trusted CA
- Asterisk should perform verification of the CN and/or subjectAltName/dNSName entries against each message that comes in

However, the same Asterisk server, when receiving a TLS connection from a trusted peer (authentication by shared secret), does not need to demand a certificate - in this case, certificate exchange is unidirectional (just like the typical scenario where you connect to an HTTPS web server).

To facilitate this, Asterisk probably needs a new parameter:


that can be specified in the [general] section and the individual [peer] sections of sip.conf, e.g.

# demand a client certificate/two way certificate exchange from unknown peers

# user connects with TLS, but with no client cert
# he uses a password
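
The two cases in the report (mutual TLS with domain verification for unknown peers, one-way TLS plus password for a trusted peer) can be modelled as a per-peer policy that falls back to a [general] default. The following is an added illustration, not Asterisk code and not the reporter's proposal: the parameter name `tlsverify`, the `PeerVerify` values, the `PEER_POLICIES` table, and the certificate dictionary `KAMAILIO_CERT` are all constructed for the example. It uses Python's `ssl` module to select the verification mode and checks the SIP From-domain of a message against the subjectAltName dNSName entries (falling back to the CN only when no dNSName is present) in the shape that `SSLSocket.getpeercert()` returns.

```python
import ssl
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Optional


class PeerVerify(Enum):
    """Constructed values for a hypothetical per-peer 'tlsverify' setting."""
    NONE = "none"      # one-way TLS: we present our cert, peer authenticates by password
    MUTUAL = "mutual"  # demand a client certificate and verify it against a trusted CA


@dataclass
class PeerPolicy:
    name: str
    verify: PeerVerify


# Constructed stand-in for the [general] and [peer] sections of sip.conf.
PEER_POLICIES: Dict[str, PeerPolicy] = {
    "general": PeerPolicy("general", PeerVerify.MUTUAL),       # unknown peers: two-way exchange
    "trustedpeer": PeerPolicy("trustedpeer", PeerVerify.NONE),  # TLS + password, no client cert
}


def policy_for(peer_name: str) -> PeerPolicy:
    """Per-peer setting wins; otherwise inherit the [general] default."""
    return PEER_POLICIES.get(peer_name, PEER_POLICIES["general"])


def build_server_context(policy: PeerPolicy, ca_file: Optional[str] = None) -> ssl.SSLContext:
    """Server-side TLS context whose client-certificate demand follows the peer policy."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    if policy.verify is PeerVerify.MUTUAL:
        ctx.verify_mode = ssl.CERT_REQUIRED   # handshake fails without a valid client cert
        if ca_file:
            ctx.load_verify_locations(ca_file)  # trusted CA bundle supplied by the operator
    else:
        ctx.verify_mode = ssl.CERT_NONE       # no client cert requested; password does the work
    return ctx


def cert_identities(peer_cert: dict) -> list:
    """Domains the certificate claims: dNSName SANs, or the CN only if there are no SANs."""
    names = [value for (kind, value) in peer_cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        for rdn in peer_cert.get("subject", ()):
            for (attr, value) in rdn:
                if attr == "commonName":
                    names.append(value)
    return names


def sip_domain(from_header: str) -> str:
    """Host part of the From URI, e.g. '"Alice" <sip:alice@example.net:5061;x=y>;tag=1' -> 'example.net'.
    IPv6 literals are not handled in this illustration."""
    uri = from_header
    if "<" in uri and ">" in uri:
        uri = uri[uri.index("<") + 1: uri.index(">")]
    uri = uri.split(";", 1)[0]                 # drop URI parameters
    if ":" in uri:
        uri = uri.split(":", 1)[1]             # drop the 'sip:' / 'sips:' scheme
    hostport = uri.rsplit("@", 1)[-1]          # user part is optional
    return hostport.split(":", 1)[0]           # drop an explicit port


def authorize_message(policy: PeerPolicy, peer_cert: Optional[dict], from_header: str) -> bool:
    """Apply the verification policy to one incoming message.

    For MUTUAL peers the From-domain must exactly match (case-insensitively) a domain
    the verified client certificate asserts; wildcards are deliberately not matched.
    For NONE peers the certificate is not consulted; password authentication applies."""
    if policy.verify is PeerVerify.NONE:
        return True
    if not peer_cert:                          # getpeercert() returns {} when no cert was presented
        return False
    wanted = sip_domain(from_header).lower()
    return wanted in {name.lower() for name in cert_identities(peer_cert)}


# Constructed peer certificate in getpeercert() dictionary form (not a real certificate).
KAMAILIO_CERT = {
    "subject": ((("commonName", "kamailio.example.net"),),),
    "subjectAltName": (("DNS", "example.net"), ("DNS", "kamailio.example.net")),
}


if __name__ == "__main__":
    unknown = policy_for("unknown-proxy")
    print(unknown.verify, build_server_context(unknown).verify_mode)
    print(authorize_message(unknown, KAMAILIO_CERT, '"Alice" <sip:alice@example.net>;tag=1'))
    print(authorize_message(unknown, KAMAILIO_CERT, '<sip:bob@other.example.org>'))
    print(authorize_message(policy_for("trustedpeer"), {}, '<sip:user@trustedpeer.example.org>'))
```

The point the example makes is that the choice of `verify_mode` is a per-connection decision driven by which peer section matched, while the domain check runs per message, so a peer that passed the handshake still cannot speak for a domain its certificate does not name.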

Comments:

By: Matt Jordan (mjordan) 2012-01-30 16:51:10.982-0600

Feature requests are no longer submitted to or accepted through the issue tracker. Feature requests are openly discussed on the mailing lists [1] and Asterisk IRC channels and made note of by Bug Marshals.

[1] http://www.asterisk.org/support/mailing-lists

By: Daniel Pocock (daniel.pocock) 2012-01-30 18:16:44.743-0600

It is probably somewhere in between bug-report and feature-request: it is stuff that is mandatory for Asterisk to comply with the SIP standard with respect to TLS:


26.3.1 Requirements for Implementers of SIP

  "Proxy servers, redirect servers, and registrars MUST implement TLS,
  and MUST support both mutual and one-way authentication."

However, it is not something that causes Asterisk to crash, so it is not an outright bug.  It is a mandatory part of the SIP standard that is not implemented, so it is not just a wish-list item or user preference.

By: Tzafrir Cohen (tzafrir) 2017-12-25 08:24:56.399-0600

Doing some housekeeping, and this issue is referred to by an old Debian bug. I believe that this issue is at least mostly fixed by chan_pjsip, as there is a per-endpoint configuration of verification.