Michael,

Yes, in Bria, the Verify TLS Cert option only verifies the self-signed server CA cert. You email the server CA cert to the iOS device and install it in the System Profiles (simple), then with Verify TLS Cert enabled you will be certain you are connecting to your Asterisk server, not a hijacked DNS with the intention to capture your SIP peer secret. Not likely, but possible in theory.

The purpose of client certificates is for Asterisk to essentially do the above, but in reverse, to verify that it is really your iOS device not a drive-by snooper. Unfortunately it seems this is not a commonly supported feature in mobile SIP clients, not to mention Asterisk. So it seems, at this time, SIP-TLS client certificate authentication is not something we can utilize.

Lonnie

On Nov 12, 2012, at 10:05 PM, Michael Knill wrote:

> The Bria 3 for iPhone has an option under Settings > Advanced to Verify TLS
> Cert. Also Groundwire came up and asked me whether I wanted to add an
> exception for the non verified Asterisk certificate. Surely these will work
> when certificate checking is enforced.
>
> Interestingly Counterpath uses reSIProcate in the Bria SIP stack. Surely it
> would be compatible!
>
> http://www.counterpath.com/architecture.html
>
> Regards
> Michael Knill
>
> On 13/11/2012, at 9:21 AM, David Kerr wrote:
>
>> I can see no evidence of the Acrobits softphone using client certificates.
>> Once I set up the Asterisk side it "just worked". Not being a security guy
>> I don't know all the implications.
>>
>> I have not used Bria iOS app, though I have used the free version of their
>> desktop app, X-lite. I have spent a few bucks on iOS SIP clients over the
>> years and progressed to Acrobits earlier this summer... and it works so well
>> that I've not found the need to try anything else. I do wish I had bought
>> their Groundwire product though... it has more features than the base
>> softphone. Unfortunately there is no upgrade path -- a consequence of
>> needing to use the iTunes store as their distribution channel I think. I
>> would pay $3 to upgrade, but not sure I want to pay $10 having already spent
>> $7 on the base softphone.
>>
>> David
>>
>> On Mon, Nov 12, 2012 at 2:54 PM, Lonnie Abelbeck <[email protected]>
>> wrote:
>> David,
>>
>> Just curious, does your "Acrobits Softphone" iOS app support client
>> certificates? What do you like over Bria (iOS)?
>>
>> Lonnie
>>
>> On Nov 12, 2012, at 1:35 PM, David Kerr wrote:
>>
>> > I agree that it is useful to have this support added to the web interface.
>> > Thanks Lonnie.
>> >
>> > David
>> >
>> > On Mon, Nov 12, 2012 at 2:19 PM, Lonnie Abelbeck
>> > <[email protected]> wrote:
>> > Hi Michael,
>> >
>> > It is not that Asterisk fails to handle SIP TLS certificates correctly, it
>> > is just not completely implemented.
>> >
>> > Though this may be somewhat moot if many of the SIP clients don't support
>> > client certs anyway. I'm using Bria (iOS) and unless it is hidden, I
>> > don't see client cert support.
>> >
>> > I still think this is worth adding to the web interface, client
>> > certificate generation can be easily added down the road if needed,
>> > whatever the server/proxy is.
>> >
>> > Lonnie
>> >
>> > On Nov 12, 2012, at 12:49 PM, Michael Keuter wrote:
>> >
>> > > So IMHO it is not very efficient to waste effort on the TLS certificate
>> > > feature in AstLinux if Asterisk fails to handle it correctly ATM.
>> > > Would it instead be interesting to think about a SIP proxy like e.g.
>> > > Repro?
>> > > (The additional requirements are not that big).
>> > >
>> > > Sent from my iPad
>> > >
>> > > Michael
>> > >
>> > > On 12.11.2012 at 19:34, Lonnie Abelbeck
>> > > <[email protected]> wrote:
>> > >
>> > >> Clarification, regarding my earlier comment:
>> > >>
>> > >>> Edit: Ahhh, before sending this email, I confirmed that if the CA
>> > >>> CommonName is set to pbx2.priv.abelbeck.com (not the IP 10.10.50.61)
>> > >>> and then try to connect via 10.10.50.61 the TLS fails. I suppose that
>> > >>> is a hurdle by setting the CommonName to a DNS name rather than an IP
>> > >>> address.
>> > >>
>> > >> The 'Server Certificate' (not CA as stated) CommonName or
>> > >> subjectAltName validity check is implemented on the client not the
>> > >> server (Asterisk), so this feature does not add a hurdle for the evil
>> > >> doers.
>> > >>
>> > >> Lonnie
_______________________________________________
Astlinux-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/astlinux-users

Donations to support AstLinux are graciously accepted via PayPal to
[email protected].
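
The client-side name check described in the clarification above, as an added example that is not part of the original thread: a strict matcher over a certificate dict shaped like Python's getpeercert() output, showing why dialing 10.10.50.61 is rejected when the certificate only names pbx2.priv.abelbeck.com. The function names are hypothetical and the sample certificates are constructed; the strict IP rule is an assumption of this example, and some clients are laxer and also accept an IP address in CommonName.

```python
import ipaddress

def _is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def _dns_match(pattern, host):
    """Case-insensitive label match; '*' may only be the entire left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def server_name_ok(cert, target):
    """cert: dict shaped like ssl.SSLSocket.getpeercert(); target: host the client dialed."""
    sans = cert.get("subjectAltName", ())
    if _is_ip(target):
        # An IP target matches only an iPAddress SAN entry, never a DNS name or the CN.
        want = ipaddress.ip_address(target)
        return any(kind == "IP Address" and _is_ip(val)
                   and ipaddress.ip_address(val) == want for kind, val in sans)
    names = [val for kind, val in sans if kind == "DNS"]
    if not names:
        # Legacy fallback: CommonName is consulted only when no dNSName SAN exists.
        names = [v for rdn in cert.get("subject", ()) for k, v in rdn
                 if k == "commonName"]
    return any(_dns_match(n, target) for n in names)

# Constructed sample certificates (name and address taken from the thread).
CN_ONLY = {"subject": ((("commonName", "pbx2.priv.abelbeck.com"),),)}
WITH_IP_SAN = dict(CN_ONLY, subjectAltName=(("DNS", "pbx2.priv.abelbeck.com"),
                                            ("IP Address", "10.10.50.61")))

if __name__ == "__main__":
    for label, cert in (("CN only", CN_ONLY), ("DNS + IP SAN", WITH_IP_SAN)):
        for target in ("pbx2.priv.abelbeck.com", "10.10.50.61"):
            verdict = "accept" if server_name_ok(cert, target) else "reject"
            print(f"{label:13} dialed {target:24} -> {verdict}")
```

Issuing the server certificate with both a DNS and an IP subjectAltName entry lets a verifying client connect either way, while the check itself still runs only on the client.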
