Sorry yes that makes sense. I thought I didn't know what I was talking about (again)!

Regards
Michael Knill

On 13/11/2012, at 3:39 PM, Lonnie Abelbeck wrote:

> Michael,
>
> Yes, in Bria, the Verify TLS Cert option only verifies the self-signed server
> CA cert. You email the server CA cert to the iOS device and install it in
> the System Profiles (simple), then with Verify TLS Cert enabled you will be
> certain you are connecting to your asterisk server, not a hijacked DNS with
> the intention to capture your SIP peer secret. Not likely, but possible in
> theory.
>
> The purpose of client certificates is for Asterisk to essentially do the
> above, but in reverse, to verify that it is really your iOS device not a
> drive-by snooper. Unfortunately it seems this is not a commonly supported
> feature in mobile SIP clients, not to mention Asterisk.
>
> So it seems, at this time, SIP-TLS client certificate authentication is not
> something we can utilize.
>
> Lonnie
>
>
> On Nov 12, 2012, at 10:05 PM, Michael Knill wrote:
>
>> The Bria 3 for iPhone has an option under Settings > Advanced to Verify TLS
>> Cert. Also Groundwire came up and asked me whether I wanted to add an
>> exception for the non verified Asterisk certificate. Surely these will work
>> when certificate checking is enforced.
>>
>> Interestingly Counterpath uses reSIProcate in the Bria SIP stack. Surely it
>> would be compatible!
>>
>> http://www.counterpath.com/architecture.html
>>
>> Regards
>> Michael Knill
>>
>>
>> On 13/11/2012, at 9:21 AM, David Kerr wrote:
>>
>>> I can see no evidence of the Acrobits softphone using client certificates.
>>> Once I set up the Asterisk side it "just worked". Not being a security guy
>>> I don't know all the implications.
>>>
>>> I have not used Bria iOS app, though I have used the free version of their
>>> desktop app, X-lite. I have spent a few bucks on iOS SIP clients over the
>>> years and progressed to Acrobits earlier this summer... and it works so
>>> well that I've not found the need to try anything else.
>>> I do wish I had bought their Groundwire product though... it has more
>>> features than the base softphone. Unfortunately there is no upgrade path
>>> -- a consequence of needing to use the iTunes store as their distribution
>>> channel I think. I would pay $3 to upgrade, but not sure I want to pay $10
>>> having already spent $7 on the base softphone.
>>>
>>> David
>>>
>>>
>>> On Mon, Nov 12, 2012 at 2:54 PM, Lonnie Abelbeck
>>> <[email protected]> wrote:
>>> David,
>>>
>>> Just curious, does your "Acrobits Softphone" iOS app support client
>>> certificates ? What do you like over Bria (iOS) ?
>>>
>>> Lonnie
>>>
>>>
>>> On Nov 12, 2012, at 1:35 PM, David Kerr wrote:
>>>
>>>> I agree that it is useful to have this support added to the web interface.
>>>> Thanks Lonnie.
>>>>
>>>> David
>>>>
>>>>
>>>> On Mon, Nov 12, 2012 at 2:19 PM, Lonnie Abelbeck
>>>> <[email protected]> wrote:
>>>> Hi Michael,
>>>>
>>>> It is not that Asterisk fails to handle SIP TLS certificates correctly, it
>>>> is just not completely implemented.
>>>>
>>>> Though this may be somewhat moot if many of the SIP clients don't support
>>>> client certs anyway. I'm using Bria (iOS) and unless it is hidden, I
>>>> don't see client cert support.
>>>>
>>>> I still think this is worth adding to the web interface, client
>>>> certificate generation can be easily added down the road if needed,
>>>> whatever the server/proxy is.
>>>>
>>>> Lonnie
>>>>
>>>>
>>>> On Nov 12, 2012, at 12:49 PM, Michael Keuter wrote:
>>>>
>>>>> So IMHO it is not very efficient to waste effort on the TLS certificate
>>>>> feature in Astlinux if Asterisk fails to handle it correctly ATM.
>>>>> Would it instead be interesting to think about a SIP proxy like e.g. Repro?
>>>>> (The additional requirements are not that big).
>>>>>
>>>>> Sent from my iPad
>>>>>
>>>>> Michael
>>>>>
>>>>> On 12.11.2012 at 19:34, Lonnie Abelbeck
>>>>> <[email protected]> wrote:
>>>>>
>>>>>> Clarification, regarding my earlier comment:
>>>>>>
>>>>>>> Edit: Ahhh, before sending this email, I confirmed that if the CA
>>>>>>> CommonName is set to pbx2.priv.abelbeck.com (not the IP 10.10.50.61)
>>>>>>> and then try to connect via 10.10.50.61 the TLS fails. I suppose that
>>>>>>> is a hurdle by setting the CommonName to a DNS name rather than an IP
>>>>>>> address.
>>>>>>
>>>>>> The 'Server Certificate' (not CA as stated) CommonName or subjectAltName
>>>>>> validity check is implemented on the client not the server (asterisk),
>>>>>> so this feature does not add a hurdle for the evil doers.
>>>>>>
>>>>>> Lonnie
>>>>>>
>>>>
>>>> ------------------------------------------------------------------------------
>>>> Monitor your physical, virtual and cloud infrastructure from a single
>>>> web console. Get in-depth insight into apps, servers, databases, vmware,
>>>> SAP, cloud infrastructure, etc. Download 30-day Free Trial.
>>>> Pricing starts from $795 for 25 servers or applications!
>>>> http://p.sf.net/sfu/zoho_dev2dev_nov
>>>> _______________________________________________
>>>> Astlinux-users mailing list
>>>> [email protected]
>>>> https://lists.sourceforge.net/lists/listinfo/astlinux-users
>>>>
>>>> Donations to support AstLinux are graciously accepted via PayPal to
>>>> [email protected].
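
The client-side CommonName/subjectAltName check discussed in the thread, as an added example that is not part of the original messages and is not Bria's or Asterisk's code. It is a simplified matcher over constructed certificate dicts shaped like Python's `ssl.SSLSocket.getpeercert()` output; the certificate contents and function names are assumptions, and the IP-SAN certificate goes one step beyond the case tested in the thread.

```python
import ipaddress

# Constructed samples (not real certificates), in getpeercert() dict form.
# CN-only server certificate, as in the test described in the thread.
SERVER_CERT = {"subject": ((("commonName", "pbx2.priv.abelbeck.com"),),)}
# Same server, but the certificate also lists the IP in subjectAltName.
CERT_WITH_IP_SAN = {
    "subject": ((("commonName", "pbx2.priv.abelbeck.com"),),),
    "subjectAltName": (("DNS", "pbx2.priv.abelbeck.com"),
                       ("IP Address", "10.10.50.61")),
}

def _is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def _dns_match(pattern, host):
    """Case-insensitive label match; '*' only as the entire left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def cert_matches(cert, target):
    """True if the address the client dialled is named in the certificate."""
    san = cert.get("subjectAltName", ())
    if _is_ip(target):
        # An IP target only matches an IP SAN entry, never the CommonName.
        want = ipaddress.ip_address(target)
        return any(kind == "IP Address" and ipaddress.ip_address(val) == want
                   for kind, val in san)
    names = [val for kind, val in san if kind == "DNS"]
    if not names:
        # Legacy fallback: use CommonName only when no DNS SAN is present.
        names = [val for rdn in cert.get("subject", ())
                 for key, val in rdn if key == "commonName"]
    return any(_dns_match(name, target) for name in names)

if __name__ == "__main__":
    for cert_name, cert in (("CN only", SERVER_CERT), ("with IP SAN", CERT_WITH_IP_SAN)):
        for target in ("pbx2.priv.abelbeck.com", "10.10.50.61"):
            print(cert_name, target, cert_matches(cert, target))
```

The check only has value when the client enforces it after validating the chain to the installed CA; a server-side setting cannot make a client perform it.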
