AMI using TLS?

Nov 11, 2013 at 6:03 PM
I have been using the Manager library for a while now and would like to secure my connection.
I can do this in SIP but I do not see any knobs to set TLS on in AsterNet.

Is it possible to connect TLS only?


Nov 11, 2013 at 6:50 PM
Hi Bill,

There's nothing built into the AMI protocol to support encryption. The only way to do this would be to run a proxy of some sort. If you find a nice solution, please let us know! :)

Nov 12, 2013 at 1:20 AM
Then why is it discussed so much?
Asterisk's manager.conf has the following fields.

tlsenable yes Enables listening for AMI connections using TLS. The default is no. It is highly recommended to only expose connectivity via TLS outside of the local machine.[b]
tlsbindport 5039 Sets the port to listen on for TLS connections to the AMI. The default is 5039.
tlsbindaddr Sets the address to listen on for TLS-based AMI connections. The default is to listen on all addresses (
tlscertfile /var/lib/asterisk/keys/asterisk.pem Sets the path to the server certificate for TLS. This is required if tlsenable is set to yes.
tlsprivatekey /var/lib/asterisk/keys/private.pem Sets the path to the private key for TLS. If this is not specified, the tlscertfile will be checked to see if it also contains the private key.
tlscipher <cipher string> Specifies a list of ciphers for OpenSSL to use. Setting this is optional. To see a list of available ciphers, run openssl ciphers -v at the command line.

Nov 12, 2013 at 9:58 AM
Bill, my apologies, it's not something I've used myself during development of AsterNET or prior, so was unaware of it.

However, that said, we don't currently support TLS in AsterNET for AMI. However, if you would like to implement it and share your implementation with is, I'd be very happy to review and add it in to AsterNET.

You would i suspect need to create overloaded versions of ManagerConnection and ManagerReader.

We're looking at moving AsterNET to a git repo on Codeplex to allow easier community contribution.
Nov 14, 2013 at 10:46 AM
No problem, There is so much stuff in Asterisk it is hard to know it all!

I will be going down this path and if it makes sense to extend AsterNet then I will do so and let you know.