Hi, the documentation of TLS module says:
---------------------------------------
1.7. Known Limitations
The TLS certificate verification ignores the certificate name, subject altname and ip extensions, it just checks if the certificate is signed by a recognized CA. One can use the select framework to try to overcome this limitation (check in the script for the contents of various certificate fields), but this is not only slow, but also not exactly standard conforming (the verification should happen during TLS connection establishment and not after).
-----------------------------------------
The last phrase, "the verification should happen during TLS connection establishment and not after", is incorrect. It's true that the SIP node receiving a TLS certificate should first verify that the certificate is signed by a recognized CA and is not expired. This is the first step and must occur when establishing the TLS session. If not, drop the connection.
But in case a proxy/server receives a TLS connection and wants to authenticate SIP requests based on the certificate, it must extract the SIP domain identities in the certificate by inspecting each value in the subjectAltName field with type "domain". And for each SIP request coming within this TLS connection, the proxy/server could check whether the From domain matches a SIP domain present in the certificate, so the request gets automatically authenticated (no need to require SIP authentication nor to check the source IP against a list of trusted IPs).
In order to implement it, I suggest the following behaviour in sip-router:
- A client establishes a TLS session with sip-router.
- The client presents a TLS certificate.
- sip-router extracts the SIP identities of the certificate and stores them, somehow, in attributes belonging to this TLS session (maybe pseudovariables).
- In the logic script, it would be possible then to match the From domain of the request (or whatever) against the list of SIP identities in the certificate (so authentication is done).
This is important in order to allow real SIP federation (as already occurs in the XMPP world). We all know that SIP federation is not used yet, but it should be in the future.
Regards.
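The post-handshake step proposed above (extract the SIP domain identities from the peer certificate's subjectAltName, then match the From domain of each request against them) as an added example in Python; this is not code from the original message or from sip-router. It assumes the certificate has already passed the CA-signature and expiry checks during the handshake, and takes the peer certificate in the dictionary shape that Python's ssl.SSLSocket.getpeercert() returns. Which subjectAltName entries count as SIP domain identities is an assumption modeled on RFC 5922 (DNS names and URI entries of the form sip:<domain>); wildcard names and URIs with a user part are deliberately not accepted. The sample certificate and From headers are constructed.

```python
import re

# Constructed sample in the shape returned by ssl.SSLSocket.getpeercert()
# after a successful handshake (CA signature and validity already checked there).
SAMPLE_PEER_CERT = {
    "subject": ((("commonName", "proxy.example.net"),),),
    "issuer": ((("commonName", "Example Test CA"),),),
    "notAfter": "Jan  1 00:00:00 2030 GMT",
    "subjectAltName": (
        ("DNS", "example.net"),
        ("DNS", "*.sip.example.net"),        # wildcard: not accepted as a SIP identity
        ("URI", "sip:example.org"),
        ("URI", "sip:alice@example.org"),    # has a user part: not a domain identity
        ("IP Address", "192.0.2.10"),        # ignored: not a domain identity
    ),
}


def sip_domain_identities(peer_cert):
    """Return the set of lowercase SIP domain identities found in subjectAltName.

    Assumption (modeled on RFC 5922): DNS entries and URI entries of the form
    sip:<domain> are identities; wildcards, user parts, ports and parameters
    are rejected or stripped so that only a bare domain is compared later.
    """
    identities = set()
    for kind, value in peer_cert.get("subjectAltName", ()):
        if kind == "DNS":
            if "*" in value:
                continue
            identities.add(value.lower().rstrip("."))
        elif kind == "URI" and value.lower().startswith("sip:"):
            host = value[4:]
            if "@" in host or "*" in host:
                continue
            # Drop any URI parameters and port: "example.org:5061;transport=tls"
            host = host.split(";")[0].split(":")[0]
            if host:
                identities.add(host.lower().rstrip("."))
    return identities


def from_domain(from_header):
    """Extract the host part of the URI in a From header value (the text after
    'From:'). Handles '"Alice" <sip:alice@example.org;tag=...>' and bare
    'sip:alice@example.org'. IPv6 literals in brackets are not handled here."""
    match = re.search(r"<?sips?:(?:[^@<>\s]+@)?([^:;>\s?]+)", from_header)
    if not match:
        return None
    return match.group(1).lower().rstrip(".")


def request_authorized(peer_cert, from_header):
    """True if the From domain of a request arriving over this TLS session is
    one of the SIP domain identities asserted by the peer certificate."""
    domain = from_domain(from_header)
    return domain is not None and domain in sip_domain_identities(peer_cert)


if __name__ == "__main__":
    print(sorted(sip_domain_identities(SAMPLE_PEER_CERT)))
    for hdr in ('"Alice" <sip:alice@example.org;tag=1928301774>',
                "<sip:mallory@evil.example>",
                "<sip:bob@sub.sip.example.net>"):
        print(hdr, "->", request_authorized(SAMPLE_PEER_CERT, hdr))
```

In a real deployment the identity set would be computed once per TLS session (right after the handshake) and cached on the connection, which is what the proposed per-session attributes or pseudovariables would hold; the per-request work is then only the From-domain lookup.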