Hi,

Minisip (and any other phone that fully supports TLS) can do both.
Use TLS as the transport layer, authenticate the server cert against the locally trusted root certs, and if given a client cert, it will send it to the server for client authentication (that is, to openser). All this happens during the TLS handshake.

Now, once TLS is established, it is up to the proxy whether it challenges the client for digest authentication. That is, it is up to you. If you set a proxy so that it only accepts TLS connections, use mutual TLS auth for client and server ... you may choose not to challenge with digest on top of that. But, as of now in ser/openser ... I would still challenge, as TLS is loosely coupled with the subscriber data you have in your database.

Hope it helps,

Cesc
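
The coupling concern in the reply above, sketched as an added example (not part of the original message and not ser/openser code): a proxy-side decision that skips the digest challenge only when the verified client certificate names the same subscriber the request claims to come from. The function names, the subscriber set, and the policy of trusting only `URI` entries in `subjectAltName` are assumptions; the certificate dict follows the layout of Python's `ssl.SSLSocket.getpeercert()`.

```python
import re

# Constructed subscriber table standing in for the proxy's subscriber database.
SUBSCRIBERS = {"alice@example.com", "bob@example.com"}

def sip_aor(uri):
    """Reduce 'sip:user@host:port;params' (or sips:) to 'user@host'."""
    m = re.match(r"^sips?:([^@;>\s]+)@([^;>:\s]+)", uri.strip("<> "), re.I)
    if not m:
        return None
    return f"{m.group(1)}@{m.group(2).lower()}"

def cert_aors(peercert):
    """SIP identities asserted by an already-verified client certificate.

    Assumed policy: only URI entries in subjectAltName count; DNS names
    and the subject CN identify a host, not a subscriber.
    """
    if not peercert:
        return set()          # TLS with server authentication only
    return {a for kind, val in peercert.get("subjectAltName", ())
            if kind == "URI" and (a := sip_aor(val))}

def auth_decision(peercert, from_uri, subscribers=SUBSCRIBERS):
    """'accept' only if cert identity == claimed identity == known subscriber."""
    claimed = sip_aor(from_uri)
    if claimed is None:
        return "reject"       # unparsable From URI
    if claimed in subscribers and claimed in cert_aors(peercert):
        return "accept"       # TLS identity is bound to the subscriber record
    return "challenge"        # fall back to digest authentication

if __name__ == "__main__":
    # Constructed certificate contents for illustration.
    alice = {"subjectAltName": (("URI", "sip:alice@example.com"),
                                ("DNS", "phone1.example.com"))}
    print(auth_decision(alice, "sip:alice@example.com;transport=tls"))
    print(auth_decision(alice, "sip:bob@example.com"))
    print(auth_decision(None, "sip:alice@example.com"))
```

A valid certificate on its own proves only that the peer holds a key signed by a trusted CA; the second call shows why that is not enough to skip digest when the request claims a different subscriber.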

On 10/14/05, Girish Nayak <girish@isphone.net> wrote:
I understand, minisip softphone can initiate TLS connection.
And it can be authenticated by the openser via digest authentication.

Is it possible to use certificate instead of digest authentication?
--
Girish


On Fri, 2005-10-14 at 08:28 +0000, users-request@openser.org wrote:
>
> Today's Topics:
>
>    1. Re: Re: [Serusers] trusting peers (Juha Heinanen)
>    2. Re: different tables for acc (Klaus Darilion)
>    3. Re: Improving TLS implementation (Cesc)
>    4. Re: Improving TLS implementation (Juha Heinanen)
>    5. Softphones compatible with Openser/TLS (Joonbum Byun)
>    6. Re: Softphones compatible with Openser/TLS (Klaus Darilion)
>    7. Re: Softphones compatible with Openser/TLS (Cesc)
>    8. Re: BYE method accompanied by error (Daniel-Constantin Mierla)
>    9. Re: How to do RADIUS authentication with hashed password (MD5
>       or HA1)? (Bogdan-Andrei Iancu)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Thu, 13 Oct 2005 13:55:37 +0300
> From: Juha Heinanen <jh@tutpro.com>
> Subject: Re: [Users] Re: [Serusers] trusting peers
> To: Klaus Darilion <klaus.mailinglists@pernau.at>
> Cc: Nils Ohlmeier <lists@ohlmeier.org>, serusers@iptel.org, Jan Janak
>       <jan@iptel.org>, "users openser.org" <users@openser.org>
> Message-ID: <17230.15657.441146.200770@rautu.tutpro.com>
> Content-Type: text/plain; charset=us-ascii
>
> Klaus Darilion writes:
>
>  > e.g. similar to allow_trusted, but using the domain from the
>  > certificate instead of using src_ip.
>
> yes, it would be easy to add such a check to permissions module.
>
> -- juha
>
>
>
> ------------------------------
>
> Message: 2
> Date: Thu, 13 Oct 2005 14:30:46 +0200
> From: Klaus Darilion <klaus.mailinglists@pernau.at>
> Subject: Re: [Users] different tables for acc
> To: jayesh nambiar <jayesh_1017@yahoo.com>
> Cc: SER <users@openser.org>
> Message-ID: <434E5376.2000902@pernau.at>
> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>
> No. Only one table for all customers.
>
> klaus
>
> jayesh nambiar wrote:
> > hi all,
> > I came to know about the parameter modparam("acc", "db_table_acc",
> > "acc_table").
> > Does this mean that I can have different acc tables for my different
> > type of customers. Is this possible.
> > If yes, then how? If i declare the appropriate flag and then use setflag
> > at the places i want to account, will it work.
> > Can someone please explain it to me. Any suggestions would help me a lot.
> > Thanx
> > jayesh
> >
> > _______________________________________________
> > Users mailing list
> > Users@openser.org
> > http://openser.org/cgi-bin/mailman/listinfo/users
>
>
>
>
> ------------------------------
>
> Message: 3
> Date: Thu, 13 Oct 2005 14:53:25 +0200
> From: Cesc <cesc.santa@gmail.com>
> Subject: Re: [Users] Improving TLS implementation
> To: Juha Heinanen <jh@tutpro.com>
> Cc: SER-Users <serusers@iptel.org>, OpenSER-users <users@openser.org>
> Message-ID:
>       <ce8208420510130553r371591aeib5f43a7674b109b@mail.gmail.com>
> Content-Type: text/plain; charset="utf-8"
>
> Hi Juha,
>  Well, that is true, but what do you propose then? Just present a host cert
> and nothing else? I would say that if the company trusts the hosting for
> running the service, a mere certificate should not be the problem, should it?
>  Cesc
>
>  On 10/13/05, Juha Heinanen <jh@tutpro.com> wrote:
> >
> > cesc,
> >
> > you made a good summary, but in multi-domain case, it is not just a
> > technical problem on how to present or offer a domain specific
> > certificate. in order to be able to do that, the domains have to
> > surrender their private keying information to a provider that currently
> > happens to host their sip service, and to another provider that hosts
> > their web service, and to third provider that hosts their e-commerce
> > service, etc.
> >
> > in most cases, this is simply out of question. companies are not going
> > to do it.
> >
> > -- juha
> >
>
> ------------------------------
>
> Message: 4
> Date: Thu, 13 Oct 2005 16:00:34 +0300
> From: Juha Heinanen <jh@tutpro.com>
> Subject: Re: [Users] Improving TLS implementation
> To: Cesc <cesc.santa@gmail.com>
> Cc: SER-Users <serusers@iptel.org>, OpenSER-users <users@openser.org>
> Message-ID: <17230.23154.109583.123270@rautu.tutpro.com>
> Content-Type: text/plain; charset=us-ascii
>
> Cesc writes:
>
>  >  Well, that is true, but what do you propose then? just present a host cert
>  > and nothing else?
>
> yes.
>
>  > I would say that if the company trusts the hosting for
>  > running the service, a mere certificate should not be the problem,
>  > should it?
>
> it would be if the company uses the same domain certificate also for
> other things, like e-commerce.
>
> -- juha
>
>
>
> ------------------------------
>
> Message: 5
> Date: Thu, 13 Oct 2005 10:46:44 -0400
> From: "Joonbum Byun" <jbyun@qovia.com>
> Subject: [Users] Softphones compatible with Openser/TLS
> To: <users@openser.org>
> Message-ID:
>       <A8F302FE10019948AAF281B06FB908D72950E0@exchange.qovia.com>
> Content-Type: text/plain; charset="us-ascii"
>
>
> ------------------------------
>
> Message: 6
> Date: Thu, 13 Oct 2005 21:23:55 +0200
> From: Klaus Darilion <klaus.mailinglists@pernau.at>
> Subject: Re: [Users] Softphones compatible with Openser/TLS
> To: Joonbum Byun <jbyun@qovia.com>
> Cc: users@openser.org
> Message-ID: <434EB44B.8040800@pernau.at>
> Content-Type: text/plain; charset=windows-1252; format=flowed
>
> I only know minisip and Windows Messenger (never tried one of them)
>
> klaus
>
> Joonbum Byun wrote:
> > Hi;
> >
> > I'd like to set up a SIP network secured by TLS in my lab.
> >
> > Would anyone please let me know if open source soft-phone is available
> > compatible with TLS enabled Openser? Any suggestions on soft-phones or
> > success stories are greatly appreciated.
> >
> > Thanks,
> >
> > Joon
> >
>
>
>
> ------------------------------
>
> Message: 7
> Date: Fri, 14 Oct 2005 01:00:34 +0200
> From: Cesc <cesc.santa@gmail.com>
> Subject: Re: [Users] Softphones compatible with Openser/TLS
> To: Klaus Darilion <klaus.mailinglists@pernau.at>
> Cc: Joonbum Byun <jbyun@qovia.com>, users@openser.org
> Message-ID:
>       <ce8208420510131600l47f91125i9df215a3c7b95ee1@mail.gmail.com>
> Content-Type: text/plain; charset="utf-8"
>
> Hi,
>
> I've never tried wmessenger either, but minisip does work.
> As for hardphones, I think snoms can do tls, though only
> server-authentication (no client/phone authentication).
>
> Cesc
>
> On 10/13/05, Klaus Darilion <klaus.mailinglists@pernau.at> wrote:
> >
> > I only know minisip and Windows Messenger (never tried one of them)
> >
> > klaus
> >
> > Joonbum Byun wrote:
> > > Hi;
> > >
> > > I'd like to set up a SIP network secured by TLS in my lab.
> > >
> > > Would anyone please let me know if open source soft-phone is available
> > > compatible with TLS enabled Openser? Any suggestions on soft-phones or
> > > success stories are greatly appreciated.
> > >
> > > Thanks,
> > >
> > > Joon
> > >
> >
>
> ------------------------------
>
> Message: 8
> Date: Fri, 14 Oct 2005 09:24:18 +0300
> From: Daniel-Constantin Mierla <daniel@voice-system.ro>
> Subject: Re: [Users] BYE method accompanied by error
> To: Sam Lee <Sam@super.net.sg>
> Cc: users@openser.org
> Message-ID: <434F4F12.1030001@voice-system.ro>
> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>
> It seems that the gateway does not like the BYE, maybe there are some
> bad header values there. Anyhow, you can account failed transactions too
> (see failed_transaction_flag parameter of acc module), or just use
> acc_db_request() function for BYEs.
>
> Cheers,
> Daniel
>
>
> On 10/13/05 05:30, Sam Lee wrote:
> > Any help I can get on this one?
> >
> > Sam
> >
> > -----Original Message-----
> > From: users-bounces@openser.org [mailto:users-bounces@openser.org] On
> > Behalf Of Sam Lee
> > Sent: Wednesday, October 12, 2005 3:27 PM
> > To: Iqbal; users@openser.org
> > Subject: RE: [Users] BYE method accompanied by error
> >
> > I have checked that the phones have not received a prior BYE. Any other
> > idea what is wrong?
> >
> > Here's a more detailed situation:
> >
> > Caller (PSTN) --> Voice Gateway --> OPENSER --> Callee (UA)
> >
> > When Callee (UA) tried to end the call, OPENSER will forward a copy of
> > the BYE to Voice Gateway to inform him of the BYE.
> > The Gateway, somehow, replied with a 'Call Leg/Transaction Does Not
> > Exist'. The strange thing is, the Caller (PSTN) was somehow informed of
> > the BYE method and terminated the session. Anyone has any idea how to
> > handle these errors? I will be glad to provide a ngrep for more
> > reference.
> >
> > Regards,
> > Sam
> >
> > -----Original Message-----
> > From: users-bounces@openser.org [mailto:users-bounces@openser.org] On
> > Behalf Of Iqbal
> > Sent: Tuesday, October 11, 2005 7:35 PM
> > To: Sam Lee
> > Cc: users@openser.org
> > Subject: Re: [Users] BYE method accompanied by error
> >
> > Can you check to see if you have already received a BYE for that call,
> > some phones I had were sending their own BYEs after the GW had
> >
> > Iqbal
> >
> > Sam Lee wrote:
> >
> >
> >> Hi all,
> >>
> >> I would like to know why my BYE methods are always replied to with a
> >> 'Call Leg/Transaction does not exist'. How do they compare whether
> >> the transaction in the BYE method exists or not? (tag? ftag?) Is
> >> there anything in the config that might cause this kind of problem?
> >> Just want to highlight that all the calls are made in a good
> >> condition, everything except when the call is ending.
> >>
> >> Please let me know if you don't understand.
> >>
> >> Regards,
> >> Sam
> >>
> >>
> >>
> >>
> >
> >
> >
>
>
>
> ------------------------------
>
> Message: 9
> Date: Fri, 14 Oct 2005 11:27:58 +0300
> From: Bogdan-Andrei Iancu <bogdan@voice-system.ro>
> Subject: Re: [Users] How to do RADIUS authentication with hashed
>       password (MD5 or HA1)?
> To: Cheng Zhang <czhang.cmu@gmail.com>
> Cc: users@openser.org
> Message-ID: <434F6C0E.9020402@voice-system.ro>
> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>
> Hi Cheng,
>
> if this patch solved your problem, can you please submit a short
> description of the problem and its solution on the RADIUS wiki?
>     http://openser.org/dokuwiki/doku.php?id=radius
>
> thanks and regards,
> bogdan
>
> Cheng Zhang wrote:
>
> >Fortunately Philippe Sultan on freeradius-users list has a patch to
> >solve my problem.
> >
> >Philippe's reply is attached below:
> >------ Forwarded Message
> >From: Philippe Sultan <philippe.sultan@gmail.com>
> >Reply-To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org>
> >Date: Wed, 12 Oct 2005 09:50:35 +0200
> >To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org>
> >Subject: Re: Question on FreeRADIUS digest authentication with SIP proxy
> >
> >Hi, Chen.
> >
> >There is ongoing discussion on this topic :
> >
> >http://lists.freeradius.org/pipermail/freeradius-users/2005-October/047606.html
> >
> >You might also want to check this, for information related to digest
> >authentication with RADIUS and LDAP :
> >
> > http://www-rocq.inria.fr/who/Philippe.Sultan/Asterisk/asterisk_sip_external_authentication.html
> >
> >Bye,
> >
> >Philippe
> >------ End of Forwarded Message
> >
> >I tested Philippe's patch and it works for me. :-)
> >For people using Gentoo, I created this enhancement bug (
> >http://bugs.gentoo.org/show_bug.cgi?id=109003) to help out a bit.
> >
> >-- Cheng
> >
> >
> >On 10/12/05, Bogdan-Andrei Iancu <bogdan@voice-system.ro> wrote:
> >
> >
> >>Hi Cheng,
> >>
> >>I'm not a RADIUS expert, but AFAIK only plaintext passwords are
> >>supported by RADIUS.
> >>
> >>regards,
> >>Bogdan
> >>
> >>
> >>
> >>
>
>
>
>
> ------------------------------
>
>
>
> End of Users Digest, Vol 5, Issue 35
> ************************************
--
Girish Nayak
(231) 392 5695 extn:184



_______________________________________________
Users mailing list
Users@openser.org
http://openser.org/cgi-bin/mailman/listinfo/users