I understand that the minisip softphone can initiate a TLS connection, and it can be authenticated by openser via digest authentication.
Is it possible to use a certificate instead of digest authentication?
Hi,
Minisip (and any other phone that fully supports tls) can do both. Use TLS as the transport layer, authenticate the server cert against the locally trusted root certs, and if given a client cert, it will send it to the server for client authentication (that is, to openser). All this during the tls handshake.
Now, once tls is established, it is up to the proxy whether it challenges the client for digest authentication. That is, it is up to you. If you set a proxy so that it only accepts tls connections, use mutual tls auth for client and server ... you may choose not to challenge with digest on top of that. But, as it is now in ser/openser ... I would still challenge, as tls is loosely coupled with the subscribers data you have in your database.
Hope it helps,
Cesc
On 10/14/05, Girish Nayak girish@isphone.net wrote:
I understand that the minisip softphone can initiate a TLS connection, and it can be authenticated by openser via digest authentication.
Is it possible to use a certificate instead of digest authentication?
Girish
On Fri, 2005-10-14 at 08:28 +0000, users-request@openser.org wrote:
Today's Topics:
- Re: Re: [Serusers] trusting peers (Juha Heinanen)
- Re: different tables for acc (Klaus Darilion)
- Re: Improving TLS implementation (Cesc)
- Re: Improving TLS implementation (Juha Heinanen)
- Softphones compatible with Openser/TLS (Joonbum Byun)
- Re: Softphones compatible with Openser/TLS (Klaus Darilion)
- Re: Softphones compatible with Openser/TLS (Cesc)
- Re: BYE method accompanied by error (Daniel-Constantin Mierla)
- Re: How to do RADIUS authentication with hashed password (MD5 or HA1)? (Bogdan-Andrei Iancu)
Message: 1
Date: Thu, 13 Oct 2005 13:55:37 +0300
From: Juha Heinanen jh@tutpro.com
Subject: Re: [Users] Re: [Serusers] trusting peers
To: Klaus Darilion klaus.mailinglists@pernau.at
Cc: Nils Ohlmeier lists@ohlmeier.org, serusers@iptel.org, Jan Janak jan@iptel.org, "users openser.org" <users@openser.org>
Message-ID: 17230.15657.441146.200770@rautu.tutpro.com
Content-Type: text/plain; charset=us-ascii
Klaus Darilion writes:
e.g. similar to allow_trusted, but using the domain from the certificate instead of using src_ip.
yes, it would be easy to add such a check to permissions module.
-- juha
Message: 2
Date: Thu, 13 Oct 2005 14:30:46 +0200
From: Klaus Darilion klaus.mailinglists@pernau.at
Subject: Re: [Users] different tables for acc
To: jayesh nambiar jayesh_1017@yahoo.com
Cc: SER users@openser.org
Message-ID: 434E5376.2000902@pernau.at
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
No. Only one table for all customers.
klaus
jayesh nambiar wrote:
Hi all, I came to know about the parameter modparam("acc", "db_table_acc", "acc_table"). Does this mean that I can have different acc tables for my different types of customers? Is this possible? If yes, then how? If I declare the appropriate flag and then use setflag at the places I want to account, will it work? Can someone please explain it to me? Any suggestions would help me a lot.
Thanx jayesh
Message: 3
Date: Thu, 13 Oct 2005 14:53:25 +0200
From: Cesc cesc.santa@gmail.com
Subject: Re: [Users] Improving TLS implementation
To: Juha Heinanen jh@tutpro.com
Cc: SER-Users serusers@iptel.org, OpenSER-users users@openser.org
Message-ID: ce8208420510130553r371591aeib5f43a7674b109b@mail.gmail.com
Content-Type: text/plain; charset="utf-8"
Hi Juha, Well, that is true, but what do you propose then? Just present a host cert and nothing else? I would say that if the company trusts the hosting for running the service, a mere certificate should not be the problem, should it?
Cesc
On 10/13/05, Juha Heinanen jh@tutpro.com wrote:
cesc,
you made a good summary, but in multi-domain case, it is not just a technical problem on how to present or offer a domain specific certificate. in order to be able to do that, the domains have to surrender their private keying information to a provider that currently happens to host their sip service, and to another provider that hosts their web service, and to third provider that hosts their e-commerce service, etc.
in most cases, this is simply out of question. companies are not going to do it.
-- juha
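The following is an added example, not part of the thread and not OpenSER code. It sketches the coupling discussed above: a verified client certificate only replaces digest when the identity it carries matches the SIP identity claimed in the request, and a peer's certificate domain can stand in for a source-IP check. Assumptions: the certificate is a dict shaped like the output of Python's `ssl.SSLSocket.getpeercert()`, identities are carried in subjectAltName, and `SUBSCRIBERS`, `TRUSTED_PEER_DOMAINS` and `decide` are hypothetical names.

```python
import re

# Constructed sample data; both sets are hypothetical stand-ins for the
# proxy's subscriber table and a list of trusted peer domains.
SUBSCRIBERS = {"alice@example.com", "bob@example.com"}
TRUSTED_PEER_DOMAINS = {"peer.example.net"}

SIP_URI = re.compile(r"sips?:([^@\s<>;:]+)@([^\s<>;:]+)", re.I)


def aor_of(text):
    """Return user@host from a SIP URI or From header value, or None."""
    m = SIP_URI.search(text or "")
    return f"{m.group(1)}@{m.group(2).lower()}" if m else None


def cert_identities(peercert):
    """Collect SIP AoRs and DNS names from the certificate's subjectAltName."""
    aors, domains = set(), set()
    for kind, value in peercert.get("subjectAltName", ()):
        if kind == "URI" and aor_of(value):
            aors.add(aor_of(value))
        elif kind == "DNS":
            domains.add(value.lower())
    return aors, domains


def decide(peercert, from_header):
    """Return 'accept', 'challenge' (digest still required) or 'reject'."""
    aor = aor_of(from_header)
    if aor is None:
        return "reject"                      # no usable identity in the request
    if not peercert:
        return "challenge"                   # TLS without a client certificate
    aors, domains = cert_identities(peercert)
    if aor in aors and aor in SUBSCRIBERS:
        return "accept"                      # cert identity matches a subscriber
    if aor.split("@", 1)[1] in (domains & TRUSTED_PEER_DOMAINS):
        return "accept"                      # peer proxy speaking for its own domain
    # A valid certificate that does not name the claimed identity proves
    # nothing about it, so digest against the subscriber data decides.
    return "challenge"


ALICE_CERT = {"subjectAltName": (("URI", "sip:alice@example.com"),)}
PEER_CERT = {"subjectAltName": (("DNS", "peer.example.net"),)}

if __name__ == "__main__":
    print(decide(ALICE_CERT, '"Alice" <sip:alice@example.com>;tag=1'))
    print(decide(ALICE_CERT, '"Bob" <sip:bob@example.com>;tag=2'))
    print(decide(PEER_CERT, "<sip:carol@peer.example.net>;tag=3"))
```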