Hi,
Minisip (and any other phone that fully supports tls) can do both.
Use TLS as the transport layer, authenticate the server cert against the
locally trusted root certs, and if given a client cert, it will send it to
the server for client authentication (that is, to openser). All this during
the tls handshake.
Now, once tls is established, it is up to the proxy whether it challenges
the client for digest authentication. That is, it is up to you. If you set up a
proxy so that it only accepts tls connections and uses mutual tls auth for
client and server ... you may choose not to challenge with digest on top of
that. But, as it is now in ser/openser ... I would still challenge, as
tls is loosely coupled with the subscribers' data you have in your database.
Hope it helps,
Cesc
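
The coupling point above, as an added example that is not part of the original message: a verified client certificate authenticates the TLS connection, but not the subscriber named in the SIP From header, unless something ties the two together. The sketch assumes the certificate carries the subscriber's SIP URI in subjectAltName and uses the dict shape of Python's ssl.SSLSocket.getpeercert(); the function names, the fallback policy and the sample values are hypothetical.

```python
import re

# Constructed sample in the shape returned by ssl.SSLSocket.getpeercert()
# for a client certificate that already passed chain verification.
ALICE_CERT = {
    "subject": ((("commonName", "alice"),),),
    "subjectAltName": (("URI", "sip:alice@example.org"),),
}

def cert_sip_identities(cert):
    """SIP addresses (user@domain) asserted by the certificate's URI SANs."""
    ids = set()
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "URI" and value.lower().startswith(("sip:", "sips:")):
            ids.add(value.split(":", 1)[1].lower())
    return ids

def from_aor(from_header):
    """Extract user@domain from a SIP From header value."""
    m = re.search(r"sips?:([^@;>\s]+)@([^;>\s:]+)", from_header, re.I)
    if m is None:
        raise ValueError("no SIP URI in From header")
    return f"{m.group(1)}@{m.group(2)}".lower()

def auth_decision(cert, from_header):
    """'accept' only if the TLS identity covers the claimed subscriber;
    anything else falls back to a digest challenge (assumed policy)."""
    if not cert:
        return "challenge"          # no client cert was presented
    if from_aor(from_header) in cert_sip_identities(cert):
        return "accept"             # cert and From name the same subscriber
    return "challenge"              # valid cert, but for someone else

if __name__ == "__main__":
    for hdr in ('"Alice" <sip:alice@example.org>;tag=1',
                '<sip:bob@example.org>;tag=2'):
        print(hdr, "->", auth_decision(ALICE_CERT, hdr))
```
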
On 10/14/05, Girish Nayak <girish(a)isphone.net> wrote:
I understand, minisip softphone can initiate TLS connection.
And it can be authenticated by the openser via digest authentication.
Is it possible to use certificate instead of digest authentication?
--
Girish
On Fri, 2005-10-14 at 08:28 +0000, users-request(a)openser.org wrote:
Today's Topics:
1. Re: Re: [Serusers] trusting peers (Juha Heinanen)
2. Re: different tables for acc (Klaus Darilion)
3. Re: Improving TLS implementation (Cesc)
4. Re: Improving TLS implementation (Juha Heinanen)
5. Softphones compatible with Openser/TLS (Joonbum Byun)
6. Re: Softphones compatible with Openser/TLS (Klaus Darilion)
7. Re: Softphones compatible with Openser/TLS (Cesc)
8. Re: BYE method accompanied by error (Daniel-Constantin Mierla)
9. Re: How to do RADIUS authentication with hashed password (MD5
or HA1)? (Bogdan-Andrei Iancu)
----------------------------------------------------------------------
Message: 1
Date: Thu, 13 Oct 2005 13:55:37 +0300
From: Juha Heinanen <jh(a)tutpro.com>
Subject: Re: [Users] Re: [Serusers] trusting peers
To: Klaus Darilion <klaus.mailinglists(a)pernau.at>
Cc: Nils Ohlmeier <lists(a)ohlmeier.org>, serusers(a)iptel.org, Jan Janak
<jan(a)iptel.org>, "users openser.org" <users(a)openser.org>
Message-ID:
<17230.15657.441146.200770(a)rautu.tutpro.com>
Content-Type: text/plain; charset=us-ascii
Klaus Darilion writes:
> e.g. similar to allow_trusted, but using the domain from the
> certificate instead of using src_ip.
yes, it would be easy to add such a check to permissions module.
-- juha
------------------------------
Message: 2
Date: Thu, 13 Oct 2005 14:30:46 +0200
From: Klaus Darilion <klaus.mailinglists(a)pernau.at>
Subject: Re: [Users] different tables for acc
To: jayesh nambiar <jayesh_1017(a)yahoo.com>
Cc: SER <users(a)openser.org>
Message-ID: <434E5376.2000902(a)pernau.at>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
No. Only one table for all customers.
klaus
jayesh nambiar wrote:
> hi all,
> I came to know about the parameter modparam("acc", "db_table_acc",
> "acc_table").
> Does this mean that I can have different acc tables for my different
> type of customers? Is this possible?
> If yes, then how? If i declare the appropriate flag and then use setflag
> at the places i want to account, will it work?
> Can someone please explain it to me. Any suggestions would help me a lot.
> Thanx
> jayesh
------------------------------
Message: 3
Date: Thu, 13 Oct 2005 14:53:25 +0200
From: Cesc <cesc.santa(a)gmail.com>
Subject: Re: [Users] Improving TLS implementation
To: Juha Heinanen <jh(a)tutpro.com>
Cc: SER-Users <serusers(a)iptel.org>, OpenSER-users <users(a)openser.org>
Message-ID:
<ce8208420510130553r371591aeib5f43a7674b109b(a)mail.gmail.com>
Content-Type: text/plain; charset="utf-8"
Hi Juha,
Well, that is true, but what do you propose then? Just present a host cert
and nothing else? I would say that if the company trusts the hosting for
running the service, a mere certificate should not be the problem, should
it?
Cesc
On 10/13/05, Juha Heinanen <jh(a)tutpro.com> wrote:
>
> cesc,
>
> you made a good summary, but in multi-domain case, it is not just a
> technical problem on how to present or offer a domain specific
> certificate. in order to be able to do that, the domains have to
> surrender their private keying information to a provider that currently
> happens to host their sip service, and to another provider that hosts
> their web service, and to third provider that hosts their e-commerce
> service, etc.
>
> in most cases, this is simply out of question. companies are not going
> to do it.
>
> -- juha