Hello,
On 5/21/13 9:02 AM, Klaus Darilion wrote:
On 20.05.2013 21:27, Moacir Ferreira wrote:
I would appreciate some help on the following
questions I have:
- If I use TLS mutual authentication, do I still need a subscriber
password or the TLS successful mutual session setup will assume that the
client is "trusted" so it can register what it is asking to register?
Indeed. The TLS-layer only checks the validity of the client
certificate. Thus, before calling save() (or setting up a call) you
need to check manually that a user is allowed to use a certain
identity in From/To headers.
This means, that have to check the user-id in the TLS certificate
against the user-id in the SIP message. For example if the client
certificates have the SIP username as common name:
if (@tls.peer.subj.cn != $fu) {
sl_send_reply("403");
}
Verify To header for REGISTER, R-URI for PUBLISH, and From header for
all others.
Available TLS variables:
http://sip-router.org/docbook/sip-router/branch/master/select_list/select_l…
There can be the option of using a particular root certificate for
signing client certificate and then accept only those certificates.
This allows accepting traffic even without prior knowledge of the
username (e.g., common case for downloading a branded app after creating
an account on some portal/service). In this case is no need to check the
headers, all traffic from trusted certificates is ok.
- For large deployments, can I issue a single
certificate and install it
on all my telephone sets making them "trusted" to me or I need one
certificate per telephone/subscriber?
It depends. If you want to rely purely on TLS for authentication
(using MTLS as described above) then you need dedicated certificates
for each client.
Actually I do not know a SIP client which supports TLS client
certficates. Therefore the usually used approach is TLS without client
certificates and SIP-based authentication (username+pw).
Jitsi supports it for at
least few years, I used it. Also, there are
some hard phones doing it now (like cisco, yealink, aastra, iirc).
- Anyway, can you share your "good practices" advises for large
deployment?
- Finally, do you know any free softphone that implements mutual TLS
authentication?
I am not aware of any.
Like the softphone authenticating the server based on server certificate?
Cheers,
Daniel
--
Daniel-Constantin Mierla -
http://www.asipto.com
http://twitter.com/#!/miconda -
http://www.linkedin.com/in/miconda
Kamailio Advanced Training, San Francisco, USA - June 24-27, 2013
*
http://asipto.com/u/katu *