7 Oct
2005
7 Oct
'05
5:14 p.m.
Hi everybody,
finally the TLS proxy is up and running - just to remember what was
about ->
http://www.openser.org/pipermail/users/2005-September/000953.html
The configuration is quite a simple one - it accepts exclusively
requests over TLS and does relay based on RURI (keeping the TLS protocol).
server info: openser.org port 5061 - SRV record is also present.
The idea is to interconnect several domains via this TLS relay. If one
of the interconnected servers has to deliver a request to another domain
via TLS, it has just to relay it to the TLS proxy. Note that the proxy
denies any local requests.
How to do the redirect from your script?
Before doing t_relay(), you may add something like:
if ( uri=~".*(a)domain1.com" || uri=~".*(a)domain2.com") {
avp_write("sip:openser.org;transport=tls","i:11");
avp_pushto("$duri","i:11");
}
via DST_URI, the TLS protocol will be forced without affecting the RURI.
Normally this logic should be totally transparent via NAPTR lookup, but
we do not have it in OpenSER yet.
Now, about the TLS part. The TLS proxy has both tls_verify and
tls_require_certificate enabled. For certificates there are two ways:
1) generate your own root CA and certificate and set the CA to me to
added to the proxy (tools available on CVS in tls/tools)
2) ask and I will provide a certificate signed with the proxy root CA.
TLS configuration on your side:
tls_certificate="path/cert.pem"
tls_private_key="path/privkey.pem"
tls_ca_list="path/calist.pem"
tls_verify=on
tls_require_certificate=on
listen=tls:xxx.xxx.xxx.xxx
tls_port_no=5061
For any other additional hints about TLS, please see the tutorial
http://www.openser.org/docs/tls
People interested in interconnection, please join (just let me know
which way you prefer for certificates).
First domain connected to the proxy is siphub.net - it's a local
platform we are using.
regards,
bogdan
PS: if there are people interested in testing SIP UA with TLS, let me
know and I can add registrar support. Also, if somebody has ideas how to
enhance the proxy config, feel free....
7 Oct
7 Oct
6:19 p.m.
it is not clear to me how to handle the situation when proxy serves more
than one domain. i guess each domain needs its own user (client/server)
certificate. i tried to create to run gen_usercert.sh twice, but i got
an error message
The stateOrProvinceName field needed to be the same in the
CA certificate (X) and the request (Y)
Failed to generate certificate request
i didn't find information in tls support document on how to handle this
multiple domain situation.
-- juha
10 Oct
10 Oct
9:48 p.m.
Hi Juha,
I think will have to add config files for the certs to make it more
configurable.....
regards,
bogdan
Juha Heinanen wrote:
it is not clear to me how to handle the situation when
proxy serves more
than one domain. i guess each domain needs its own user (client/server)
certificate. i tried to create to run gen_usercert.sh twice, but i got
an error message
The stateOrProvinceName field needed to be the same in the
CA certificate (X) and the request (Y)
Failed to generate certificate request
i didn't find information in tls support document on how to handle this
multiple domain situation.
-- juha
11 Oct
11 Oct
12:35 a.m.
New subject: [Users] tls certificate - canonical name checked ???
Hi everybody,
According to RFC3261 proxies should possess a site certificate whose
subject corresponds to their canonical hostname.
In the case of gen_usercert.sh helperscript this must be placed in the
"Common Name" field I guess.
So when mutual authentication takes place, the two proxies should check
the CN of each others certificate.
I have a proxy sip.atlanta.com and another one sip.biloxi.com. I
generated two certificates with CN=hostname. Then I added the
rootCA-certs of the other proxy to the calist.pem. It works really fine :-)
So I played around and generated certificates with other CNs like
badguy.atlanta.com or sip.badname.com or badguy.badname.com - they don't
have either the corresponding hostname or the domainname of the server
(or both). I imported one after the other in sip.atlanta.com - and it
still works (tls_init: verify_callback: preverify is good: verify
return: 1) :-(
So, am I doing something wrong or does OpenSER not validate the
host/domainname of the server against the certificate's subject ???
Thanks for hints !
regards,
Philipp
1:06 a.m.
New subject: [Users] tls certificate - canonical name checked ???
Hi Alexander,
Verification of the cert in openser for now is limited ... it checks that
the cert provided by the peer is signed by one of your trusted roots.
Thus, if one of the CAs you trust signs a certificate for
sip.badguy.com<http://sip.badguy.com>... you eat that certficate raw
:)
Obviously, this is no good. The discussions we are having though are
shedding a lot of light. A summary ...
- Provide flexibility in the way the connection is authenticated (what to
check from the sip message against what in the tls cert)
- Support naptr look ups for flexible routing to tls and for sips uris
- easy configuration of domains (when dialing in and out), with different
certs and setups. This is targeted at multi-domain providers
Quite some work, but i am for it :)
Cesc
On 10/10/05, Alexander Ph. Lintenhofer <lintenhofer(a)aon.at> wrote:
Hi everybody,
According to RFC3261 proxies should possess a site certificate whose
subject corresponds to their canonical hostname.
In the case of gen_usercert.sh helperscript this must be placed in the
"Common Name" field I guess.
So when mutual authentication takes place, the two proxies should check
the CN of each others certificate.
I have a proxy sip.atlanta.com <http://sip.atlanta.com> and another one
sip.biloxi.com <http://sip.biloxi.com>. I
generated two certificates with CN=hostname. Then I added the
rootCA-certs of the other proxy to the calist.pem. It works really fine
:-)
So I played around and generated certificates with other CNs like
badguy.atlanta.com <http://badguy.atlanta.com> or
sip.badname.com<http://sip.badname.com>or
badguy.badname.com <http://badguy.badname.com> - they don't
have either the corresponding hostname or the domainname of the server
(or both). I imported one after the other in
sip.atlanta.com<http://sip.atlanta.com>- and it
still works (tls_init: verify_callback: preverify is good: verify
return: 1) :-(
So, am I doing something wrong or does OpenSER not validate the
host/domainname of the server against the certificate's subject ???
Thanks for hints !
regards,
Philipp
_______________________________________________
Users mailing list
Users(a)openser.org
http://openser.org/cgi-bin/mailman/listinfo/users
6989
days inactive
6992
days old
4 comments
4 participants
participants (4)
-
Alexander Ph. Lintenhofer -
Bogdan-Andrei Iancu -
Cesc -
Juha Heinanen