Hi everybody,
finally the TLS proxy is up and running. Just to recall what it was about: http://www.openser.org/pipermail/users/2005-September/000953.html
The configuration is quite a simple one: it accepts exclusively requests over TLS and relays based on the RURI (keeping the TLS protocol).
Server info: openser.org, port 5061; an SRV record is also present.
The idea is to interconnect several domains via this TLS relay. If one of the interconnected servers has to deliver a request to another domain via TLS, it just has to relay it to the TLS proxy. Note that the proxy denies any local requests.
How to do the redirect from your script? Before doing t_relay(), you may add something like:
if ( uri=~".*@domain1.com" || uri=~".*@domain2.com") {
    avp_write("sip:openser.org;transport=tls","i:11");
    avp_pushto("$duri","i:11");
}
Via DST_URI, the TLS protocol will be forced without affecting the RURI.
Normally this logic should be totally transparent via NAPTR lookup, but we do not have it in OpenSER yet.
Now, about the TLS part. The TLS proxy has both tls_verify and tls_require_certificate enabled. For certificates there are two ways: 1) generate your own root CA and certificate and send the CA to me to be added to the proxy (tools available on CVS in tls/tools); 2) ask and I will provide a certificate signed with the proxy root CA.
TLS configuration on your side:
tls_certificate="path/cert.pem"
tls_private_key="path/privkey.pem"
tls_ca_list="path/calist.pem"
tls_verify=on
tls_require_certificate=on
listen=tls:xxx.xxx.xxx.xxx
tls_port_no=5061
For any other additional hints about TLS, please see the tutorial http://www.openser.org/docs/tls
People interested in interconnection, please join (just let me know which way you prefer for certificates). First domain connected to the proxy is siphub.net - it's a local platform we are using.
regards, bogdan
PS: if there are people interested in testing SIP UA with TLS, let me know and I can add registrar support. Also, if somebody has ideas how to enhance the proxy config, feel free....
It is not clear to me how to handle the situation when the proxy serves more than one domain. I guess each domain needs its own user (client/server) certificate. I tried to run gen_usercert.sh twice, but I got an error message:
The stateOrProvinceName field needed to be the same in the CA certificate (X) and the request (Y)
Failed to generate certificate request
I didn't find information in the TLS support document on how to handle this multiple-domain situation.
-- juha
Hi Juha,
I think we will have to add config files for the certs to make it more configurable.....
regards, bogdan
Hi everybody,
According to RFC 3261, proxies should possess a site certificate whose subject corresponds to their canonical hostname. In the case of the gen_usercert.sh helper script this must be placed in the "Common Name" field, I guess. So when mutual authentication takes place, the two proxies should check the CN of each other's certificate.
I have a proxy sip.atlanta.com and another one sip.biloxi.com. I generated two certificates with CN=hostname. Then I added the rootCA-certs of the other proxy to the calist.pem. It works really fine :-) So I played around and generated certificates with other CNs like badguy.atlanta.com or sip.badname.com or badguy.badname.com - they don't have either the corresponding hostname or the domainname of the server (or both). I imported one after the other in sip.atlanta.com - and it still works (tls_init: verify_callback: preverify is good: verify return: 1) :-(
So, am I doing something wrong or does OpenSER not validate the host/domainname of the server against the certificate's subject ???
Thanks for hints !
regards, Philipp
Hi Alexander,
Verification of the cert in openser for now is limited ... it checks that the cert provided by the peer is signed by one of your trusted roots. Thus, if one of the CAs you trust signs a certificate for sip.badguy.com ... you eat that certificate raw :)
Obviously, this is no good. The discussions we are having though are shedding a lot of light. A summary ...
- Provide flexibility in the way the connection is authenticated (what to check from the SIP message against what in the TLS cert)
- Support NAPTR lookups for flexible routing to TLS and for sips URIs
- Easy configuration of domains (when dialing in and out), with different certs and setups. This is targeted at multi-domain providers.
Quite some work, but i am for it :)
Cesc
On 10/10/05, Alexander Ph. Lintenhofer lintenhofer@aon.at wrote:
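The gap Philipp observed and Cesc confirmed above (the peer's cert chains to a trusted root, so OpenSER accepts it, but nobody checks that the name in the cert is the host the request is being sent to) as an added example. This is not OpenSER code and not code from anyone on this thread. It models a certificate as the dict that Python's ssl.SSLSocket.getpeercert() returns, with constructed sample values mirroring Philipp's experiment (sip.biloxi.com versus badguy.biloxi.com and sip.badname.com), reduces the root-of-trust check to an issuer-name lookup (an assumption, standing in for real chain building), and applies the identity rules of RFC 3261 §26.3.1 as later spelled out in RFC 5922: SIP URI and DNS subjectAltNames take precedence, the CN is only consulted when there are no SANs, and wildcards never match.

```python
"""Peer-certificate identity check for a SIP-over-TLS proxy.

Added example, not OpenSER code. Certificates are the dict shape returned by
ssl.SSLSocket.getpeercert(); all sample values below are constructed, no real
keys, sockets or CAs are involved.
"""

# Constructed: the roots this proxy trusts (what tls_ca_list would hold).
TRUSTED_ISSUERS = {"Atlanta Root CA", "Biloxi Root CA"}


def _rdn_values(name, attr):
    """All values of one attribute (e.g. 'commonName') in a getpeercert()-style
    subject/issuer: a tuple of RDNs, each RDN a tuple of (type, value) pairs."""
    return [v for rdn in name for (k, v) in rdn if k == attr]


def issuer_trusted(cert):
    """The only check the 2005 openser did: is the signer one of our roots?
    Assumption for illustration: issuer name lookup stands in for real chain
    building and signature verification."""
    return any(cn in TRUSTED_ISSUERS
               for cn in _rdn_values(cert.get("issuer", ()), "commonName"))


def sip_uri_host(uri):
    """Host of a sip:/sips: URI, e.g. 'sips:bob@sip.biloxi.com:5061;transport=tls'
    -> 'sip.biloxi.com'. IPv6 literals are not handled (assumption)."""
    scheme, _, rest = uri.partition(":")
    if scheme.lower() not in ("sip", "sips"):
        raise ValueError("not a SIP URI: %r" % uri)
    hostport = rest.rsplit("@", 1)[-1]                    # drop user[:pass]@
    hostport = hostport.split(";", 1)[0].split("?", 1)[0]  # drop params, headers
    host = hostport.split(":", 1)[0]                      # drop :port
    if not host:
        raise ValueError("empty host in %r" % uri)
    return host.lower().rstrip(".")


def cert_identities(cert):
    """Names the peer may claim (RFC 5922 order): sip:/sips: URI SANs and DNS
    SANs; the CN only when the cert carries no SAN at all."""
    ids = []
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS":
            ids.append(value.lower().rstrip("."))
        elif kind == "URI" and value.lower().startswith(("sip:", "sips:")):
            ids.append(sip_uri_host(value))
    if not ids:
        ids = [cn.lower().rstrip(".")
               for cn in _rdn_values(cert.get("subject", ()), "commonName")]
    return ids


def identity_matches(cert, expected_host):
    """Exact, case-insensitive comparison. RFC 5922 forbids wildcard matching
    for SIP identities, so any name containing '*' never matches."""
    expected = expected_host.lower().rstrip(".")
    return any(i == expected for i in cert_identities(cert) if "*" not in i)


def accept_peer(cert, expected_host, check_identity=True):
    """Outbound policy: chain to a trusted root AND, unless disabled to show
    the old behaviour, the cert must name the host we are actually calling."""
    if not issuer_trusted(cert):
        return False
    return identity_matches(cert, expected_host) if check_identity else True


# Constructed sample certs, all "signed" by a trusted root, as in the thread's
# experiment: only the first and fourth actually name sip.biloxi.com.
CERT_GOOD = {"subject": ((("commonName", "sip.biloxi.com"),),),
             "issuer": ((("commonName", "Biloxi Root CA"),),)}
CERT_BAD_CN = {"subject": ((("commonName", "badguy.biloxi.com"),),),
               "issuer": ((("commonName", "Biloxi Root CA"),),)}
# A SAN is present, so the matching CN is ignored and this one is rejected.
CERT_SAN_MISMATCH = {"subject": ((("commonName", "sip.biloxi.com"),),),
                     "subjectAltName": (("DNS", "sip.badname.com"),),
                     "issuer": ((("commonName", "Atlanta Root CA"),),)}
CERT_URI_SAN = {"subject": ((("commonName", "ignored.example"),),),
                "subjectAltName": (("URI", "sip:sip.biloxi.com"),
                                   ("DNS", "sip.biloxi.com")),
                "issuer": ((("commonName", "Biloxi Root CA"),),)}
CERT_UNTRUSTED = {"subject": ((("commonName", "sip.biloxi.com"),),),
                  "issuer": ((("commonName", "Somebody Else CA"),),)}

if __name__ == "__main__":
    host = sip_uri_host("sips:bob@sip.biloxi.com:5061;transport=tls")
    for label, cert in [("good", CERT_GOOD), ("bad CN", CERT_BAD_CN),
                        ("SAN mismatch", CERT_SAN_MISMATCH),
                        ("URI SAN", CERT_URI_SAN), ("untrusted", CERT_UNTRUSTED)]:
        print("%-13s chain-only=%-5s chain+identity=%s" % (
            label, accept_peer(cert, host, False), accept_peer(cert, host)))
```

Run it and the chain-only column is True for every cert a trusted root signed, which is exactly the "eat that certificate raw" behaviour; the chain+identity column only accepts the two certs that name sip.biloxi.com. The host to compare against comes from the Request-URI (or, for a next-hop set via DST_URI as in the first post, from the dst URI), which is the "what to check from the SIP message" half of Cesc's summary.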