[sr-dev] TLS inspection for authentication

Iñaki Baz Castillo ibc at aliax.net
Wed May 25 14:05:17 CEST 2011


Hi, the documentation of TLS module says:

---------------------------------------
1.7. Known Limitations

The TLS certificate verifications ignores the certificate name,
subject altname and ip extensions, it just checks if the certificate
is signed by a recognized CA. One can use the select framework to try
to overcome this limitation (check in the script for the contents of
various certificate fields), but this is not only slow, but also not
exactly standard conforming (the verification should happen during TLS
connection establishment and not after).
-----------------------------------------


The last phrase "the verification should happen during TLS connection
establishment and not after" is incorrect. It's true that the SIP node
receiving a TLS certificate should first verify that the certificate
is signed by a recognized CA and it's not expired. This is the first
step and must occur when establishing the TLS session. If not, drop
the connection.

But in case a proxy/server receives a TLS connection and wants to
authenticate SIP requests based on the certificate, it must extract
the SIP domain identities in the certificate by inspecting each value
in the subjectAltName field with type "domain". And for each SIP
request coming within this TLS connection, the proxy/server could
check whether the From domain matches a SIP domain present in the
certificate, so the request gets automatically authenticated (no need
of requiring SIP authentication nor checking the source IP
against a list of trusted IPs).

In order to implement it, I suggest the following behaviour in sip-router:

- A client establishes a TLS session with sip-router.
- The client presents a TLS certificate.
- sip-router extracts the SIP identities of the certificate and stores
them, somehow, in attributes belonging to this TLS session (maybe
pseudovariables).
- In the logic script, it would be possible then to match the From
domain of the request (or whatever) against the list of SIP identities
in the certificate (so authentication is done).

This is important in order to allow real SIP federation (as already
occurs in XMPP world). We all know that SIP federation is not used
yet, but it should be in the future.


Regards.


-- 
Iñaki Baz Castillo
<ibc at aliax.net>
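
The flow proposed in the message above, as an added example that is not part of the original post and is not sip-router code: identities are extracted once per TLS session, then each request's From domain is compared against them. Assumptions: the certificate arrives as a dict in the shape of Python's `ssl` `getpeercert()`, DNS entries and user-less `sip:` URI entries both count as domain identities, wildcards are ignored, and all function names are hypothetical.

```python
import re

# Constructed sample in the shape returned by Python's ssl getpeercert().
SAMPLE_PEERCERT = {
    "subjectAltName": (
        ("DNS", "Example.COM"),
        ("URI", "sip:federation.example.net"),
        ("URI", "sip:alice@example.org"),   # user identity, not a domain
        ("DNS", "*.example.io"),            # wildcard, ignored here
    )
}

def _norm(host):
    """Lower-case a plain DNS name; None for wildcards, ports, junk."""
    host = host.lower().rstrip(".")
    return host if re.fullmatch(r"[a-z0-9-]+(\.[a-z0-9-]+)*", host) else None

def sip_identities(peercert):
    """Run once per TLS session: SIP domain identities in the certificate."""
    out = set()
    for kind, value in peercert.get("subjectAltName", ()):
        if kind == "URI":
            scheme, _, value = value.partition(":")
            if scheme.lower() != "sip" or "@" in value:
                continue
        elif kind != "DNS":
            continue
        dom = _norm(value)
        if dom:
            out.add(dom)
    return out

def from_domain(from_header):
    """Host part of the From URI, or None if it cannot be parsed safely."""
    # Drop quoted strings first so a display name cannot smuggle in a URI.
    unquoted = re.sub(r'"(?:\\.|[^"\\])*"', "", from_header)
    m = re.search(r"<([^<>]*)>", unquoted)
    uri = (m.group(1) if m else unquoted).strip()
    scheme, _, rest = uri.partition(":")
    if scheme.lower() not in ("sip", "sips") or rest.count("@") > 1:
        return None
    hostport = re.split(r"[;?]", rest.rpartition("@")[2], maxsplit=1)[0]
    return _norm(hostport.split(":", 1)[0])

def request_authenticated(identities, from_header):
    """Per request: exact, case-insensitive match only; fail closed."""
    dom = from_domain(from_header)
    return dom is not None and dom in identities
```

Suffix or substring matching is deliberately absent, so `evil-example.com` and `example.com.attacker.invalid` do not match an `example.com` identity.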


