[sr-dev] TLS inspection for authentication

Iñaki Baz Castillo ibc at aliax.net
Thu May 26 21:20:03 CEST 2011


2011/5/26 Jan Janak <jan at ryngle.com>:
>> I would appreciate it as I would like to test real SIP TLS source
>> authentication :)
>
> You don't really need this feature for that, but we would be glad to
> accept patches if you implement it.

Hi Jan, why do you state that? As RFC 5954 defines (my own text):

- A client establishes a TLS session with sip-router.
- The client presents a TLS certificate.
- sip-router extracts the SIP domain identities in the certificate by
inspecting each value in the subjectAltName field with type "domain".
- sip-router stores them in attributes belonging to this TLS session.
- In the logic script, it would be possible then to match the From
domain of the request (or whatever) against the list of SIP identities
in the certificate (so authentication is done).

So if I'm not wrong, I need all the subjectAltName values of the certificate.

Note that I'm not talking just about verifying the validity of the
certificate (it's correctly signed, it's not expired and so on) but also
checking that each new request coming within this TLS connection has a
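
The steps listed in the message above, as an added example (not part of the original message and not sip-router code). It assumes the certificate chain has already been validated and that the subjectAltName entries are available as (type, value) pairs in the shape Python's ssl.getpeercert() returns; the function names and sample values are hypothetical.

```python
"""Match a request's From domain against the SIP domain identities of a TLS peer certificate."""

def parse_sip_uri(uri):
    """Return (scheme, userpart_or_None, host) for a sip:/sips: URI, else None."""
    scheme, _, rest = uri.strip().strip("<>").partition(":")
    scheme = scheme.lower()
    if scheme not in ("sip", "sips") or not rest:
        return None
    user, at, hostport = rest.rpartition("@")
    hostport = hostport.split(";", 1)[0].split("?", 1)[0]  # drop params/headers
    host = hostport if hostport.startswith("[") else hostport.split(":", 1)[0]
    return scheme, (user if at else None), host.rstrip(".").lower()

def sip_domain_identities(peercert):
    """Collect the domain identities to store for this TLS session."""
    identities = set()
    for san_type, value in peercert.get("subjectAltName", ()):
        if san_type == "DNS":
            # Assumption: wildcard names are not accepted as domain identities.
            if "*" not in value:
                identities.add(value.rstrip(".").lower())
        elif san_type == "URI":
            parsed = parse_sip_uri(value)
            # Assumption: only sip: URIs without a userpart name a whole
            # domain; sip:alice@example.org identifies one user only.
            if parsed and parsed[0] == "sip" and parsed[1] is None:
                identities.add(parsed[2])
    return identities

def from_domain_authenticated(from_uri, identities):
    """True if the From URI's host is one of the session's identities."""
    parsed = parse_sip_uri(from_uri)
    return bool(parsed) and parsed[2] in identities

# Constructed sample input, not taken from a real certificate.
PEERCERT = {"subjectAltName": (
    ("DNS", "Example.COM"),
    ("URI", "sip:sip.example.net"),
    ("URI", "sip:alice@example.org"),
    ("URI", "https://www.example.edu"),
    ("DNS", "*.example.info"),
)}
# Computed once per TLS connection, then checked for every request on it.
SESSION_IDENTITIES = sip_domain_identities(PEERCERT)

if __name__ == "__main__":
    for uri in ("<sip:bob@example.com;transport=tls>", "sip:bob@example.org"):
        print(uri, from_domain_authenticated(uri, SESSION_IDENTITIES))
```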

