[Users] user authentication with certificate

Cesc cesc.santa at gmail.com
Sat Oct 15 01:33:44 CEST 2005


Hi,

Minisip (and any other phone that fully supports tls) can do both.
Use TLS as the transport layer, authenticate the server cert against the
locally trusted root certs, and if given a client cert, it will send it to
the server for client authentication (that is, to openser). All this during
the tls handshake.

Now, once tls is established, it is up to the proxy whether it challenges
the client for digest authentication. That is, it is up to you. If you set a
proxy so that it only accepts tls connections, use mutual tls auth for
client and server ... you may choose not to challenge with digest on top of
that. But, as it is now in ser/openser ... I would still challenge, as
tls is loosely coupled with the subscribers data you have in your database.

Hope it helps,

Cesc
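As an added illustration (not code from this thread, minisip or OpenSER), a Python sketch of the proxy-side decision Cesc describes: non-TLS requests are refused, the identity in the verified client certificate is compared against the subscriber entry, and a digest challenge (RFC 2617, with HA1 stored the way a subscriber table stores it) is still issued on top. The subscriber table, the certificate's SIP URI and the nonce bookkeeping are constructed assumptions.

```python
import hashlib
import secrets

def ha1(user, realm, password):
    """HA1 as kept in the subscriber table: MD5(user:realm:password)."""
    return hashlib.md5(f"{user}:{realm}:{password}".encode()).hexdigest()

# Constructed subscriber table (not real credentials): username -> (realm, HA1).
SUBSCRIBERS = {"alice": ("example.com", ha1("alice", "example.com", "s3cret"))}
ISSUED_NONCES = set()  # nonces the proxy handed out and has not yet consumed

def digest_response(ha1_hex, method, uri, nonce):
    """RFC 2617 response without qop: MD5(HA1:nonce:HA2), HA2 = MD5(method:uri)."""
    ha2 = hashlib.md5(f"{method}:{uri}".encode()).hexdigest()
    return hashlib.md5(f"{ha1_hex}:{nonce}:{ha2}".encode()).hexdigest()

def authorize(req, peer_cert_sip_uri, digest_on_top=True):
    """Decide what the proxy does with a request that arrived after the TLS handshake.

    req: dict with transport, from_user, from_domain, method, uri and optional auth
         ({"uri", "nonce", "response"}); simplified: the digest username is from_user.
    peer_cert_sip_uri: SIP URI from the verified client certificate's SAN, or None.
    Returns ("accept", why) | ("challenge", nonce) | ("reject", why).
    """
    if req["transport"] != "tls":
        return ("reject", "TLS transport required")
    user, realm = req["from_user"], req["from_domain"]
    entry = SUBSCRIBERS.get(user)
    if entry is None or entry[0] != realm:
        return ("reject", "unknown subscriber")
    # The handshake only proves the client holds the key for the cert it presented;
    # whether that cert names this subscriber is a separate check the proxy must make.
    cert_bound = peer_cert_sip_uri == f"sip:{user}@{realm}"
    if cert_bound and not digest_on_top:
        return ("accept", "mutual TLS, certificate identity matches subscriber")
    auth = req.get("auth")
    if auth is None:
        nonce = secrets.token_hex(8)
        ISSUED_NONCES.add(nonce)
        return ("challenge", nonce)
    if auth["nonce"] not in ISSUED_NONCES:
        return ("reject", "stale or unknown nonce")
    ISSUED_NONCES.discard(auth["nonce"])  # one use per nonce
    expected = digest_response(entry[1], req["method"], auth["uri"], auth["nonce"])
    if not secrets.compare_digest(expected, auth["response"]):
        return ("reject", "bad digest")
    return ("accept", "digest OK" + (", client certificate also matched" if cert_bound else ""))
```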

On 10/14/05, Girish Nayak <girish at isphone.net> wrote:
>
> I understand, minisip softphone can initiate TLS connection.
> and it can be authenticated by the openser via digest authentication.
>
> is it possible to use certificate instead of digest authentication?
> --
> Girish
>
>
> On Fri, 2005-10-14 at 08:28 +0000, users-request at openser.org wrote:
> > Send Users mailing list submissions to
> > users at openser.org
> >
> > To subscribe or unsubscribe via the World Wide Web, visit
> > http://openser.org/cgi-bin/mailman/listinfo/users
> > or, via email, send a message with subject or body 'help' to
> > users-request at openser.org
> >
> > You can reach the person managing the list at
> > users-owner at openser.org
> >
> > When replying, please edit your Subject line so it is more specific
> > than "Re: Contents of Users digest..."
> >
> >
> > Today's Topics:
> >
> > 1. Re: Re: [Serusers] trusting peers (Juha Heinanen)
> > 2. Re: different tables for acc (Klaus Darilion)
> > 3. Re: Improving TLS implementation (Cesc)
> > 4. Re: Improving TLS implementation (Juha Heinanen)
> > 5. Softphones compatible with Openser/TLS (Joonbum Byun)
> > 6. Re: Softphones compatible with Openser/TLS (Klaus Darilion)
> > 7. Re: Softphones compatible with Openser/TLS (Cesc)
> > 8. Re: BYE method accompanied by error (Daniel-Constantin Mierla)
> > 9. Re: How to do RADIUS authentication with hashed password (MD5
> > or HA1)? (Bogdan-Andrei Iancu)
> >
> >
> > ----------------------------------------------------------------------
> >
> > Message: 1
> > Date: Thu, 13 Oct 2005 13:55:37 +0300
> > From: Juha Heinanen <jh at tutpro.com>
> > Subject: Re: [Users] Re: [Serusers] trusting peers
> > To: Klaus Darilion <klaus.mailinglists at pernau.at>
> > Cc: Nils Ohlmeier <lists at ohlmeier.org>, serusers at iptel.org, Jan Janak
> > <jan at iptel.org>, "users openser.org <http://openser.org>" <users at openser.org>
> > Message-ID: <17230.15657.441146.200770 at rautu.tutpro.com>
> > Content-Type: text/plain; charset=us-ascii
> >
> > Klaus Darilion writes:
> >
> > > e.g. similar to allow_trusted, but using the domain from the
> > > certificate instead of using src_ip.
> >
> > yes, it would be easy to add such a check to permissions module.
> >
> > -- juha
> >
> >
> >
> > ------------------------------
> >
> > Message: 2
> > Date: Thu, 13 Oct 2005 14:30:46 +0200
> > From: Klaus Darilion <klaus.mailinglists at pernau.at>
> > Subject: Re: [Users] different tables for acc
> > To: jayesh nambiar <jayesh_1017 at yahoo.com>
> > Cc: SER <users at openser.org>
> > Message-ID: <434E5376.2000902 at pernau.at>
> > Content-Type: text/plain; charset=ISO-8859-1; format=flowed
> >
> > No. Only one table for all customers.
> >
> > klaus
> >
> > jayesh nambiar wrote:
> > > hi all,
> > > I came to know about the parameter modparam("acc", "db_table_acc",
> > > "acc_table").
> > > Does this mean that I can have different acc tables for my different
> > > type of customers. Is this possible.
> > > If yes, then how? If I declare the appropriate flag and then use setflag
> > > at the places I want to account, will it work.
> > > Can someone please explain it to me. Any suggestions would help me a lot.
> > > Thanx
> > > jayesh
> > >
> > >
> > > _______________________________________________
> > > Users mailing list
> > > Users at openser.org
> > > http://openser.org/cgi-bin/mailman/listinfo/users
> >
> >
> >
> >
> > ------------------------------
> >
> > Message: 3
> > Date: Thu, 13 Oct 2005 14:53:25 +0200
> > From: Cesc <cesc.santa at gmail.com>
> > Subject: Re: [Users] Improving TLS implementation
> > To: Juha Heinanen <jh at tutpro.com>
> > Cc: SER-Users <serusers at iptel.org>, OpenSER-users <users at openser.org>
> > Message-ID:
> > <ce8208420510130553r371591aeib5f43a7674b109b at mail.gmail.com>
> > Content-Type: text/plain; charset="utf-8"
> >
> > Hi Juha,
> > Well, that is true, but what do you propose then? just present a host cert
> > and nothing else? I would say that if the company trusts the hosting for
> > running the service, a mere certificate should not be the problem, should it?
> > Cesc
> >
> > On 10/13/05, Juha Heinanen <jh at tutpro.com> wrote:
> > >
> > > cesc,
> > >
> > > you made a good summary, but in multi-domain case, it is not just a
> > > technical problem on how to present or offer a domain specific
> > > certificate. in order to be able to do that, the domains have to
> > > surrender their private keying information to a provider that
> currently
> > > happens to host their sip service, and to another provider that hosts
> > > their web service, and to third provider that hosts their e-commerce
> > > service, etc.
> > >
> > > in most cases, this is simply out of question. companies are not going
> > > to do it.
> > >
> > > -- juha
> > >
> >
> > ------------------------------
> >
> > Message: 4
> > Date: Thu, 13 Oct 2005 16:00:34 +0300
> > From: Juha Heinanen <jh at tutpro.com>
> > Subject: Re: [Users] Improving TLS implementation
> > To: Cesc <cesc.santa at gmail.com>
> > Cc: SER-Users <serusers at iptel.org>, OpenSER-users <users at openser.org>
> > Message-ID: <17230.23154.109583.123270 at rautu.tutpro.com>
> > Content-Type: text/plain; charset=us-ascii
> >
> > Cesc writes:
> >
> > > Well, that is true, but what do you propose then? just present a host cert
> > > and nothing else?
> >
> > yes.
> >
> > > I would say that if the company trusts the hosting for
> > > running the service, a mere certificate should not be the problem,
> > > should it?
> >
> > it would be if the company uses the same domain certificate also for
> > other things, like e-commerce.
> >
> > -- juha
> >
> >
> >
> > ------------------------------
> >
> > Message: 5
> > Date: Thu, 13 Oct 2005 10:46:44 -0400
> > From: "Joonbum Byun" <jbyun at qovia.com>
> > Subject: [Users] Softphones compatible with Openser/TLS
> > To: <users at openser.org>
> > Message-ID:
> > <A8F302FE10019948AAF281B06FB908D72950E0 at exchange.qovia.com>
> > Content-Type: text/plain; charset="us-ascii"
> >
> >
> > ------------------------------
> >
> > Message: 6
> > Date: Thu, 13 Oct 2005 21:23:55 +0200
> > From: Klaus Darilion <klaus.mailinglists at pernau.at>
> > Subject: Re: [Users] Softphones compatible with Openser/TLS
> > To: Joonbum Byun <jbyun at qovia.com>
> > Cc: users at openser.org
> > Message-ID: <434EB44B.8040800 at pernau.at>
> > Content-Type: text/plain; charset=windows-1252; format=flowed
> >
> > I only know minisip and Windows Messenger (never tried one of them)
> >
> > klaus
> >
> > Joonbum Byun wrote:
> > > Hi;
> > >
> > >
> > >
> > > I'd like to set up a SIP network secured by TLS in my lab.
> > >
> > >
> > >
> > > Would anyone please let me know if an open source soft-phone is available
> > > that is compatible with TLS-enabled Openser? Any suggestions on soft-phones or
> > > success stories are greatly appreciated.
> > >
> > >
> > >
> > > Thanks,
> > >
> > >
> > >
> > > Joon
> > >
> >
> >
> >
> > ------------------------------
> >
> > Message: 7
> > Date: Fri, 14 Oct 2005 01:00:34 +0200
> > From: Cesc <cesc.santa at gmail.com>
> > Subject: Re: [Users] Softphones compatible with Openser/TLS
> > To: Klaus Darilion <klaus.mailinglists at pernau.at>
> > Cc: Joonbum Byun <jbyun at qovia.com>, users at openser.org
> > Message-ID:
> > <ce8208420510131600l47f91125i9df215a3c7b95ee1 at mail.gmail.com>
> > Content-Type: text/plain; charset="utf-8"
> >
> > Hi,
> >
> > I've never tried wmessenger either, but minisip does work.
> > As for hardphones, i think snoms can do tls, though only
> > server-authentication (no client/phone authentication).
> >
> > Cesc
> >
> > On 10/13/05, Klaus Darilion <klaus.mailinglists at pernau.at> wrote:
> > >
> > > I only know minisip and Windows Messenger (never tried one of them)
> > >
> > > klaus
> > >
> > > Joonbum Byun wrote:
> > > > Hi;
> > > >
> > > >
> > > >
> > > > I'd like to set up a SIP network secured by TLS in my lab.
> > > >
> > > >
> > > >
> > > > Would anyone please let me know if an open source soft-phone is available
> > > > that is compatible with TLS-enabled Openser? Any suggestions on soft-phones or
> > > > success stories are greatly appreciated.
> > > >
> > > >
> > > >
> > > > Thanks,
> > > >
> > > >
> > > >
> > > > Joon
> > > >
> > >
> >
> > ------------------------------
> >
> > Message: 8
> > Date: Fri, 14 Oct 2005 09:24:18 +0300
> > From: Daniel-Constantin Mierla <daniel at voice-system.ro>
> > Subject: Re: [Users] BYE method accompanied by error
> > To: Sam Lee <Sam at super.net.sg>
> > Cc: users at openser.org
> > Message-ID: <434F4F12.1030001 at voice-system.ro>
> > Content-Type: text/plain; charset=ISO-8859-1; format=flowed
> >
> > It seems that the gateway does not like the BYE, maybe there are some
> > bad header values there. Anyhow, you can account failed transactions too
> > (see failed_transaction_flag parameter of acc module), or just use
> > acc_db_request() function for BYEs.
> >
> > Cheers,
> > Daniel
> >
> >
> > On 10/13/05 05:30, Sam Lee wrote:
> > > Any help I can get on this one ?
> > >
> > > Sam
> > >
> > > -----Original Message-----
> > > From: users-bounces at openser.org [mailto:users-bounces at openser.org] On
> > > Behalf Of Sam Lee
> > > Sent: Wednesday, October 12, 2005 3:27 PM
> > > To: Iqbal; users at openser.org
> > > Subject: RE: [Users] BYE method accompanied by error
> > >
> > > I have checked that the phones have not received a prior BYE. Any other
> > > idea what is wrong ?
> > >
> > > Here's a more detailed situation :-
> > >
> > > Caller (PSTN) --> Voice Gateway --> OPENSER --> Callee (UA)
> > >
> > > When Callee (UA) tried to end the call, OPENSER will forward a copy of
> > > the BYE to Voice Gateway to inform him of the BYE.
> > > The Gateway, somehow, replied with a 'Call Leg/Transaction Does Not
> > > Exist'. The strange thing is, the Caller (PSTN) was somehow informed of
> > > the BYE method and terminated the session. Anyone has any idea how to
> > > handle these errors ? I will be glad to provide a ngrep for more
> > > reference.
> > >
> > > Regards,
> > > Sam
> > >
> > > -----Original Message-----
> > > From: users-bounces at openser.org [mailto:users-bounces at openser.org] On
> > > Behalf Of Iqbal
> > > Sent: Tuesday, October 11, 2005 7:35 PM
> > > To: Sam Lee
> > > Cc: users at openser.org
> > > Subject: Re: [Users] BYE method accompanied by error
> > >
> > > Can you check to see if you have already received a BYE for that call,
> > > some phones I had were sending their own BYEs after the GW had
> > >
> > > Iqbal
> > >
> > > Sam Lee wrote:
> > >
> > >
> > >> Hi all,
> > >>
> > >> I would like to know why my BYE methods are always replied to with a
> > >> 'Call Leg/Transaction does not exist'. How do they compare whether
> > >> the transaction in the BYE method exists or not ? ( tag? ftag ? ) Is
> > >> there anything in the config that might cause this kind of problem ?
> > >> Just want to highlight that all the calls are made in a good
> > >> condition, everything except when the call is ending.
> > >>
> > >> Please let me know if you don't understand.
> > >>
> > >> Regards,
> > >> Sam
> > >>
> > >>
> > >
> > >
> >
> >
> >
> > ------------------------------
> >
> > Message: 9
> > Date: Fri, 14 Oct 2005 11:27:58 +0300
> > From: Bogdan-Andrei Iancu <bogdan at voice-system.ro>
> > Subject: Re: [Users] How to do RADIUS authentication with hashed
> > password (MD5 or HA1)?
> > To: Cheng Zhang <czhang.cmu at gmail.com>
> > Cc: users at openser.org
> > Message-ID: <434F6C0E.9020402 at voice-system.ro>
> > Content-Type: text/plain; charset=ISO-8859-1; format=flowed
> >
> > Hi Cheng,
> >
> > if this patch solved your problem, can you please submit a short
> > description of the problem and its solution on the RADIUS wiki?
> > http://openser.org/dokuwiki/doku.php?id=radius
> >
> > thanks and regards,
> > bogdan
> >
> > Cheng Zhang wrote:
> >
> > >Fortunately Philippe Sultan on freeradius-users list has a patch to
> > >solve my problem.
> > >
> > >Philippe's reply is attached below:
> > >------ Forwarded Message
> > >From: Philippe Sultan <philippe.sultan at gmail.com>
> > >Reply-To: FreeRadius users mailing list <freeradius-users at lists.freeradius.org>
> > >Date: Wed, 12 Oct 2005 09:50:35 +0200
> > >To: FreeRadius users mailing list <freeradius-users at lists.freeradius.org>
> > >Subject: Re: Question on FreeRADIUS digest authentication with SIP proxy
> > >
> > >Hi, Chen.
> > >
> > >There is ongoing discussion on this topic :
> > >
> > >
> http://lists.freeradius.org/pipermail/freeradius-users/2005-October/047606.html
> > >
> > >You might also want to check this, for information related to digest
> > >authentication with RADIUS and LDAP :
> > >
> > >
> http://www-rocq.inria.fr/who/Philippe.Sultan/Asterisk/asterisk_sip_external_authentication.html
> > >
> > >Bye,
> > >
> > >Philippe
> > >------ End of Forwarded Message
> > >
> > >I tested Philippe's patch and it works for me. :-)
> > >For people using Gentoo, I created this enhancement bug (
> > >http://bugs.gentoo.org/show_bug.cgi?id=109003) to help out a bit.
> > >
> > >-- Cheng
> > >
> > >
> > >On 10/12/05, Bogdan-Andrei Iancu <bogdan at voice-system.ro> wrote:
> > >
> > >
> > >>Hi Cheng,
> > >>
> > >>I'm not a RADIUS expert, but AFAIK only plain-text passwords are
> > >>supported by RADIUS.
> > >>
> > >>regards,
> > >>Bogdan
> > >>
> > >>
> > >>
> > >>
> >
> >
> >
> >
> > ------------------------------
> >
> >
> >
> > End of Users Digest, Vol 5, Issue 35
> > ************************************
> --
> Girish Nayak
> (231) 392 5695 extn:184
>
>
>
>

