[Users] Secure SIP messages

Klaus Darilion klaus.mailinglists at pernau.at
Wed Jan 3 17:23:58 CET 2007


Steffen Witt wrote:
> Hello,
> 
> I have a few questions about how to secure SIP messages...
> 
> IPSec or TLS can be used to guarantee privacy, integrity and
> authenticity of transmitted data. But SIP is only payload/data for
> these protocols.
> Digest Authentication only guarantees authenticity...
> S/MIME seems to be interesting but I don't know any implementation in
> a SIP client.
> 
> 
> My questions:
> - Is there any mechanism that prevents me from corrupting or faking
> SIP messages?

What do you want? Do you want to manipulate SIP messages or do you want 
that nobody can manipulate your SIP messages?

> - Is it possible to create a kind of binding between the certificates
> used for TLS/IPSec and the SIP accounts?

Not for IPsec, as IPsec is not in the application. Thus, the application 
has no access to any IPsec settings - it does not even know if a message 
is sent via IPsec or not.

Regarding TLS: Usually you use TLS for encryption and digest for 
authentication.

Using TLS certificates for clients is not that simple. You can't use 
host certificates as the IP address and hostnames of the clients will 
change. Thus, the TLS certificate must be for a SIP URI (for details see 
RFC 3261). Then you could use the pseudo variable exported by the tlsops 
module to compare the certificate parameter against the From: URI. This 
will work for incoming requests, but not for outgoing requests (when you 
want to compare the certificate name against the To or Request URI).

regards
klaus

> 
> Thanks for your answers...
> 
> 
> Best regards,
> Steffen
> 


-- 
Klaus Darilion
nic.at
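
The comparison described in the reply above (client certificate identity against the From: URI of an incoming request), sketched as an added example that is not part of the original post and is not OpenSER code. It assumes the URI subjectAltName values have already been extracted from the peer certificate by the TLS layer; the function names and sample data are hypothetical, and ignoring the sip/sips scheme difference is a simplification made here.

```python
import re

_QUOTED_NAME = re.compile(r'^\s*"(?:[^"\\]|\\.)*"')   # quoted display name
_ANGLE = re.compile(r"<([^>]*)>")                      # name-addr form
_SIP_URI = re.compile(r"(?i)sips?:([^@;?]+)@([^;?>\s]+)")

def sip_identity(uri):
    """Reduce a sip:/sips: URI to a comparable (user, host) pair.

    Scheme, password, port, URI parameters and headers are dropped. The user
    part is compared case-sensitively, the host part is not (RFC 3261,
    section 19.1.4). Returns None if there is no user part.
    """
    m = _SIP_URI.match(uri.strip())
    if not m:
        return None
    user = m.group(1).split(":", 1)[0]              # strip optional password
    host = m.group(2)
    if host.startswith("["):                        # IPv6 reference
        host = host[: host.find("]") + 1]
    else:
        host = host.split(":", 1)[0]                # strip port
    return user, host.lower().rstrip(".")

def from_header_uri(value):
    """Extract the URI from a From header value.

    The quoted display name is removed first: it is attacker-controlled and
    may itself contain something that looks like <sip:...>.
    """
    rest = _QUOTED_NAME.sub("", value, count=1)
    m = _ANGLE.search(rest)
    return m.group(1) if m else rest.strip()

def cert_matches_from(san_uris, from_value):
    """True if any URI subjectAltName names the identity claimed in From."""
    claimed = sip_identity(from_header_uri(from_value))
    if claimed is None:
        return False
    return any(sip_identity(san) == claimed for san in san_uris)

# Constructed sample data (not from the original post).
SAN_URIS = ["sip:alice@example.org"]
GOOD = '"Alice" <sip:alice@EXAMPLE.org:5060;transport=tls>;tag=abc'
SPOOF = '"<sip:alice@example.org>" <sip:mallory@example.org>;tag=1'

if __name__ == "__main__":
    print(cert_matches_from(SAN_URIS, GOOD), cert_matches_from(SAN_URIS, SPOOF))
```

A request whose From: identity does not match would be rejected before digest authentication or routing; the same check cannot be applied to outgoing requests, as the reply notes.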




