[Users] Secure SIP messages

Klaus Darilion klaus.mailinglists at pernau.at
Thu Jan 4 11:46:23 CET 2007

Steffen Witt wrote:
> Hello,
>> > My questions:
>> > - Is there any mechanism that prevents me from corrupting or faking
>> > SIP messages?
>> What do you want? Do you want to manipulate SIP messages or do you want
>> that nobody can manipulate your SIP messages?
> I want to prevent manipulation of SIP messages.

Then use TLS for encryption of the SIP signaling, and for authentication 
of the SIP proxy to the client. To authenticate the client against the 
SIP proxy you still need digest authentication.


>> > - Is it possible to create a kind of binding between the certificates
>> > used for TLS/IPSec and the SIP accounts?
>> Not for IPsec as IPsec is not in the application. Thus, the application
>> has no access to any IPsec settings - it even does not know if a message
>> is sent via IPsec or not.
>> Regarding TLS: Usually you use TLS for encryption and digest for
>> authentication.
>> Using TLS certificates for clients is not that simple. You can't use
>> host certificates as the IP address and hostnames of the clients will
>> change. Thus, the TLS certificate must be for a sip URI (for details see
>> RFC 3261). Then you could use the pseudo variable exported by tlsops
>> module to compare the certificate parameter against the From: URI. This
>> will work for incoming requests, but not for outgoing requests (when you
>> want to compare the certificate name against the To or Request URI)
> Thanks for the info.
> Best regards,
> Steffen

Klaus Darilion

More information about the sr-users mailing list