[SR-Users] Use different certificate for different client with TLS

Klaus Darilion klaus.mailinglists at pernau.at
Wed Feb 9 17:51:00 CET 2011


The certificate configured at Kamailio is the 'server' certificate.

The client certificate will be configured in the SIP client (e.g. the
SIP phone).

The [server] section will require a client certificate from the
softphone if require_certificate=yes. It will also validate the client
certificate against the local configured valid ca_list by using
verify_certificate=yes.

If a SIP message now enters the routing script and it was received over
TLS, you know that the SIP phone sent a client certificate which could be
validated against the ca_list.

Now, if you want to distinguish between softphones you have to look at the
certificate parameters, e.g. using the select framework:
http://sip-router.org/docbook/sip-router/branch/master/select_list/select_list.html#select_list.tls

e.g. if ( @tls.peer.subject.cn == "George Bush") ...

regards
Klaus

Am 09.02.2011 17:39, schrieb Daniel GROTTI:
> Hi all,
> I would like to use kamailio 3.1 with TLS and also verify a client
> certificate.
> 
> My tls.cfg file is as follow:
> 
> 
> --- tls.cfg ----
> 
> .....
> .....
> 
> [server:MY_IP:5061]
> method = TLSv1
> verify_certificate = yes
> require_certificate = yes
> private_key = default_key.pem
> certificate = default_cert.pem
> ca_list = default_ca.pem
> 
> [client:default]
> verify_certificate = no
> require_certificate = no
> 
> ....
> ....
> 
> 
> So I want to verify the client certificate; to do that I use the
> "is_peer_verified()" function in kamailio.cfg.
> As tls.cfg shows, I have to send my clients the CA certificate and
> the client certificate (default_cert.pem + default_key.pem, signed
> by the CAcert).
> This client certificate is the same one for all clients.
> Everything works fine.
> 
> But suppose I wanted to create a client certificate for client 1
> (cert_1.crt) and a different client certificate for client 2
> (cert_2.crt), and I want to configure kamailio to be able to verify
> these different certificates.
> 
> Is that possible? How can I configure the tls.cfg file to do that?
> 
> I tried something like this:
> 
> [server:MY_IP:5061]
> method = TLSv1
> verify_certificate = yes
> require_certificate = yes
> private_key = default_key_1.pem
> certificate = default_cert_1.pem
> private_key = default_key_2.pem
> certificate = default_cert_2.pem
> ca_list = default_ca.pem
> 
> 
> But when kamailio restarts it seems that it reads only the last pair
> of certificate/private_key rows.
> 
> Regards,
> 
> 
> Daniel G
> 
> _______________________________________________
> SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
> sr-users at lists.sip-router.org
> http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
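Putting Klaus's answer together as a worked configuration (an added example for this page, not code from the original thread or from the Kamailio project): the server-side tls.cfg keeps a single certificate/private_key pair and lists, in ca_list, the CA that issued every per-client certificate; the distinction between phones is then made in the routing script, not in tls.cfg. The route name TLS_AUTH, the policy of binding the certificate CN to the From username, the CN value "client1", the flag number and the 403 reply texts are assumptions made for this example; is_peer_verified(), the @tls.peer.subject.cn select, proto, $fU, $si and $sp are the functions and variables the thread and the Kamailio 3.1 core/tls documentation provide.

```cfg
# --- tls.cfg (server side, added example) ---
# One key pair for what Kamailio presents to the phone, plus the CA that
# signed cert_1.crt, cert_2.crt, ... Per-client certificates are never
# listed here; a second private_key/certificate pair would only override
# the first, which is the behaviour seen in the original post.
[server:MY_IP:5061]
method = TLSv1
verify_certificate = yes
require_certificate = yes
private_key = default_key.pem
certificate = default_cert.pem
ca_list = default_ca.pem

# --- kamailio.cfg (added example) ---
# Called from the request route as route(TLS_AUTH); route name and the
# CN-to-From binding policy are assumptions for this example.
route[TLS_AUTH] {
    # Certificate data only exists on TLS; refuse other transports.
    if (proto != TLS) {
        sl_send_reply("403", "TLS required");
        exit;
    }
    # require_certificate=yes already rejects handshakes without a client
    # certificate; this re-checks the verification result per request.
    if (!is_peer_verified()) {
        sl_send_reply("403", "Client certificate not verified");
        exit;
    }
    # A valid CA signature only proves the phone holds *some* certificate
    # issued by our CA. Bind the certificate to the claimed SIP identity so
    # the holder of cert_1.crt cannot register or call as client 2.
    if (@tls.peer.subject.cn != $fU) {
        xlog("L_WARN", "TLS client cert CN does not match From user $fU (src $si:$sp)\n");
        sl_send_reply("403", "Certificate does not match identity");
        exit;
    }
    # Per-client decision on the CN, as in Klaus's reply. Flag 1 is an
    # assumed flag number for later routing decisions.
    if (@tls.peer.subject.cn == "client1") {
        setflag(1);
    }
}
```

The point the route makes explicit: verify_certificate/require_certificate answer "was this certificate issued by a CA I trust?", which is the same answer for cert_1.crt and cert_2.crt. Which client is on the line is a separate, script-level decision, and without the CN-to-identity check any phone with a CA-signed certificate could present any From identity. If digest authentication is also in use, comparing the CN against the authenticated username ($au after auth) is the tighter choice than $fU.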