[SR-Users] TLS
Klaus Darilion
klaus.mailinglists at pernau.at
Tue May 21 09:02:30 CEST 2013
On 20.05.2013 21:27, Moacir Ferreira wrote:
> I would appreciate some help on the following questions I have:
>
> - If I use TLS mutual authentication, do I still need a subscriber
> password or the TLS successful mutual session setup will assume that the
>client is "trusted" so it can register what it is asking to register?
Indeed. The TLS-layer only checks the validity of the client
certificate. Thus, before calling save() (or setting up a call) you need
to check manually that a user is allowed to use a certain identity in
From/To headers.
This means, that have to check the user-id in the TLS certificate
against the user-id in the SIP message. For example if the client
certificates have the SIP username as common name:
if (@tls.peer.subj.cn != $fu) {
sl_send_reply("403");
}
Verify To header for REGISTER, R-URI for PUBLISH, and From header for
all others.
Available TLS variables:
http://sip-router.org/docbook/sip-router/branch/master/select_list/select_list.html#select_list.tls
> - For large deployments, can I issue a single certificate and install it
> on all my telephone sets making them "trusted" to me or I need one
> certificate per telephone/subscriber?
It depends. If you want to rely purely on TLS for authentication (using
MTLS as described above) then you need dedicated certificates for each
client.
Actually I do not know a SIP client which supports TLS client
certficates. Therefore the usually used approach is TLS without client
certificates and SIP-based authentication (username+pw).
>
> - Anyway, can you share your "good practices" advises for large deployment?
>
> - Finally, do you know any free softphone that implements mutual TLS
> authentication?
I am not aware of any.
regards
Klaus
More information about the sr-users
mailing list