[SR-Users] TLS

Klaus Darilion klaus.mailinglists at pernau.at
Tue May 21 09:02:30 CEST 2013



On 20.05.2013 21:27, Moacir Ferreira wrote:
> I would appreciate some help on the following questions I have:
>
> - If I use TLS mutual authentication, do I still need a subscriber
> password or the TLS successful mutual session setup will assume that the
> client is "trusted" so it can register what it is asking to register?

Indeed. The TLS-layer only checks the validity of the client 
certificate. Thus, before calling save() (or setting up a call) you need 
to check manually that a user is allowed to use a certain identity in 
From/To headers.

This means that you have to check the user-id in the TLS certificate 
against the user-id in the SIP message. For example, if the client 
certificates have the SIP username as common name:

# compare the certificate CN (bare SIP username) with the From username;
# sl_send_reply() needs both code and reason, and exit stops further routing
if (@tls.peer.subj.cn != $fU) {
   sl_send_reply("403", "Forbidden");
   exit;
}

Verify To header for REGISTER, R-URI for PUBLISH, and From header for 
all others.

Available TLS variables:
http://sip-router.org/docbook/sip-router/branch/master/select_list/select_list.html#select_list.tls

> - For large deployments, can I issue a single certificate and install it
> on all my telephone sets making them "trusted" to me or I need one
> certificate per telephone/subscriber?

It depends. If you want to rely purely on TLS for authentication (using 
MTLS as described above) then you need dedicated certificates for each 
client.

Actually I do not know a SIP client which supports TLS client 
certificates. Therefore the usually used approach is TLS without client 
certificates and SIP-based authentication (username+pw).

>
> - Anyway, can you share your "good practices" advice for large deployment?
>
> - Finally, do you know any free softphone that implements mutual TLS
> authentication?

I am not aware of any.

regards
Klaus
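The per-method identity check described in the reply above (To for REGISTER, R-URI for PUBLISH, From for everything else), written out as an added Kamailio/sip-router config example; this is not code from the original post. It assumes the tls module is loaded with client certificate verification enabled, that the certificate CN carries the bare SIP username, and the route name TLS_IDENTITY_CHECK is made up for this example.

```kamailio
# Added example, not from the original post.
# Assumed tls module settings: the peer certificate must be presented and verified.
modparam("tls", "verify_certificate", 1)
modparam("tls", "require_certificate", 1)

# Call this before save("location") or before setting up a call.
route[TLS_IDENTITY_CHECK] {
    # The check only makes sense for requests that arrived over TLS.
    if (proto != TLS) {
        sl_send_reply("403", "Forbidden - TLS required");
        exit;
    }
    # Do not trust the certificate subject unless the TLS layer verified it.
    if (!tls_is_peer_verified()) {
        sl_send_reply("403", "Forbidden - client certificate not verified");
        exit;
    }

    # Pick the SIP identity to compare, depending on the method.
    if ($rm == "REGISTER") {
        $var(id) = $tU;   # username of the To header
    } else if ($rm == "PUBLISH") {
        $var(id) = $rU;   # username of the Request-URI
    } else {
        $var(id) = $fU;   # username of the From header
    }

    # The certificate CN (assumed to hold the bare SIP username) must match.
    if (@tls.peer.subj.cn != $var(id)) {
        xlog("L_WARN", "TLS identity mismatch: cert CN=$sel(tls.peer.subj.cn) "
             "sip user=$var(id) method=$rm src=$si\n");
        sl_send_reply("403", "Forbidden");
        exit;
    }
}

request_route {
    if (is_method("REGISTER")) {
        route(TLS_IDENTITY_CHECK);
        if (!save("location")) {
            sl_reply_error();
        }
        exit;
    }
    # ... remaining routing logic, calling route(TLS_IDENTITY_CHECK) before
    # any action that relies on the From identity ...
}
```

The xlog line gives you a per-source audit trail of rejected identity mismatches, which is the signal worth alerting on in a deployment that relies on MTLS.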