[SR-Users] TLS

Daniel-Constantin Mierla miconda at gmail.com
Wed May 22 11:19:42 CEST 2013


Hello,

On 5/21/13 9:02 AM, Klaus Darilion wrote:
>
>
> On 20.05.2013 21:27, Moacir Ferreira wrote:
>> I would appreciate some help on the following questions I have:
>>
>> - If I use TLS mutual authentication, do I still need a subscriber
>> password or the TLS successful mutual session setup will assume that the
>> client is "trusted" so it can register what it is asking to register?
>
> Indeed. The TLS-layer only checks the validity of the client 
> certificate. Thus, before calling save() (or setting up a call) you 
> need to check manually that a user is allowed to use a certain 
> identity in From/To headers.
>
> This means, that have to check the user-id in the TLS certificate 
> against the user-id in the SIP message. For example if the client 
> certificates have the SIP username as common name:
>
> if (@tls.peer.subj.cn != $fu) {
>   sl_send_reply("403");
> }
>
> Verify To header for REGISTER, R-URI for PUBLISH, and From header for 
> all others.
>
> Available TLS variables:
> http://sip-router.org/docbook/sip-router/branch/master/select_list/select_list.html#select_list.tls 
>

There can be the option of using a particular root certificate for 
signing client certificate and then accept only those certificates.

This allows accepting traffic even without prior knowledge of the 
username (e.g., common case for downloading a branded app after creating 
an account on some portal/service). In this case there is no need to check 
the headers; all traffic from trusted certificates is ok.


>
>> - For large deployments, can I issue a single certificate and install it
>> on all my telephone sets making them "trusted" to me or I need one
>> certificate per telephone/subscriber?
>
> It depends. If you want to rely purely on TLS for authentication 
> (using MTLS as described above) then you need dedicated certificates 
> for each client.
>
> Actually I do not know a SIP client which supports TLS client 
> certificates. Therefore the usually used approach is TLS without client 
> certificates and SIP-based authentication (username+pw).
Jitsi supports it for at least a few years, I used it. Also, there are 
some hard phones doing it now (like cisco, yealink, aastra, iirc).
>
>>
>> - Anyway, can you share your "good practices" advises for large 
>> deployment?
>>
>> - Finally, do you know any free softphone that implements mutual TLS
>> authentication?
>
> I am not aware of any.

Like the softphone authenticating the server based on server certificate?

Cheers,
Daniel

-- 
Daniel-Constantin Mierla - http://www.asipto.com
http://twitter.com/#!/miconda - http://www.linkedin.com/in/miconda
Kamailio Advanced Training, San Francisco, USA - June 24-27, 2013
   * http://asipto.com/u/katu *
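Editor's note: the following Kamailio configuration fragment is an added example, not code from the thread or from the Kamailio project. It combines Klaus's per-method identity check (To for REGISTER, R-URI for PUBLISH, From otherwise) with Daniel's "trust every certificate signed by our own CA" model, using the tls module's `$tls_peer_*` pseudo-variables in place of the `@tls.peer.subj.cn` select quoted above. Assumptions: the tls, sl, textops and xlog modules are loaded, the CA file path is a placeholder, and the certificate CN carries the SIP username.

```kamailio
# Placeholder path: the CA that signed the client certificates (assumed to exist).
modparam("tls", "ca_list", "/etc/kamailio/tls/client-ca.pem")
modparam("tls", "verify_certificate", 1)   # reject chains that do not end at ca_list
modparam("tls", "require_certificate", 1)  # reject TLS clients that present no certificate

# Define to additionally bind the certificate CN to the SIP identity (Klaus's check);
# leave it undefined to accept any certificate issued by the CA (Daniel's model).
#!define TLS_CN_BINDS_IDENTITY

route[TLS_PEER_AUTH] {
    # A peer certificate only exists on TLS; UDP/TCP requests must use digest auth instead.
    if ($proto != "tls") {
        return;
    }
    # The handshake already refused unverifiable chains; re-check so a misconfigured
    # listener (verify_certificate off) cannot silently let unverified peers through.
    if ($tls_peer_verified != 1) {
        sl_send_reply("403", "Client certificate not verified");
        exit;
    }
#!ifdef TLS_CN_BINDS_IDENTITY
    # Pick the header that carries the claimed identity for this method.
    if (is_method("REGISTER")) {
        $var(claimed) = $tU;    # To username
    } else if (is_method("PUBLISH")) {
        $var(claimed) = $rU;    # Request-URI username
    } else {
        $var(claimed) = $fU;    # From username
    }
    # Assumes certificate CN == SIP username, as in the thread's example.
    if ($tls_peer_subject_cn != $var(claimed)) {
        xlog("L_NOTICE", "TLS CN '$tls_peer_subject_cn' does not match claimed identity '$var(claimed)' in $rm from $si\n");
        sl_send_reply("403", "Forbidden");
        exit;
    }
#!endif
    # Reached only with a verified certificate (and a matching CN when enabled):
    # the caller may skip digest authentication for this request.
    $var(tls_authed) = 1;
}
```

Call `route(TLS_PEER_AUTH)` before `save()` for REGISTER and before the call-setup logic for INVITE, and fall back to digest authentication whenever `$var(tls_authed)` is not set.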