[SR-Users] TLS
Daniel-Constantin Mierla
miconda at gmail.com
Wed May 22 11:19:42 CEST 2013
Hello,
On 5/21/13 9:02 AM, Klaus Darilion wrote:
>
>
> On 20.05.2013 21:27, Moacir Ferreira wrote:
>> I would appreciate some help on the following questions I have:
>>
>> - If I use TLS mutual authentication, do I still need a subscriber
>> password or the TLS successful mutual session setup will assume that the
>> client is "trusted" so it can register what it is asking to register?
>
> Indeed. The TLS-layer only checks the validity of the client
> certificate. Thus, before calling save() (or setting up a call) you
> need to check manually that a user is allowed to use a certain
> identity in From/To headers.
>
> This means, that have to check the user-id in the TLS certificate
> against the user-id in the SIP message. For example if the client
> certificates have the SIP username as common name:
>
> if (@tls.peer.subj.cn != $fu) {
> sl_send_reply("403");
> }
>
> Verify To header for REGISTER, R-URI for PUBLISH, and From header for
> all others.
>
> Available TLS variables:
> http://sip-router.org/docbook/sip-router/branch/master/select_list/select_list.html#select_list.tls
>
There can be the option of using a particular root certificate for
signing client certificate and then accept only those certificates.
This allows accepting traffic even without prior knowledge of the
username (e.g., common case for downloading a branded app after creating
an account on some portal/service). In this case is no need to check the
headers, all traffic from trusted certificates is ok.
>
>> - For large deployments, can I issue a single certificate and install it
>> on all my telephone sets making them "trusted" to me or I need one
>> certificate per telephone/subscriber?
>
> It depends. If you want to rely purely on TLS for authentication
> (using MTLS as described above) then you need dedicated certificates
> for each client.
>
> Actually I do not know a SIP client which supports TLS client
> certficates. Therefore the usually used approach is TLS without client
> certificates and SIP-based authentication (username+pw).
Jitsi supports it for at least few years, I used it. Also, there are
some hard phones doing it now (like cisco, yealink, aastra, iirc).
>
>>
>> - Anyway, can you share your "good practices" advises for large
>> deployment?
>>
>> - Finally, do you know any free softphone that implements mutual TLS
>> authentication?
>
> I am not aware of any.
Like the softphone authenticating the server based on server certificate?
Cheers,
Daniel
--
Daniel-Constantin Mierla - http://www.asipto.com
http://twitter.com/#!/miconda - http://www.linkedin.com/in/miconda
Kamailio Advanced Training, San Francisco, USA - June 24-27, 2013
* http://asipto.com/u/katu *
More information about the sr-users
mailing list