[Users] user authentication with certificate

Girish Nayak girish at isphone.net
Fri Oct 14 15:36:06 CEST 2005


i understand, minisip softphone can initiate TLS connection.
and it can be authenticated by the openser via digest authentication.

is it possible to use certificate instead of digest authentication?
-- 
Girish 


On Fri, 2005-10-14 at 08:28 +0000, users-request at openser.org wrote:
> Send Users mailing list submissions to
> 	users at openser.org
> 
> To subscribe or unsubscribe via the World Wide Web, visit
> 	http://openser.org/cgi-bin/mailman/listinfo/users
> or, via email, send a message with subject or body 'help' to
> 	users-request at openser.org
> 
> You can reach the person managing the list at
> 	users-owner at openser.org
> 
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of Users digest..."
> 
> 
> Today's Topics:
> 
>    1. Re: Re: [Serusers] trusting peers (Juha Heinanen)
>    2. Re: different tables for acc (Klaus Darilion)
>    3. Re: Improving TLS implementation (Cesc)
>    4. Re: Improving TLS implementation (Juha Heinanen)
>    5. Softphones compatible with Openser/TLS (Joonbum Byun)
>    6. Re: Softphones compatible with Openser/TLS (Klaus Darilion)
>    7. Re: Softphones compatible with Openser/TLS (Cesc)
>    8. Re: BYE method accompanied by error (Daniel-Constantin Mierla)
>    9. Re: How to do RADIUS authentication with hashed password	(MD5
>       or HA1)? (Bogdan-Andrei Iancu)
> 
> 
> ----------------------------------------------------------------------
> 
> Message: 1
> Date: Thu, 13 Oct 2005 13:55:37 +0300
> From: Juha Heinanen <jh at tutpro.com>
> Subject: Re: [Users] Re: [Serusers] trusting peers
> To: Klaus Darilion <klaus.mailinglists at pernau.at>
> Cc: Nils Ohlmeier <lists at ohlmeier.org>, serusers at iptel.org,	Jan Janak
> 	<jan at iptel.org>, "users openser.org" <users at openser.org>
> Message-ID: <17230.15657.441146.200770 at rautu.tutpro.com>
> Content-Type: text/plain; charset=us-ascii
> 
> Klaus Darilion writes:
> 
>  > e.g. simmilar to allow_trusted, but using the domain form the 
>  > certificate instead of using src_ip.
> 
> yes, it would be easy to add such a check to permissions module.
> 
> -- juha
> 
> 
> 
> ------------------------------
> 
> Message: 2
> Date: Thu, 13 Oct 2005 14:30:46 +0200
> From: Klaus Darilion <klaus.mailinglists at pernau.at>
> Subject: Re: [Users] different tables for acc
> To: jayesh nambiar <jayesh_1017 at yahoo.com>
> Cc: SER <users at openser.org>
> Message-ID: <434E5376.2000902 at pernau.at>
> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
> 
> No. Only one table for all costumers.
> 
> klaus
> 
> jayesh nambiar wrote:
> > hi all,
> > I came to kno about the parameter modparam("acc", "db_table_acc", 
> > "acc_table").
> > Does this mean that I can have different acc tables for my different 
> > type of customers. Is this possible.
> > If yes, then how? If i declare the appropriate flag and then use setflag 
> > at the places i want to account, will it work.
> > Can someone please explain it to me. Any suggestions would help me a lot.
> > Thanx
> > jayesh
> > 
> > ------------------------------------------------------------------------
> > Yahoo! Music Unlimited - Access over 1 million songs. Try it free. 
> > <http://pa.yahoo.com/*http://us.rd.yahoo.com/evt=36035/*http://music.yahoo.com/unlimited/> 
> > 
> > 
> > 
> > ------------------------------------------------------------------------
> > 
> > _______________________________________________
> > Users mailing list
> > Users at openser.org
> > http://openser.org/cgi-bin/mailman/listinfo/users
> 
> 
> 
> 
> ------------------------------
> 
> Message: 3
> Date: Thu, 13 Oct 2005 14:53:25 +0200
> From: Cesc <cesc.santa at gmail.com>
> Subject: Re: [Users] Improving TLS implementation
> To: Juha Heinanen <jh at tutpro.com>
> Cc: SER-Users <serusers at iptel.org>, OpenSER-users <users at openser.org>
> Message-ID:
> 	<ce8208420510130553r371591aeib5f43a7674b109b at mail.gmail.com>
> Content-Type: text/plain; charset="utf-8"
> 
> Hi Juha,
>  Well, that is true, but what do you propose then? just present a host cert
> and nothing else? I would say that if the company trust the hosting for
> running the service, a mere certficate should not be the problem, should it?
>  Cesc
> 
>  On 10/13/05, Juha Heinanen <jh at tutpro.com> wrote:
> >
> > cesc,
> >
> > you made a good summary, but in multi-domain case, it is not just a
> > technical problem on how to present or offer a domain specific
> > certificate. in order to be able to do that, the domains have to
> > surrender their private keying information to a provider that currently
> > happens to host their sip service, and to another provider that hosts
> > their web service, and to third provider that hosts their e-commerce
> > service, etc.
> >
> > in most cases, this is simply out of question. companies are not going
> > to do it.
> >
> > -- juha
> >
> -------------- next part --------------
> An HTML attachment was scrubbed...
> URL: http://openser.org/pipermail/users/attachments/20051013/ba119f0d/attachment-0001.html
> 
> ------------------------------
> 
> Message: 4
> Date: Thu, 13 Oct 2005 16:00:34 +0300
> From: Juha Heinanen <jh at tutpro.com>
> Subject: Re: [Users] Improving TLS implementation
> To: Cesc <cesc.santa at gmail.com>
> Cc: SER-Users <serusers at iptel.org>, OpenSER-users <users at openser.org>
> Message-ID: <17230.23154.109583.123270 at rautu.tutpro.com>
> Content-Type: text/plain; charset=us-ascii
> 
> Cesc writes:
> 
>  >  Well, that is true, but what do you propose then? just present a host cert
>  > and nothing else? 
> 
> yes.  
> 
>  > I would say that if the company trust the hosting for
>  > running the service, a mere certficate should not be the problem,
>  > should it?
> 
> it would be if the company uses the same domain certificate also for
> other things, like e-commerce.
> 
> -- juha
> 
> 
> 
> ------------------------------
> 
> Message: 5
> Date: Thu, 13 Oct 2005 10:46:44 -0400
> From: "Joonbum Byun" <jbyun at qovia.com>
> Subject: [Users] Softphones compatible with Openser/TLS
> To: <users at openser.org>
> Message-ID:
> 	<A8F302FE10019948AAF281B06FB908D72950E0 at exchange.qovia.com>
> Content-Type: text/plain; charset="us-ascii"
> 
> Skipped content of type multipart/alternative-------------- next part --------------
> A non-text attachment was scrubbed...
> Name: Joonbum Byun.vcf
> Type: text/x-vcard
> Size: 129 bytes
> Desc: Joonbum Byun.vcf
> Url : http://openser.org/pipermail/users/attachments/20051013/95a62779/JoonbumByun-0001.vcf
> 
> ------------------------------
> 
> Message: 6
> Date: Thu, 13 Oct 2005 21:23:55 +0200
> From: Klaus Darilion <klaus.mailinglists at pernau.at>
> Subject: Re: [Users] Softphones compatible with Openser/TLS
> To: Joonbum Byun <jbyun at qovia.com>
> Cc: users at openser.org
> Message-ID: <434EB44B.8040800 at pernau.at>
> Content-Type: text/plain; charset=windows-1252; format=flowed
> 
> I only know minisip and Windows Messenger (never tried one of them)
> 
> klaus
> 
> Joonbum Byun wrote:
> > Hi;
> > 
> >  
> > 
> > Id like to set up a SIP network secured by TLS in my lab.
> > 
> >  
> > 
> > Would anyone please let me know if open source soft-phone is available 
> > compatible with TLS enabled Openser? Any suggestions on soft-phones or 
> > success stories are greatly appreciated.
> > 
> >  
> > 
> > Thanks,
> > 
> >  
> > 
> > Joon
> > 
> > _______________________________________________
> > Users mailing list
> > Users at openser.org
> > http://openser.org/cgi-bin/mailman/listinfo/users
> 
> 
> 
> ------------------------------
> 
> Message: 7
> Date: Fri, 14 Oct 2005 01:00:34 +0200
> From: Cesc <cesc.santa at gmail.com>
> Subject: Re: [Users] Softphones compatible with Openser/TLS
> To: Klaus Darilion <klaus.mailinglists at pernau.at>
> Cc: Joonbum Byun <jbyun at qovia.com>, users at openser.org
> Message-ID:
> 	<ce8208420510131600l47f91125i9df215a3c7b95ee1 at mail.gmail.com>
> Content-Type: text/plain; charset="utf-8"
> 
> Hi,
> 
> I've never tried wmessenger either, but minisip does work.
> As for hardphones, i think snoms can do tls, though only
> server-authentication (no client/phone authentication).
> 
> Cesc
> 
> On 10/13/05, Klaus Darilion <klaus.mailinglists at pernau.at> wrote:
> >
> > I only know minisip and Windows Messenger (never tried one of them)
> >
> > klaus
> >
> > Joonbum Byun wrote:
> > > Hi;
> > >
> > >
> > >
> > > I'd like to set up a SIP network secured by TLS in my lab.
> > >
> > >
> > >
> > > Would anyone please let me know if open source soft-phone is available
> > > compatible with TLS enabled Openser? Any suggestions on soft-phones or
> > > success stories are greatly appreciated.
> > >
> > >
> > >
> > > Thanks,
> > >
> > >
> > >
> > > Joon
> > >
> > > _______________________________________________
> > > Users mailing list
> > > Users at openser.org
> > > http://openser.org/cgi-bin/mailman/listinfo/users
> >
> > _______________________________________________
> > Users mailing list
> > Users at openser.org
> > http://openser.org/cgi-bin/mailman/listinfo/users
> >
> -------------- next part --------------
> An HTML attachment was scrubbed...
> URL: http://openser.org/pipermail/users/attachments/20051014/0b15939a/attachment-0001.htm
> 
> ------------------------------
> 
> Message: 8
> Date: Fri, 14 Oct 2005 09:24:18 +0300
> From: Daniel-Constantin Mierla <daniel at voice-system.ro>
> Subject: Re: [Users] BYE method accompanied by error
> To: Sam Lee <Sam at super.net.sg>
> Cc: users at openser.org
> Message-ID: <434F4F12.1030001 at voice-system.ro>
> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
> 
> It seems that the gateway does not like the BYE, maybe there are some 
> bad header values there. Anyhow, you can account failed transactions too 
> (see failed_transaction_flag parameter of acc module), or just use 
> acc_db_request() function for BYEs.
> 
> Cheers,
> Daniel
> 
>  
> On 10/13/05 05:30, Sam Lee wrote:
> > Any help I can get on this one ?
> >
> > Sam
> >
> > -----Original Message-----
> > From: users-bounces at openser.org [mailto:users-bounces at openser.org] On
> > Behalf Of Sam Lee
> > Sent: Wednesday, October 12, 2005 3:27 PM
> > To: Iqbal; users at openser.org
> > Subject: RE: [Users] BYE method accompanied by error
> >
> > I have checked that the phones have not received a prior BYE. Any other
> > idea what is wrong ?
> >
> > Here's a more detailed situation :-
> >
> > Caller (PSTN) --> Voice Gateway --> OPENSER --> Callee (UA)
> >
> > When Callee (UA) tried to end the call , OPENSER will forward a copy of
> > the BYE to Voice Gateway to inform him of the BYE.
> > The Gateway , somehow , replied with a 'Call Leg/Transaction Does Not
> > Exist' . The strange thing is, the Caller (PSTN) was somehow informed of
> > the BYE method and terminate the session . Anyone has any idea how to
> > handle these errors ? I will be glad to provide a ngrep for more
> > reference.
> >
> > Regards,
> > Sam
> >
> > -----Original Message-----
> > From: users-bounces at openser.org [mailto:users-bounces at openser.org] On
> > Behalf Of Iqbal
> > Sent: Tuesday, October 11, 2005 7:35 PM
> > To: Sam Lee
> > Cc: users at openser.org
> > Subject: Re: [Users] BYE method accompanied by error
> >
> > Can you check to see if you have already received a BYE for that call,
> > some phones I had were sending there own Bye's after the GW had
> >
> > Iqbal
> >
> > Sam Lee wrote:
> >
> >   
> >> Hi all,
> >>  
> >> I would like to know why does my BYE method are always replied with a 
> >> 'Call Leg/Transaction does not exist' . How do they compare whether 
> >> the transaction in the BYE method exist or not ? ( tag? ftag ? ) Are 
> >> there any thing in the config that might cause this kind of problem ?
> >> Just want to highlight that all the calls are made in a good 
> >> condition, everything except when the call is ending.
> >>
> >> Please let me know if you dont understand.
> >>  
> >> Regards,
> >> Sam
> >>
> >> -----------------------------------------------------------------------
> >> -
> >>
> >> _______________________________________________
> >> Users mailing list
> >> Users at openser.org
> >> http://openser.org/cgi-bin/mailman/listinfo/users
> >>  
> >>
> >>     
> >
> > _______________________________________________
> > Users mailing list
> > Users at openser.org
> > http://openser.org/cgi-bin/mailman/listinfo/users
> >
> > _______________________________________________
> > Users mailing list
> > Users at openser.org
> > http://openser.org/cgi-bin/mailman/listinfo/users
> >
> > _______________________________________________
> > Users mailing list
> > Users at openser.org
> > http://openser.org/cgi-bin/mailman/listinfo/users
> >
> >   
> 
> 
> 
> ------------------------------
> 
> Message: 9
> Date: Fri, 14 Oct 2005 11:27:58 +0300
> From: Bogdan-Andrei Iancu <bogdan at voice-system.ro>
> Subject: Re: [Users] How to do RADIUS authentication with hashed
> 	password	(MD5	or HA1)?
> To: Cheng Zhang <czhang.cmu at gmail.com>
> Cc: users at openser.org
> Message-ID: <434F6C0E.9020402 at voice-system.ro>
> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
> 
> Hi Cheng,
> 
> if this patch solved your problem, can you please summit a short 
> description of the problem and its solution on the RADIUS wiki?
>     http://openser.org/dokuwiki/doku.php?id=radius
> 
> thanks and regards,
> bogdan
> 
> Cheng Zhang wrote:
> 
> >Fortunately Philippe Sultan on freeradius-users list has a patch to
> >solve my problem.
> >
> >Philippe's reply is attached below:
> >------ Forwarded Message
> >From: Philippe Sultan <philippe.sultan at gmail.com>
> >Reply-To: FreeRadius users mailing list <freeradius-users at lists.freeradius.org>
> >Date: Wed, 12 Oct 2005 09:50:35 +0200
> >To: FreeRadius users mailing list <freeradius-users at lists.freeradius.org>
> >Subject: Re: Question on FreeRADIUS digest authentication with SIP proxy
> >
> >Hi, Chen.
> >
> >There is ongoing discussion on this topic :
> >
> >http://lists.freeradius.org/pipermail/freeradius-users/2005-October/047606.html
> >
> >You might also want to check this, for information related to digest
> >authentication with RADIUS and LDAP :
> >
> >http://www-rocq.inria.fr/who/Philippe.Sultan/Asterisk/asterisk_sip_external_authentication.html
> >
> >Bye,
> >
> >Philippe
> >------ End of Forwarded Message
> >
> >I tested Philippe's patch and it works for me. :-)
> >For people using Gentoo, I created this enhancement bug (
> >http://bugs.gentoo.org/show_bug.cgi?id=109003) to help out a bit.
> >
> >-- Cheng
> >
> >
> >On 10/12/05, Bogdan-Andrei Iancu <bogdan at voice-system.ro> wrote:
> >  
> >
> >>Hi Cheng,
> >>
> >>I'm not a RADIUS expert, but AFAIK only textplain passwords are
> >>supported by RADIUS.
> >>
> >>regards,
> >>Bogdan
> >>    
> >>
> >>------------------------------------------------------------------------
> >>
> >>_______________________________________________
> >>Users mailing list
> >>Users at openser.org
> >>http://openser.org/cgi-bin/mailman/listinfo/users
> >>    
> >>
> 
> 
> 
> 
> ------------------------------
> 
> _______________________________________________
> Users mailing list
> Users at openser.org
> http://openser.org/cgi-bin/mailman/listinfo/users
> 
> 
> End of Users Digest, Vol 5, Issue 35
> ************************************
-- 
Girish Nayak
(231) 392 5695 extn:184






More information about the Users mailing list