
[reSIProcate] TLS client auth added
I've added TLS client cert authentication/authorization for resip, DUM
and repro.

It should be completely optional, and the behaviour of the stack should not
change unless it is explicitly enabled and/or configured.

There are four possible TLS clients that come to mind:
- Polycom phones will send a client cert if requested by TLS.  The cert
contains the MAC address in the common name
- Jitsi has a setting for it (I haven't tested it yet, but I can see a
pull down menu for client certs in the SIP settings)
- Lumicall will support it very soon
- Using the command-line tools `openssl s_client' or `gnutls-cli', you
can pretend to be a TLS client, using any cert on your disk

There are two levels of checking:
a) cert must be signed by a CA trusted by the stack
b) the CN or one of the subjectAltName values must match the From:
header of each SIP message on the TlsConnection

Examples:

Cert 1:
common name = daniel@xxxxxxxxxxxxx
=> From: <daniel@xxxxxxxxxxxxx> is the only value that will pass

Cert 2:
subjectAltName = pocock.com.au
=> From: <<anything>@pocock.com.au> will be accepted

Typically, case 1 is for a real client connection (e.g. Jitsi); case 2
(whole domain) is for federated SIP proxy-to-proxy communication (RFC 5922).

Further notes:

- There is an optional hack to accept email certs as if they were
SIP-URI certs.

- A further enhancement is needed to do mapping/translation of common
names (e.g. for Polycom phones sending their MAC address in the cert);
this will probably be backed by the repro database and will require an
async version of authorizedForThisIdentity().
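As an added illustration, not code from reSIProcate or from this message, the following Python sketches the two-level check described above: level (a) is modelled as a trusted-chain flag (no X.509 chain validation is performed here), and level (b) reduces the From: header to user@domain and compares it against the certificate's CN and subjectAltName entries. The `CertIdentities` structure, the SAN encoding as (type, value) pairs, the `accept_email_certs` flag standing in for the "email cert hack", the rule that a CN without an '@' is treated as a whole-domain identity, and all sample values are assumptions of this example; the only names taken from the message are the domain in "Cert 2" and the two matching rules.

```python
"""Worked example of the TLS client-cert identity check described above.

Rules modelled (from the message):
  a) the cert chain must be trusted             -> chain_trusted flag here
  b) From: user@domain must match the cert's CN or a subjectAltName:
       exact identity (CN 'u@d', URI SAN 'sip:u@d')   -> only that user@domain
       whole domain  (DNS SAN 'd', or CN without '@') -> any user at that domain
  Email SANs count only when the "email cert hack" flag is enabled.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class CertIdentities:
    # Stand-in for values a real stack would extract from the peer's X.509 cert.
    chain_trusted: bool                                    # level (a) already decided
    common_name: str = ""
    subject_alt_names: List[Tuple[str, str]] = field(default_factory=list)
    # SAN kinds used below: ("DNS", "d"), ("URI", "sip:u@d"), ("email", "u@d")


def from_header_identity(header_value: str) -> Optional[str]:
    """Reduce a From: header value to 'user@domain' (domain lower-cased).

    Handles '"Name" <sip:u@d>;tag=x', 'sip:u@d;tag=x' and the bare '<u@d>'
    form used in the examples in the message. Returns None when no
    user@domain can be found. Ports are dropped; IPv6 hosts are not handled.
    """
    m = re.search(r"<([^>]*)>", header_value)
    addr = m.group(1) if m else header_value
    addr = addr.strip().split(";")[0].split("?")[0]       # drop params / headers
    addr = re.sub(r"^sips?:", "", addr, flags=re.IGNORECASE)
    if "@" not in addr:
        return None
    user, _, host = addr.rpartition("@")
    host = host.split(":")[0].lower()
    if not user or not host:
        return None
    return f"{user}@{host}"


def _split(identity: str) -> Tuple[str, str]:
    user, _, host = identity.rpartition("@")
    return user, host.lower()


def authorized_for_identity(cert: CertIdentities, from_header: str,
                            accept_email_certs: bool = False) -> bool:
    """True if the From: identity is authorised by the certificate identities."""
    if not cert.chain_trusted:                  # level (a) failed: never look at names
        return False
    identity = from_header_identity(from_header)
    if identity is None:
        return False
    user, host = _split(identity)

    candidates: List[Tuple[str, str]] = []
    if cert.common_name:
        candidates.append(("CN", cert.common_name))
    candidates.extend(cert.subject_alt_names)

    for kind, value in candidates:
        value = value.strip()
        if kind == "URI":
            if not re.match(r"^sips?:", value, re.IGNORECASE):
                continue                        # only sip:/sips: URIs are SIP identities
            value = re.sub(r"^sips?:", "", value, flags=re.IGNORECASE)
        elif kind == "email":
            if not accept_email_certs:
                continue                        # the "email cert hack" is off
        elif kind not in ("CN", "DNS"):
            continue                            # IP-address SANs etc. are ignored
        if "@" in value:                        # exact user@domain identity
            cu, ch = _split(value)
            if cu == user and ch == host:
                return True
        elif value.lower() == host:             # whole-domain identity (RFC 5922 style)
            return True
    return False


# Constructed sample certificates (hypothetical values, not real certs).
CERT1 = CertIdentities(True, common_name="daniel@example.org")
CERT2 = CertIdentities(True, common_name="proxy.pocock.com.au",
                       subject_alt_names=[("DNS", "pocock.com.au")])
EMAIL_CERT = CertIdentities(True, common_name="Daniel Pocock",
                            subject_alt_names=[("email", "daniel@example.org")])
UNTRUSTED = CertIdentities(False, common_name="daniel@example.org")

if __name__ == "__main__":
    for cert, hdr in [(CERT1, "<daniel@example.org>"), (CERT1, "<alice@example.org>"),
                      (CERT2, "<sip:anyone@pocock.com.au>"),
                      (CERT2, "<sip:anyone@sub.pocock.com.au>")]:
        print(f"{cert.common_name:22} From: {hdr:32} -> {authorized_for_identity(cert, hdr)}")
```

Note that a DNS SAN for pocock.com.au does not authorise sub.pocock.com.au, and an untrusted chain short-circuits before any name is compared; both are the behaviours a practitioner should test for when wiring this into a proxy.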