
Re: [reSIProcate] TLS client auth added


One other thing... there is now a wiki page for this too; it covers
client TLS, mutual TLS and server TLS in one place:

  https://www.resiprocate.org/TLSAuthentication

On 30/04/12 23:25, Daniel Pocock wrote:
> 
> 
> I've added TLS client cert authentication/authorization for resip, DUM
> and repro.
> 
> It should be completely optional, and the behavior of the stack should not
> change unless it is explicitly enabled and/or configured.
> 
> There are four possible TLS clients that come to mind:
> - Polycom phones will send a client cert if requested by TLS.  The cert
> contains the MAC address in the common name
> - Jitsi has a setting for it (I haven't tested it yet, but I can see a
> pull down menu for client certs in the SIP settings)
> - Lumicall will support it very soon
> - Using the command line tools `openssl s_client' or `gnutls-cli', you
> can pretend to be a TLS client, using any cert on your disk
> 
> There are two levels of checking:
> a) cert must be signed by a CA trusted by the stack
> b) the CN or one of the subjectAltName values must match the From:
> header of each SIP message on the TlsConnection
> 
> Examples:
> 
> Cert 1:
> common name = daniel@xxxxxxxxxxxxx
> => From: <daniel@xxxxxxxxxxxxx> is the only value that will pass
> 
> Cert 2:
> subjectAltName = pocock.com.au
> => From: <<anything>@pocock.com.au> will be accepted
> 
> Typically, case 1 is for a real client connection (e.g. Jitsi), case 2
> (whole domain) is for federated SIP proxy-to-proxy communication (RFC 5922)
> 
> Further notes:
> 
> - There is an optional hack to accept email certs as if they were
> sip-URI certs
> 
> - a further enhancement is needed to do mapping/translation of common
> names (e.g. for Polycom phones sending their MAC address in the cert) -
> this will probably be backed by the repro database and will require an
> async version of authorizedForThisIdentity()
> 
> 
> _______________________________________________
> resiprocate-devel mailing list
> resiprocate-devel@xxxxxxxxxxxxxxx
> https://list.resiprocate.org/mailman/listinfo/resiprocate-devel
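An added example of the level (b) identity check described in the quoted post, written here for illustration and not taken from reSIProcate, DUM or repro: it reduces a From: header to user@domain and tests it against the subject CN and the subjectAltName entries, with a bare domain (case 2) authorizing any user at that domain and the email-cert hack as an opt-in flag. The function name is borrowed from the post, but the signature, the "type:value" text form for SAN entries, and the omission of the CA check (level (a), left to the TLS handshake) are my assumptions.

```cpp
#include <cctype>
#include <string>
#include <vector>
static std::string lower(std::string s) {
    for (char& c : s) c = (char)std::tolower((unsigned char)c);
    return s;
}

// Reduce a From: value such as "D" <sip:d@host;user=phone>;tag=x to "d@host".
std::string fromIdentity(const std::string& from) {
    std::string s = from;
    size_t lt = s.find('<'), gt = s.find('>');
    if (lt != std::string::npos && gt > lt) s = s.substr(lt + 1, gt - lt - 1);
    size_t colon = s.find(':');
    std::string scheme = colon == std::string::npos ? "" : lower(s.substr(0, colon));
    if (scheme == "sip" || scheme == "sips") s = s.substr(colon + 1);
    return s.substr(0, s.find_first_of(";?"));  // drop URI params and headers
}

// Strip SAN type tags / URI schemes ("URI:sip:", "DNS:", "email:"), flagging rfc822Name entries.
static std::string stripTags(std::string n, bool& isEmail) {
    for (size_t c = 0; (c = n.find(':')) != std::string::npos; n = n.substr(c + 1)) {
        std::string k = lower(n.substr(0, c));
        if (k == "email") isEmail = true;
        else if (k != "uri" && k != "dns" && k != "sip" && k != "sips") break;
    }
    return n;
}

// Level (b) of the post: a bare domain authorizes any user at that domain (case 2); user@domain
// must match the user exactly, domain case-insensitively (case 1). Email names need the opt-in hack.
static bool nameMatches(const std::string& certName, const std::string& from, bool acceptEmail) {
    bool isEmail = false;
    std::string n = stripTags(certName, isEmail);
    if (n.empty() || (isEmail && !acceptEmail)) return false;
    size_t at = n.find('@'), fromAt = from.find('@');
    if (fromAt == std::string::npos) return false;  // From: carries no user@domain identity
    if (at == std::string::npos) return lower(n) == lower(from.substr(fromAt + 1));
    return n.substr(0, at) == from.substr(0, fromAt) &&
           lower(n.substr(at + 1)) == lower(from.substr(fromAt + 1));
}

// Hypothetical signature: subject CN, SAN entries as "type:value" text, raw From: header value.
bool authorizedForThisIdentity(const std::string& cn, const std::vector<std::string>& sans,
                               const std::string& fromHeader, bool acceptEmailCerts = false) {
    std::string from = fromIdentity(fromHeader);
    if (nameMatches(cn, from, acceptEmailCerts)) return true;
    for (const std::string& san : sans) if (nameMatches(san, from, acceptEmailCerts)) return true;
    return false;
}
```

A Polycom-style CN holding only a MAC address never matches a user@domain From: here, which is exactly the gap the post says a CN mapping/translation step would have to fill.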