The certificate configured at Kamailio is the 'server' certificate. The client certificate will be configured in the SIP client (e.g. the SIP phone).

The [server] section will require a client certificate from the softphone if require_certificate=yes. It will also validate the client certificate against the local configured valid ca_list by using verify_certificate=yes.

If now a SIP message enters the routing script and it was received by TLS you know that the SIP phone sent a client certificate which could be validated with the ca_list.

Now, if you want to differentiate softphones you have to take a look at the certificate parameters, e.g. using select framework:
http://sip-router.org/docbook/sip-router/branch/master/select_list/select_list.html#select_list.tls

e.g.
  if ( @tls.peer.subject.cn == "George Bush") ...

regards
Klaus

On 09.02.2011 17:39, Daniel GROTTI wrote:
> Hi all,
> I would like to use kamailio 3.1 with TLS and also verify a client
> certificate.
>
> My tls.cfg file is as follows:
>
>
> --- tls.cfg ----
>
> .....
> .....
>
> [server:MY_IP:5061]
> method = TLSv1
> verify_certificate = yes
> require_certificate = yes
> private_key = default_key.pem
> certificate = default_cert.pem
> ca_list = default_ca.pem
>
> [client:default]
> verify_certificate = no
> require_certificate = no
>
> ....
> ....
>
>
> So I want to verify the client certificate, to do that I use
> "is_peer_verified()" function in kamailio.cfg.
> As tls.cfg shows, I have to send to my clients the CA certificate and
> the client certificate (default_cert.pem + default_key.pem - signed
> by the CAcert).
> This client certificate is unique for all clients.
> Everything works fine.
>
> But suppose I wanted to create a client certificate for client 1
> (cert_1.crt), and a different client certificate for client 2
> (cert_2.crt) and I want to configure kamailio to be able to verify
> these different certificates.
>
> Is it possible? How can I configure the tls.cfg file to do that?
>
> I tried to do something like this:
>
> [server:MY_IP:5061]
> method = TLSv1
> verify_certificate = yes
> require_certificate = yes
> private_key = default_key_1.pem
> certificate = default_cert_1.pem
> private_key = default_key_2.pem
> certificate = default_cert_2.pem
> ca_list = default_ca.pem
>
>
> But when kamailio restarts it seems that it reads only the last pair
> of certificate/private_key rows.
>
> Regards,
>
>
> Daniel G
>
> _______________________________________________
> SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
> sr-users@lists.sip-router.org
> http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
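
The approach described in the reply, as an added example that is not part of the original thread: a kamailio.cfg routing fragment that keeps the single server certificate from the first quoted tls.cfg and tells clients apart by the subject CN of the certificate they present. It assumes the tls and sl modules are loaded, that the CA in ca_list issues each phone a certificate whose CN equals its SIP username, and that the select can be compared with $fU in a script expression.

```kamailio
# Added example (not from the thread). tls.cfg is unchanged from the first
# [server:MY_IP:5061] block in the question: ONE server certificate/key,
# verify_certificate = yes, require_certificate = yes, and a ca_list holding
# the CA that signed cert_1.crt, cert_2.crt and every other client cert.
# Per-client certificates are never listed in tls.cfg; they only have to
# chain to that CA.

route {
    # Refuse anything that did not arrive over TLS.
    if (proto != TLS) {
        sl_send_reply("403", "TLS required");
        exit;
    }

    # True only when the peer presented a certificate and its chain
    # validated against ca_list.
    if (!is_peer_verified()) {
        sl_send_reply("403", "No certificate or verification failed");
        exit;
    }

    # Assumption: CN == SIP username. A valid certificate alone proves
    # "some client of this CA"; this comparison binds the request's
    # From user to the one certificate issued for that user, so client 1
    # cannot send requests as client 2.
    if (@tls.peer.subject.cn != $fU) {
        sl_send_reply("403", "Certificate does not match From user");
        exit;
    }

    # From here on the request is tied to a single client certificate.
    # Continue with the normal routing logic (registrar, relay, ...).
}
```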