On 20.05.2013 21:27, Moacir Ferreira wrote:
I would appreciate some help on the following questions I have:
- If I use TLS mutual authentication, do I still need a subscriber
password or the TLS successful mutual session setup will assume that the
client is "trusted" so it can register what it is asking to register?
Indeed. The TLS-layer only checks the validity of the client
certificate. Thus, before calling save() (or setting up a call) you need
to check manually that a user is allowed to use a certain identity in
From/To headers.
This means, that have to check the user-id in the TLS certificate
against the user-id in the SIP message. For example if the client
certificates have the SIP username as common name:
if (@tls.peer.subj.cn != $fu) {
sl_send_reply("403");
}
Verify To header for REGISTER, R-URI for PUBLISH, and From header for
all others.
Available TLS variables:
http://sip-router.org/docbook/sip-router/branch/master/select_list/select_list.html#select_list.tls
- For large deployments, can I issue a single certificate and install it
on all my telephone sets making them "trusted" to me or I need one
certificate per telephone/subscriber?
It depends. If you want to rely purely on TLS for authentication (using
MTLS as described above) then you need dedicated certificates for each
client.
Actually I do not know a SIP client which supports TLS client
certficates. Therefore the usually used approach is TLS without client
certificates and SIP-based authentication (username+pw).
- Anyway, can you share your "good practices" advises for large deployment?
- Finally, do you know any free softphone that implements mutual TLS
authentication?
I am not aware of any.
regards
Klaus
_______________________________________________
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
sr-users@lists.sip-router.org
http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
