Iñaki Baz Castillo writes:
In order to implement it, I suggest the following
behaviour in sip-router:
- A client establishes a TLS session with sip-router.
- The client presents a TLS certificate.
- sip-router extracts the SIP identities of the certificate and stores
them, somehow, in attributes belonging to this TLS session (maybe
pseudovariables).
- In the logic script, it would be possible then to match the From
domain of the request (or whatever) against the list of SIP identities
in the certificate (so authentication is done).

inaki,
i do it simply by fetching client's (which may be another proxy too)
attributes from htable based on @tls.peer.subject.cn. one of the
attributes can be domain name and if so further attributes can be
fetched from domain_attrs table. very easy and has worked fine so
far.
-- juha
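
The two checks discussed in this thread, sketched in Python as an added example (not code from either poster or from sip-router). The function names, the `(type, value)` subjectAltName format, the rule that the CN counts only when the certificate has no subjectAltName, and the `PEER_ATTRS` table standing in for the htable are all assumptions of this sketch.

```python
import re

def sip_uri_parts(uri):
    """Split a SIP URI into (user, host); host is lower-cased, port/params dropped."""
    m = re.match(r"^sips?:(?:([^@]*)@)?([^;?]+)", uri.strip(), re.I)
    if not m:
        return None, None
    host = m.group(2)
    if not host.startswith("["):            # leave IPv6 literals untouched
        host = host.split(":", 1)[0]        # drop the port
    return m.group(1), host.lower().rstrip(".")

def cert_sip_domains(san, cn=None):
    """Domains a peer certificate may speak for (policy assumed by this example)."""
    domains = set()
    for kind, value in san:
        if kind == "DNS":
            domains.add(value.lower().rstrip("."))
        elif kind == "URI":
            user, host = sip_uri_parts(value)
            if host and user is None:       # sip:alice@host names a user, not a domain
                domains.add(host)
    if not san and cn:                      # CN only as a fallback when no SAN exists
        domains.add(cn.lower().rstrip("."))
    return domains

def from_domain_authenticated(from_uri, san, cn=None):
    """First approach: From domain must be one of the certificate's identities."""
    _, host = sip_uri_parts(from_uri)
    return host is not None and host in cert_sip_domains(san, cn)

# Constructed sample data: stands in for the htable keyed on the peer's subject CN.
PEER_ATTRS = {"proxy.example.net": {"domain": "example.net"}}

def from_domain_by_cn(from_uri, cn, peers=PEER_ATTRS):
    """Second approach: look up the peer by CN, compare its 'domain' attribute."""
    attrs = peers.get(cn)
    _, host = sip_uri_parts(from_uri)
    return bool(attrs) and host is not None and attrs.get("domain") == host

# Constructed subjectAltName entries for a sample peer certificate.
SAMPLE_SAN = [("DNS", "example.com"), ("URI", "sip:example.org"),
              ("URI", "sip:alice@example.net")]
```

Matching is exact and case-insensitive with no wildcard handling, so a peer whose certificate lists `example.com` is not accepted for `sub.example.com`.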