repro servers peer with each other in a federated manner just like SMTP servers for email, but using TLS mutual authentication to prevent impersonation.
Kamailio has TLS support and should be able to talk to such servers and other Kamailio servers in the same way.
It would be good to create a recommended sample configuration for this type of service and also add it to the RTC Quick Start Guide: http://rtcquickstart.org/guide/multi/sip-proxy.html
--- Reply to this email directly or view it on GitHub: https://github.com/kamailio/kamailio/issues/531
What is the issue with the current TLS sample?
--- Reply to this email directly or view it on GitHub: https://github.com/kamailio/kamailio/issues/531#issuecomment-192903422
Which example? In the modules/tls directory I saw these: https://github.com/kamailio/kamailio/blob/master/modules/tls/sip-router-tls.... https://github.com/kamailio/kamailio/blob/master/modules/tls/tls.cfg and they are very brief. Is there a more complete example somewhere else showing how to verify the client certificate ```subjectAltName``` or ```CN``` matches the ```From``` header of an incoming request?
In the manual: http://kamailio.org/docs/modules/4.3.x/modules/tls.html#tls.quick_start - this quick start section is very brief
http://kamailio.org/docs/modules/4.3.x/modules/tls.html#tls.p.tls_method - ```tls_method``` documentation isn't clear. ```SSLv23_method``` is actually a very good default and does not actually enable SSL 3.0 or below unless those are explicitly compiled into OpenSSL. This should really be emphasized.
http://kamailio.org/docs/modules/4.3.x/modules/tls.html#tls.p.require_certif... http://kamailio.org/docs/modules/4.3.x/modules/tls.html#tls.f.is_peer_verfie... - ```require_certificate``` and ```is_peer_verified``` are explained very briefly. Should ```is_peer_verified``` take an argument perhaps, to verify that the peer is verified for a specific URI or domain?
--- Reply to this email directly or view it on GitHub: https://github.com/kamailio/kamailio/issues/531#issuecomment-192922193
That is good feedback. Thank you. We will update the docs.
--- Reply to this email directly or view it on GitHub: https://github.com/kamailio/kamailio/issues/531#issuecomment-192922893
And CN is not the preferred match, as you know ;-)
--- Reply to this email directly or view it on GitHub: https://github.com/kamailio/kamailio/issues/531#issuecomment-192922936
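The check asked about earlier in the thread (does the verified peer certificate cover the domain in the ```From``` header, with ```CN``` as the least preferred match), as an added example that is not part of the thread and is not Kamailio or reSIProcate code. It assumes the TLS layer has already verified the chain and handed over the subjectAltName entries as (type, value) pairs; the function names and the precedence policy (SAN sip: URI without a user part, then SAN dNSName, CN only when no SAN exists) are assumptions of this example.

```python
import re

# scheme, optional user part, host (port and URI parameters are ignored)
SIP_URI = re.compile(r"\b(sips?):(?:([^@<>\s;]+)@)?([a-z0-9.-]+)", re.I)

def parse_sip_uri(text):
    """Return (user, host) for the first sip:/sips: URI in text, or None."""
    m = SIP_URI.search(text)
    if m is None:
        return None
    return m.group(2), m.group(3).lower().rstrip(".")

def cert_domains(san, cn=None):
    """Domains the certificate may speak for, under the assumed policy.

    san is a list of (type, value) pairs taken from subjectAltName,
    e.g. ("URI", "sip:example.org") or ("DNS", "example.org").
    """
    uri_hosts, dns_hosts = set(), set()
    for kind, value in san:
        if kind == "URI" and value.lower().startswith(("sip:", "sips:")):
            user, host = parse_sip_uri(value)
            # A URI with a user part identifies a user, not a domain.
            if user is None:
                uri_hosts.add(host)
        elif kind == "DNS":
            dns_hosts.add(value.lower().rstrip("."))
    if uri_hosts:
        return uri_hosts
    if dns_hosts:
        return dns_hosts
    # CN is consulted only when the certificate has no subjectAltName at all.
    return {cn.lower()} if cn and not san else set()

def peer_may_send_from(from_header, san, cn=None):
    """True if the verified peer certificate covers the From header's domain."""
    parsed = parse_sip_uri(from_header)
    if parsed is None:
        return False
    # Exact, case-insensitive match: no wildcards, no sub-domain matching.
    return parsed[1] in cert_domains(san, cn)

# Constructed sample data, not taken from any real deployment.
SAN = [("URI", "sip:example.org"), ("DNS", "proxy.example.org")]
FROM = '"Alice" <sip:alice@example.org>;tag=1928301774'

if __name__ == "__main__":
    print(peer_may_send_from(FROM, SAN))
    print(peer_may_send_from("<sip:bob@proxy.example.org>", SAN))
```

With the sample data, the first request is accepted and the second is rejected, because a domain-level sip: URI in the SAN takes precedence over the dNSName entry.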
On the ```SSLv23_method``` thing, some more verbose analysis is on the reSIProcate mailing list http://list.resiprocate.org/archive/resiprocate-devel/msg08801.html
Once there is a specific example with ```From``` header validation and it is in the Debian and Fedora packages, would you like to contribute a pull request about it for the RTC Quick Start Guide?
--- Reply to this email directly or view it on GitHub: https://github.com/kamailio/kamailio/issues/531#issuecomment-192926050
Updated the title to indicate what needs to be changed in Kamailio.
--- You are receiving this because you are subscribed to this thread. Reply to this email directly or view it on GitHub: https://github.com/kamailio/kamailio/issues/531#issuecomment-204268174
Over time there have been several improvements to the TLS docs. I just did some updates to the overview/getting started section, to refer to the fact that the default kamailio.cfg has TLS inside and it needs to be enabled via #!define WITH_TLS. The provided tls.cfg has more examples of profiles. The tls method doc section now lists all available options for it.
I am closing this issue; if something else is wanted, open a new one with what is (still) missing or should be added.
Closed #531.