Hello,
you can set the ca_list file with those ca certificates you want to accept:
http://kamailio.org/docs/modules/stable/modules/tls.html#ca_list
Alternatively, you accept all certificates and then use pv conditions to see and restrict the access based on who signed/emitted the client certificate.
Cheers, Daniel
On 5/27/13 10:59 PM, Moacir Ferreira wrote:
Thanks for the clarifications.
Now, when we ask the client to have a certificate, where do we control what client certificates will be accepted? I.e.: I don't want any valid certificate to authenticate but only those ones I accept as valid.
Moacir
Date: Thu, 23 May 2013 10:34:09 +0200
From: klaus.mailinglists@pernau.at
To: miconda@gmail.com; sr-users@lists.sip-router.org
Subject: Re: [SR-Users] TLS
On 22.05.2013 11:19, Daniel-Constantin Mierla wrote:
- Finally, do you know any free softphone that implements mutual TLS authentication?
I am not aware of any.
Like the softphone authenticating the server based on server certificate?
MTLS just means, that the TLS server requires a certificate from the TLS client. Thus, between SIP clients and SIP server this merely means that not only the client authenticates the proxy, but the proxy also authenticates the client based on the client's TLS certificate.
Nice that Jitsi supports it - although I failed to configure Jitsi :-) If someone fails configuring TLS for Jitsi, see this howto:
http://www.resiprocate.org/ReproMutualTLSAuthenticationJitsi#Setting_up_Jits...
I just found out that my QjSimple [1] also supports client certificates :-)
regards Klaus
[1] http://www.ipcom.at/en/telephony/qjsimple/
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list sr-users@lists.sip-router.org http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
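The two options from the reply at the top of this thread (a restricted ca_list, and pseudo-variable checks in the routing script), written out as an added example that is not part of the original messages or of the Kamailio project's own configuration. File paths and the issuer name "Example Customer CA" are placeholders; the script part uses the tls module's `$tls_peer_verified` and `$tls_peer_issuer_cn` pseudo-variables.

```cfg
# ---- tls.cfg (location is an assumption: /etc/kamailio/tls.cfg) ----
# Option 1: trust only the CAs you list. A client certificate that does not
# chain to one of them fails verification during the TLS handshake.
[server:default]
verify_certificate  = yes   # validate the client's certificate chain
require_certificate = yes   # refuse clients that present no certificate
private_key = /etc/kamailio/certs/server.key        # placeholder path
certificate = /etc/kamailio/certs/server.pem        # placeholder path
ca_list     = /etc/kamailio/certs/accepted-cas.pem  # PEM bundle: accepted CAs only

# ---- kamailio.cfg ----
loadmodule "sl.so"
loadmodule "tls.so"
modparam("tls", "config", "/etc/kamailio/tls.cfg")

# Option 2: ca_list holds a broader set of CAs and the routing script
# narrows access by looking at who issued the peer certificate.
request_route {
    if (proto == TLS) {
        # Issuer and subject strings are only trustworthy after the chain
        # has been verified, so test that first.
        if (!$tls_peer_verified) {
            sl_send_reply("403", "Client certificate not verified");
            exit;
        }
        # "Example Customer CA" is a placeholder issuer common name.
        if ($tls_peer_issuer_cn != "Example Customer CA") {
            sl_send_reply("403", "Client certificate issuer not accepted");
            exit;
        }
    }
    # ... normal request handling continues here ...
}
```

With `verify_certificate = no` the issuer check alone proves nothing, because an unverified certificate can carry any issuer name.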