3 Jan
2007
3 Jan
'07
3:09 p.m.
Hello,
I have a few questions about how to secure SIP messages...
IPSec or TLS can be used to guarantee privacy, integrity and
authenticity of transmitted data. But SIP is only payload/data for
these protocols.
Digest Authentication does only guarantee authenticity...
S/MIME seems to be interesting but I don't know any implementation in
a SIP client.
My questions:
- Is there any mechanism that prevents me from corrupting or faking
SIP messages?
- Is it possible to create a kind of binding between the certificates
used for TLS/IPSec and the SIP accounts?
Thanks for your answers...
Best regards,
Steffen
3 Jan
3 Jan
6:23 p.m.
Steffen Witt wrote:
Hello,
I have a few questions about how to secure SIP messages...
IPSec or TLS can be used to guarantee privacy, integrity and
authenticity of transmitted data. But SIP is only payload/data for
these protocols.
Digest Authentication does only guarantee authenticity...
S/MIME seems to be interesting but I don't know any implementation in
a SIP client.
My questions:
- Is there any mechanism that prevents me from corrupting or faking
SIP messages?
What do you want? Do you want to manipulate SIP messages or do you want
that nobody can manipulate your SIP messages?
- Is it possible to create a kind of binding between
the certificates
used for TLS/IPSec and the SIP accounts?
Not for IPsec as IPsec is not in the application. Thus, the application
has no access to any IPsec settings - it even does not know if a message
is sent via IPsec or not.
Regarding TLS: Usually you use TLS for encryption and digest for
authentication.
Using TLS certificates for clients is not that simple. You can't use
host certificates as the IP address and hostnames of the clients will
change. Thus, the TLS certificate must be for a sip URI (for details see
RFC 3261). Then you could use the pseudo variable exported by tlsops
module to compare the certificate parameter against the From: URI. This
will work for incoming requests, but not for outgoing requests (when you
want to compare the certificate name against the To or Request URI)
regards
klaus
Thanks for your answers...
Best regards,
Steffen
_______________________________________________
Users mailing list
Users(a)openser.org
http://openser.org/cgi-bin/mailman/listinfo/users
--
Klaus Darilion
nic.at
4 Jan
4 Jan
10:54 a.m.
Hello,
I want to prevent manipulation of SIP messages.
Thanks for the info.
Best regards,
Steffen
My questions:
- Is there any mechanism that prevents me from corrupting or faking
SIP messages?
What do you want? Do you want to manipulate SIP messages or do you want
that nobody can manipulate your SIP messages? - Is it
possible to create a kind of binding between the certificates
used for TLS/IPSec and the SIP accounts?
Not for IPsec as IPsec is not in the application. Thus, the application
has no access to any IPsec settings - it even does not know if a message
is sent via IPsec or not.
Regarding TLS: Usually you use TLS for encryption and digest for
authentication.
Using TLS certificates for clients is not that simple. You can't use
host certificates as the IP address and hostnames of the clients will
change. Thus, the TLS certificate must be for a sip URI (for details see
RFC 3261). Then you could use the pseudo variable exported by tlsops
module to compare the certificate parameter against the From: URI. This
will work for incoming requests, but not for outgoing requests (when you
want to compare the certificate name against the To or Request URI)
12:46 p.m.
Steffen Witt wrote:
Thanks for the info.
Best regards,
Steffen
--
Klaus Darilion
nic.at
Hello,
I want to prevent manipulation of SIP messages.
Then use TLS for encryption of the SIP signaling, and for authentication
of the SIP proxy to the client. To authenticate the client against the
SIP proxy you still need digest authentication.
regards
klaus
My
questions:
- Is there any mechanism that prevents me from corrupting or faking
SIP messages?
What do you want? Do you want to manipulate SIP messages or do you want
that nobody can manipulate your SIP messages? - Is it
possible to create a kind of binding between the certificates
used for TLS/IPSec and the SIP accounts?
Not for IPsec as IPsec is not in the application. Thus, the application
has no access to any IPsec settings - it even does not know if a message
is sent via IPsec or not.
Regarding TLS: Usually you use TLS for encryption and digest for
authentication.
Using TLS certificates for clients is not that simple. You can't use
host certificates as the IP address and hostnames of the clients will
change. Thus, the TLS certificate must be for a sip URI (for details see
RFC 3261). Then you could use the pseudo variable exported by tlsops
module to compare the certificate parameter against the From: URI. This
will work for incoming requests, but not for outgoing requests (when you
want to compare the certificate name against the To or Request URI)
6532
days inactive
6533
days old
3 comments
2 participants
participants (2)
-
Klaus Darilion -
Steffen Witt