I would appreciate some help on the following questions I have:
- If I use TLS mutual authentication, do I still need a subscriber password, or will a successful TLS mutual session setup assume that the client is "trusted" so it can register what it is asking to register?
- For large deployments, can I issue a single certificate and install it on all my telephone sets, making them "trusted" to me, or do I need one certificate per telephone/subscriber?
- Anyway, can you share your "good practices" advice for large deployments?
- Finally, do you know any free softphone that implements mutual TLS authentication?
Thanks,
Moacir
On 20.05.2013 21:27, Moacir Ferreira wrote:
> I would appreciate some help on the following questions I have:
> - If I use TLS mutual authentication, do I still need a subscriber password, or will a successful TLS mutual session setup assume that the client is "trusted" so it can register what it is asking to register?
Indeed. The TLS layer only checks the validity of the client certificate. Thus, before calling save() (or setting up a call) you need to check manually that a user is allowed to use a certain identity in From/To headers.
This means that you have to check the user-id in the TLS certificate against the user-id in the SIP message. For example, if the client certificates have the SIP username as common name:
    # reject the request unless the certificate CN equals the From username ($fU)
    if (@tls.peer.subj.cn != $fU) { sl_send_reply("403", "Forbidden"); }
Verify To header for REGISTER, R-URI for PUBLISH, and From header for all others.
Available TLS variables: http://sip-router.org/docbook/sip-router/branch/master/select_list/select_li...
> - For large deployments, can I issue a single certificate and install it on all my telephone sets, making them "trusted" to me, or do I need one certificate per telephone/subscriber?
It depends. If you want to rely purely on TLS for authentication (using MTLS as described above) then you need dedicated certificates for each client.
Actually I do not know a SIP client which supports TLS client certificates. Therefore the usually used approach is TLS without client certificates and SIP-based authentication (username+pw).
> - Anyway, can you share your "good practices" advice for large deployments?
> - Finally, do you know any free softphone that implements mutual TLS authentication?
I am not aware of any.
regards Klaus
Hello,
On 5/21/13 9:02 AM, Klaus Darilion wrote:
> On 20.05.2013 21:27, Moacir Ferreira wrote:
>> I would appreciate some help on the following questions I have:
>> - If I use TLS mutual authentication, do I still need a subscriber password, or will a successful TLS mutual session setup assume that the client is "trusted" so it can register what it is asking to register?
> Indeed. The TLS layer only checks the validity of the client certificate. Thus, before calling save() (or setting up a call) you need to check manually that a user is allowed to use a certain identity in From/To headers.
> This means that you have to check the user-id in the TLS certificate against the user-id in the SIP message. For example, if the client certificates have the SIP username as common name:
>     # reject the request unless the certificate CN equals the From username ($fU)
>     if (@tls.peer.subj.cn != $fU) { sl_send_reply("403", "Forbidden"); }
> Verify To header for REGISTER, R-URI for PUBLISH, and From header for all others.
> Available TLS variables: http://sip-router.org/docbook/sip-router/branch/master/select_list/select_li...
There can be the option of using a particular root certificate for signing client certificates and then accepting only those certificates.
This allows accepting traffic even without prior knowledge of the username (e.g., the common case of downloading a branded app after creating an account on some portal/service). In this case there is no need to check the headers; all traffic from trusted certificates is ok.
>> - For large deployments, can I issue a single certificate and install it on all my telephone sets, making them "trusted" to me, or do I need one certificate per telephone/subscriber?
> It depends. If you want to rely purely on TLS for authentication (using MTLS as described above) then you need dedicated certificates for each client.
> Actually I do not know a SIP client which supports TLS client certificates. Therefore the usually used approach is TLS without client certificates and SIP-based authentication (username+pw).
Jitsi has supported it for at least a few years; I used it. Also, there are some hard phones doing it now (like Cisco, Yealink, Aastra, iirc).
>> - Anyway, can you share your "good practices" advice for large deployments?
>> - Finally, do you know any free softphone that implements mutual TLS authentication?
> I am not aware of any.
Like the softphone authenticating the server based on server certificate?
Cheers, Daniel
On 22.05.2013 11:19, Daniel-Constantin Mierla wrote:
>>> - Finally, do you know any free softphone that implements mutual TLS authentication?
>> I am not aware of any.
> Like the softphone authenticating the server based on server certificate?
MTLS just means that the TLS server requires a certificate from the TLS client. Thus, between SIP clients and SIP server this merely means that not only the client authenticates the proxy, but the proxy also authenticates the client based on the client's TLS certificate.
Nice that Jitsi supports it - although I failed to configure Jitsi :-) If someone fails configuring TLS for Jitsi, see this howto: http://www.resiprocate.org/ReproMutualTLSAuthenticationJitsi#Setting_up_Jits...
I just found out that my QjSimple [1] also supports client certificates :-)
regards Klaus
Thanks for the clarifications.
Now, when we ask the client to have a certificate, where do we control which client certificates will be accepted? I.e.: I don't want any valid certificate to authenticate, but only those ones I accept as valid.
Moacir
> Date: Thu, 23 May 2013 10:34:09 +0200 From: klaus.mailinglists@pernau.at To: miconda@gmail.com; sr-users@lists.sip-router.org Subject: Re: [SR-Users] TLS
> [1] http://www.ipcom.at/en/telephony/qjsimple/
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list sr-users@lists.sip-router.org http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
Hello,
you can set the ca_list file with those CA certificates you want to accept:
http://kamailio.org/docs/modules/stable/modules/tls.html#ca_list
Alternatively, you accept all certificates and then use pv conditions to see and restrict the access based on who signed/emitted the client certificate.
Cheers, Daniel
On 5/27/13 10:59 PM, Moacir Ferreira wrote:
> Thanks for the clarifications.
> Now, when we ask the client to have a certificate, where do we control which client certificates will be accepted? I.e.: I don't want any valid certificate to authenticate, but only those ones I accept as valid.
> Moacir
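Putting Klaus's identity check and Daniel's CA restriction together, as an added example that is not code from the thread or from the Kamailio project: a kamailio.cfg fragment that accepts only client certificates chaining to the CAs in ca_list, additionally pins the issuer CN with a pv condition, and then compares the certificate CN with the identity each method asserts (To for REGISTER, R-URI for PUBLISH, From otherwise). The CA name "Example VoIP CA", the ca_list path and the route name are assumptions.

```cfg
#!KAMAILIO
# Added example, not code from the thread or the Kamailio project.
# Assumes: tls, sl, textops and xlog modules available; client certs carry
# the SIP username in the subject CN; they are issued by an internal CA
# whose CN is "Example VoIP CA" (constructed name); ca_list path is assumed.

loadmodule "tls.so"
loadmodule "sl.so"
loadmodule "textops.so"
loadmodule "xlog.so"

# Daniel's first option: only certificates chaining to the CAs in ca_list
# are accepted, and a client presenting no certificate is refused.
modparam("tls", "verify_certificate", 1)
modparam("tls", "require_certificate", 1)
modparam("tls", "ca_list", "/etc/kamailio/tls/ca_list.pem")

# Call this route before save() for REGISTER and before relaying other
# requests; it never lets a TLS client assert an identity its cert lacks.
route[TLS_CLIENT_AUTH] {
    if ($proto != "tls") {
        # not a TLS client: leave it to the normal digest-auth path
        return;
    }
    # Daniel's second option, kept as a second line of defence: pin the
    # issuer even though ca_list already restricts it.
    if ($tls_peer_verified != 1 || $tls_peer_issuer_cn != "Example VoIP CA") {
        sl_send_reply("403", "Forbidden");
        exit;
    }
    # Klaus's rule for which SIP identity the request asserts:
    # To for REGISTER, R-URI for PUBLISH, From for everything else.
    if (is_method("REGISTER")) {
        $var(uid) = $tU;
    } else if (is_method("PUBLISH")) {
        $var(uid) = $rU;
    } else {
        $var(uid) = $fU;
    }
    if ($tls_peer_subject_cn != $var(uid)) {
        xlog("L_WARN", "cert CN $tls_peer_subject_cn does not match SIP identity $var(uid) from $si\n");
        sl_send_reply("403", "Forbidden");
        exit;
    }
    # certificate identity matches the SIP identity; continue with save()/relay
}
```

Invoke it as route(TLS_CLIENT_AUTH) from the request route before save() or the relay step; the xlog line gives a defender a mismatch record per source IP without leaking anything to the client beyond the 403.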