Goal (short description)

Usage of SIP Identity (RFC 4474)

Applicability

User Agent A --TLS--> proxy domainA --Identity (TLS)--> proxy domainB --Identity (TLS, UDP, TCP)--> User Agent B

The authentication service runs on the proxy of the caller's domain (domainA) and signs outbound requests; the verifier runs on the proxy of the called domain (domainB) and checks the signature before forwarding to the callee.

TLS and Identity do not work together yet; there is an intermodule conflict. It has been reported to the developer.

Prerequisites

  • Linux machine
  • SER version 2.1 (current CVS version)
  • Server certificate and private key in PEM format
  • CA list: the trusted certificate authorities, in PEM format (used to validate the certificates of other domains)
  • Web server from which other domains can download your certificate (this is the URL sent in Identity-Info)

SER head CVS branch

export CVSROOT=:pserver:anonymous@cvs.berlios.de:/cvsroot/ser
cvs co sip_router

Compiling the source

Make everything

make group_include="standard" include_modules="tls auth_identity" all

Install it (this runs make first)

make group_include="standard" include_modules="tls auth_identity" install

You can adjust the set of compiled modules with the group_include, include_modules and exclude_modules parameters.
The print-modules target shows the set of modules that will be compiled:

make group_include="standard" include_modules="tls auth_identity" print-modules

This is a CVS version; if some other non-critical module fails to build, just leave it out with exclude_modules="module_name1 module_name2".

Configuration

Edit your ser.cfg

Load the module

# ------------------ module loading ----------------------------------
loadmodule "/usr/local/lib/ser/modules/auth_identity.so"

Set the parameters

# ----------------- setting module-specific parameters ---------------
modparam("auth_identity","privatekey_path","/etc/certs/key.pem")
modparam("auth_identity","certificate_path","/etc/certs/cert.pem")
modparam("auth_identity","cainfo_path","/etc/certs/ca_list.pem")
modparam("auth_identity","certificate_url","http://sip.domainA.net/cert.pem")

Add the identity

if (!uri==myself) {
        # mark routing logic in request
        append_hf("P-hint: outbound\r\n");

        if (from_uri==myself) {
                # authenticate the sender HERE (digest or TLS client auth)
                # before signing: Identity vouches for the From URI, so only
                # an authenticated user of our own domain may be signed
                route(IDENTITY);
                route(FORWARD);
        }
        else {
                sl_reply("400", "Not Relay");
        }
}
route[IDENTITY]
{
        if (method=="INVITE" || method=="BYE" || method=="OPTIONS" || method=="ACK") {
                # Identity and Identity-Info headers must not already be present
                if (@identity) {
                        t_reply("403", "Invalid Identity header");
                        drop;
                }
                if (@identity_info) {
                        t_reply("403", "Invalid Identity-Info header");
                        drop;
                }
                # check the Date header that the signature will cover
                if (!auth_date_proc()) {
                        t_reply("403", "Invalid Date value");
                        drop;
                }
                # compute the signature and add Identity and Identity-Info
                if (!auth_add_identity()) {
                        t_reply("480", "Authentication error");
                        drop;
                }
        }
}

Verificator

if (uri==myself) {

        if (@identity) {
                route(VERIFY);
        }
        ....
route[VERIFY]
{
        # t_newtran() fails for a retransmission of a request we are already
        # handling; drop it instead of verifying it again
        if (!t_newtran()) {
                sl_reply("500", "Internal error newtran");
                drop;
        }
        if (method=="INVITE" || method=="BYE" || method=="OPTIONS" || method=="ACK") {
                # Identity and Identity-Info are required for verification
                if (!@identity) {
                        t_reply("428", "Use Identity Header");
                        drop;
                }
                if (!@identity_info) {
                        t_reply("436", "Bad Identity-Info");
                        drop;
                }
                # a Date outside the allowed window means the message is stale
                if (!vrfy_check_date()) {
                        t_reply("403", "Outdated Date header value");
                        drop;
                }
                # fetch the signer's certificate from the Identity-Info URL
                if (!vrfy_get_certificate()) {
                        t_reply("436", "Bad Identity-Info");
                        drop;
                }
                # validate the certificate against the CA list
                if (!vrfy_check_certificate()) {
                        t_reply("437", "Unsupported Certificate");
                        drop;
                }
                # check the signature over the message
                if (!vrfy_check_msgvalidity()) {
                        t_reply("438", "Invalid Identity Header");
                        drop;
                }
                # reject a signed message whose Call-ID was already seen
                if (!vrfy_check_callid()) {
                        t_reply("403", "Message is replayed");
                        drop;
                }
        }
}
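The two sides of the exchange that route[IDENTITY] and route[VERIFY] above drive, as an added Python example (it is not code from SER or the auth_identity module): the authentication service builds the RFC 4474 digest-string from From, To, Call-ID, CSeq, Date, Contact and body, signs it and adds Identity and Identity-Info; the verifier checks the headers, the Date window, the signature and a Call-ID/CSeq replay cache, returning the SIP status the route would send. Assumptions: a toy textbook RSA key (built from two Mersenne primes) stands in for key.pem, cert.pem, the certificate fetch and the CA-list check, which are done with real PKCS#1 v1.5 RSA-SHA1 and X.509 in a deployment; the INVITE and all names (SAMPLE_INVITE, add_identity, Verifier, the domainA/domainB hosts) are constructed for this example.

```python
"""RFC 4474 Identity: authentication service (signer) and verifier.
Added example, not SER/auth_identity code; the RSA key is a toy stand-in."""
import base64
import hashlib
import time
from datetime import datetime, timezone
from email.utils import format_datetime, parsedate_to_datetime

# Hypothetical key: textbook RSA over the raw SHA-1 digest, using the Mersenne
# primes 2^89-1 and 2^107-1. A real service signs with PKCS#1 v1.5 RSA-SHA1
# using key.pem; the verifier fetches cert.pem from the Identity-Info URL and
# checks it against the CA list. Both are assumed here so this runs offline.
_P, _Q = (1 << 89) - 1, (1 << 107) - 1
_N, _E = _P * _Q, 65537
_D = pow(_E, -1, (_P - 1) * (_Q - 1))

def _sign(data: bytes) -> bytes:
    h = int.from_bytes(hashlib.sha1(data).digest(), "big")   # 160 bits < N
    return pow(h, _D, _N).to_bytes((_N.bit_length() + 7) // 8, "big")

def _verify(data: bytes, sig: bytes) -> bool:
    h = int.from_bytes(hashlib.sha1(data).digest(), "big")
    return pow(int.from_bytes(sig, "big"), _E, _N) == h

def parse_sip(raw: str):
    """Split a request into (request line, {lowercased name: value}, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), value.strip())
    return lines[0], headers, body

def addr_spec(value: str) -> str:
    """'"Alice" <sip:alice@domainA.net>;tag=1' -> 'sip:alice@domainA.net'."""
    if "<" in value:
        return value[value.index("<") + 1:value.index(">")]
    return value.split(";")[0].strip()

def host_of(uri: str) -> str:
    host = uri.split(":", 1)[1].rsplit("@", 1)[-1]
    return host.split(";")[0].split(":")[0].lower()

def digest_string(headers: dict, body: str) -> bytes:
    """RFC 4474 section 9: From|To|Call-ID|CSeq|Date|Contact|body."""
    contact = addr_spec(headers["contact"]) if "contact" in headers else ""
    return "|".join([addr_spec(headers["from"]), addr_spec(headers["to"]),
                     headers["call-id"], " ".join(headers["cseq"].split()),
                     headers["date"], contact, body]).encode()

def add_identity(raw: str, our_domain: str, cert_url: str, now=time.time) -> str:
    """Authentication service: what route[IDENTITY] does to one request."""
    head, _, body = raw.partition("\r\n\r\n")
    _, headers, _ = parse_sip(raw)
    if "identity" in headers or "identity-info" in headers:
        raise ValueError("403 Invalid Identity header")    # never re-sign
    if host_of(addr_spec(headers["from"])) != our_domain.lower():
        raise ValueError("403 Not Relay")     # only vouch for our own domain
    extra = []
    if "date" not in headers:                 # Date is part of what is signed
        stamp = datetime.fromtimestamp(now(), timezone.utc)
        headers["date"] = format_datetime(stamp, usegmt=True)
        extra.append("Date: " + headers["date"])
    sig = base64.b64encode(_sign(digest_string(headers, body))).decode()
    extra += [f'Identity: "{sig}"', f"Identity-Info: <{cert_url}>;alg=rsa-sha1"]
    return head + "\r\n" + "\r\n".join(extra) + "\r\n\r\n" + body

class Verifier:
    """Verifier: what route[VERIFY] does; returns the SIP status it would send."""
    def __init__(self, window: int = 3600, now=time.time):
        self.window, self.now = window, now
        self.seen = {}   # (Call-ID, CSeq) -> expiry: the replay cache

    def verify(self, raw: str) -> str:
        _, headers, body = parse_sip(raw)
        if "identity" not in headers:
            return "428 Use Identity Header"
        info = headers.get("identity-info", "")
        if not info.startswith("<") or "alg=rsa-sha1" not in info:
            return "436 Bad Identity-Info"
        try:   # the Date must lie inside the window RFC 4474 allows
            sent = parsedate_to_datetime(headers["date"]).timestamp()
        except (KeyError, TypeError, ValueError):
            return "403 Outdated Date header value"
        if abs(self.now() - sent) > self.window:
            return "403 Outdated Date header value"
        sig = base64.b64decode(headers["identity"].strip('"'))
        if not _verify(digest_string(headers, body), sig):
            return "438 Invalid Identity Header"
        key = (headers["call-id"], " ".join(headers["cseq"].split()))
        self.seen = {k: t for k, t in self.seen.items() if t > self.now()}
        if key in self.seen:   # same Call-ID and CSeq inside the Date window
            return "403 Message is replayed"
        self.seen[key] = self.now() + self.window
        return "200 OK"

# Constructed sample request from a UA in domainA (not a captured message).
SAMPLE_INVITE = (
    "INVITE sip:bob@domainB.net SIP/2.0\r\n"
    "Via: SIP/2.0/TLS ua1.domainA.net;branch=z9hG4bK776asdhds\r\n"
    "From: \"Alice\" <sip:alice@domainA.net>;tag=1928301774\r\n"
    "To: Bob <sip:bob@domainB.net>\r\n"
    "Call-ID: a84b4c76e66710@ua1.domainA.net\r\n"
    "CSeq: 314159 INVITE\r\n"
    "Contact: <sip:alice@ua1.domainA.net;transport=tls>\r\n"
    "Content-Type: application/sdp\r\n"
    "Content-Length: 3\r\n"
    "\r\n"
    "v=0"
)
```

Signing SAMPLE_INVITE with add_identity(SAMPLE_INVITE, "domainA.net", "https://sip.domainA.net/cert.pem") and passing the result to Verifier().verify() gives "200 OK"; passing the same message a second time gives "403 Message is replayed", editing the To URI gives "438 Invalid Identity Header", and a message signed with an old Date gives "403 Outdated Date header value". The replay cache is keyed on Call-ID plus CSeq rather than Call-ID alone so that the BYE of the same dialog is still accepted; genuine retransmissions never reach it because t_newtran() drops them first, as in route[VERIFY] above. Keeping cache entries for the same 3600-second Date window is what makes the two checks complementary: a message older than the window is rejected by the Date check, a newer copy by the cache.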

OS specific help

Validation, confirmation tests
