...
Applicability
User Agent A - - TLS -- — > proxy domainA -- domainA — Identity (TLS) -- — > proxy domainB -- domainB — Identity (TLS,UDP,TCP) -- — > User Agent B
TLS and Identity doesn't work together yet, ther there is some intermodule conflict. It was reported to developer.
Prerequisites
...
- Linux machine
...
- SER version 2.1 - Current cvs version
...
- Server certificate and private key in PEM fomrat
...
- CA list - list of trusted authorities in PEM format
- web server to allow others to download your certificate
Ser head cvs branch
No Format |
---|
export CVSROOT=:pserver:anonymous@cvs.berlios.de:/cvsroot/ser cvs co sip_router |
*Compiling of source*
Make everything
No Format |
---|
make group_include="standard" include_modules="tls auth_identity" all |
...
No Format |
---|
make group_include="standard" include_modules="tls auth_identity" install
|
You can adjust compiled modules by group_include, include_modules and exclude_modules parameters.
Print-modules parameter show set of modules that will compiled.
No Format |
---|
make group_include="standard" include_modules="tls auth_identity" print-modules
|
Configuration
...
It cvs version, if any other non-critical module make problmes, just remove him with exclude_modules="module_name1 module_name2"
Configuration
Edit your ser.cfg
Load the module
No Format |
---|
# ------------------ module loading ----------------------------------
loadmodule "/usr/local/lib/ser/modules/auth_identity.so"
|
Set the parameters
No Format |
---|
# ----------------- setting module-specific parameters ---------------
modparam("auth_identity","privatekey_path","/etc/certs/key.pem")
modparam("auth_identity","certificate_path","/etc/certs/cert.pem")
modparam("auth_identity","cainfo_path","/etc/certs/ca_list.pem")
modparam("auth_identity","certificate_url","http://sip.domainA.net/cert.pem")
|
Add the identity
No Format |
---|
if (!uri==myself) {
# mark routing logic in request
append_hf("P-hint: outbound\r\n");
if (from_uri==myself) {
#insert authentication HERE
route(IDENTITY);
route(FORWARD);
}
else {sl_reply("400", "Not Relay");}
}
|
No Format |
---|
route[IDENTITY]
{
if (method=="INVITE" || method=="BYE" || method=="OPTION" || method=="ACK") {
# Identity and Identity-info headers must not exist
if (@identity) {
t_reply("403", "Invalid Identity header");
drop;
}
if (@identity_info) {
t_reply("403", "Invalid Identity-info header");
drop;
}
if (!auth_date_proc()) {
t_reply("403", "Invalid Date value");
drop;
}
if (!auth_add_identity()) {
t_reply("480", "Authentication error");
drop;
}
}
}
|
Verificator
No Format |
---|
if (uri==myself) {
if (@identity) {
route(VERIFY);
}
....
|
No Format |
---|
route[VERIFY]
{
# if we've already processed this message then we drop it
if (!t_newtran()) {
sl_reply("500", "Internal error newtran");
drop;
}
if (method=="INVITE" || method=="BYE" || method=="OPTION" || method=="ACK") {
# Identity and Identity-info are required for verification
if (!@identity) {
t_reply("428", "Use Identity Header");
drop;
}
if (!@identity_info) {
t_reply("436", "Bad Identity-Info");
drop;
}
if (!vrfy_check_date()) {
t_reply("403", "Outdated Date header value");
drop;
}
if (!vrfy_get_certificate()) {
t_reply("436", "Bad Identity-Info");
drop;
}
if (!vrfy_check_certificate()) {
t_reply("437", "Unsupported Certificate");
drop;
}
if (!vrfy_check_msgvalidity()) {
t_reply("438", "Invalid Identity Header");
drop;
}
if (!vrfy_check_callid()) {
t_reply("403", "Message is replayed");
drop;
}
}
}
|