...
Applicability
User Agent A --TLS--> proxy domainA --Identity (TLS)--> proxy domainB --Identity (TLS, UDP, TCP)--> User Agent B
TLS and Identity do not work together yet; there is some inter-module conflict. It was reported to the developer.
Prerequisites
- Linux machine
- SER version 2.1 - current CVS version
- Server certificate and private key in PEM format
- CA list - list of trusted authorities in PEM format
- web server to allow others to download your certificate
...
# ----------------- setting module-specific parameters ---------------
# Certificate chain used when verifying peers: a list of trusted CAs in PEM format.
modparam("auth_identity","cainfo_path","/etc/certs/ca_list.pem")
# Our own certificate (PEM) and the private key that signs the Identity header.
# The key must be readable by the SER process; keep it readable by nothing else.
modparam("auth_identity","certificate_path","/etc/certs/cert.pem")
modparam("auth_identity","privatekey_path","/etc/certs/key.pem")
# URL the remote verifier fetches our certificate from (vrfy_get_certificate on the
# peer side), so it must be reachable from other domains and serve the same cert
# as certificate_path. It is fetched over plain HTTP here; the peer's trust in it
# rests on its own CA-list check (vrfy_check_certificate), not on the transport.
modparam("auth_identity","certificate_url","http://sip.domainA.net/cert.pem")
Add the identity
if (!uri==myself) {
    # request leaves this domain: tag it so later routes know it is outbound
    append_hf("P-hint: outbound\r\n");
    if (!(from_uri==myself)) {
        # callers not claiming our domain in From are refused rather than relayed
        sl_reply("400", "Not Relay");
    } else {
        # insert authentication HERE: the signature added in route(IDENTITY)
        # vouches for the From identity, so the sender has to be authenticated
        # before this point or the proxy signs an unverified claim
        route(IDENTITY);
        route(FORWARD);
    }
}
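route[IDENTITY]
{
    # Sign only these request methods. The SIP method is spelled "OPTIONS";
    # the original "OPTION" could never match, so OPTIONS requests went unsigned.
    if (method=="INVITE" || method=="BYE" || method=="OPTIONS" || method=="ACK") {
        # A request we are about to sign must not already carry Identity or
        # Identity-Info; an inbound header here is rejected, not passed through.
        if (@identity) {
            t_reply("403", "Invalid Identity header");
            drop;
        }
        if (@identity_info) {
            t_reply("403", "Invalid Identity-info header");
            drop;
        }
        # auth_date_proc() has to accept the Date header before signing
        # (presumably it adds or validates it; see the module documentation).
        if (!auth_date_proc()) {
            t_reply("403", "Invalid Date value");
            drop;
        }
        # Compute the signature with privatekey_path and add the Identity and
        # Identity-Info headers (the latter presumably pointing at certificate_url).
        if (!auth_add_identity()) {
            t_reply("480", "Authentication error");
            drop;
        }
    }
}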
Verifier
if (uri==myself) {
if (@identity) {
route(VERIFY);
}
....
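route[VERIFY]
{
    # if we've already processed this message then we drop it
    # (t_newtran() fails for a retransmission of a known transaction)
    if (!t_newtran()) {
        sl_reply("500", "Internal error newtran");
        drop;
    }
    # Verify only these request methods. The SIP method is spelled "OPTIONS";
    # the original "OPTION" never matched, so OPTIONS requests skipped every
    # check below and were forwarded unverified.
    if (method=="INVITE" || method=="BYE" || method=="OPTIONS" || method=="ACK") {
        # Identity and Identity-info are required for verification
        if (!@identity) {
            t_reply("428", "Use Identity Header");
            drop;
        }
        if (!@identity_info) {
            t_reply("436", "Bad Identity-Info");
            drop;
        }
        # Reject requests whose Date is outside the accepted window
        if (!vrfy_check_date()) {
            t_reply("403", "Outdated Date header value");
            drop;
        }
        # Fetch the signer's certificate from the Identity-Info URL
        if (!vrfy_get_certificate()) {
            t_reply("436", "Bad Identity-Info");
            drop;
        }
        # Validate the fetched certificate against cainfo_path before trusting
        # any signature made with it
        if (!vrfy_check_certificate()) {
            t_reply("437", "Unsupported Certificate");
            drop;
        }
        # Check the Identity signature over the message
        if (!vrfy_check_msgvalidity()) {
            t_reply("438", "Invalid Identity Header");
            drop;
        }
        # A valid signature can still be replayed; the Call-ID check catches that
        if (!vrfy_check_callid()) {
            t_reply("403", "Message is replayed");
            drop;
        }
    }
}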
OS specific help
Validation, confirmation tests