Comment: Migrated to Confluence 5.3

...

Applicability

User Agent A --TLS--> proxy domainA --Identity (TLS)--> proxy domainB --Identity (TLS, UDP, TCP)--> User Agent B

TLS and Identity don't work together yet; there is some intermodule conflict. It was reported to the developer.

Prerequisites

  • Linux machine
  • SER version 2.1 - current CVS version
  • Server certificate and private key in PEM format
  • CA list - list of trusted authorities in PEM format
  • Web server to allow others to download your certificate

...

No Format
if (!uri==myself) {
        # mark routing logic in request
        append_hf("P-hint: outbound\r\n");

        if (from_uri==myself) {
                # insert authentication HERE
                route(IDENTITY);
                route(FORWARD);
        }
        else {
                sl_reply("400", "Not Relay");
        }
}
No Format
route[IDENTITY]
{
        if (method=="INVITE" || method=="BYE" || method=="OPTIONS" || method=="ACK") {
                # Identity and Identity-info headers must not exist
                if (@identity) {
                        t_reply("403", "Invalid Identity header");
                        drop;
                }
                if (@identity_info) {
                        t_reply("403", "Invalid Identity-info header");
                        drop;
                }

                # check the Date header before signing
                if (!auth_date_proc()) {
                        t_reply("403", "Invalid Date value");
                        drop;
                }

                # add the Identity and Identity-Info headers
                if (!auth_add_identity()) {
                        t_reply("480", "Authentication error");
                        drop;
                }
        }
}

Verificator

No Format

if (uri==myself) {

       if (@identity) {
               route(VERIFY);
       }
....
No Format

route[VERIFY]
{
        # if we've already processed this message then we drop it
        if (!t_newtran()) {
                sl_reply("500", "Internal error newtran");
                drop;
        }
        if (method=="INVITE" || method=="BYE" || method=="OPTIONS" || method=="ACK") {
                # Identity and Identity-info are required for verification
                if (!@identity) {
                        t_reply("428", "Use Identity Header");
                        drop;
                }
                if (!@identity_info) {
                        t_reply("436", "Bad Identity-Info");
                        drop;
                }
                if (!vrfy_check_date()) {
                        t_reply("403", "Outdated Date header value");
                        drop;
                }
                if (!vrfy_get_certificate()) {
                        t_reply("436", "Bad Identity-Info");
                        drop;
                }
                if (!vrfy_check_certificate()) {
                        t_reply("437", "Unsupported Certificate");
                        drop;
                }
                if (!vrfy_check_msgvalidity()) {
                        t_reply("438", "Invalid Identity Header");
                        drop;
                }
                if (!vrfy_check_callid()) {
                        t_reply("403", "Message is replayed");
                        drop;
                }
        }
}
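
The verifier route rejects a message both when its Date is too old and when it has been seen before; the sketch below models how those two checks fit together, so it is clear why the replay cache has to remember a message for as long as its Date is still accepted. It is an added example, not code from this page or from SER: the 3600-second window, the (Call-ID, CSeq, From tag) cache key, the `From-tag` field name and the sample message are assumptions, and the certificate and signature checks are not modelled.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime


class ReplayGuard:
    """Date-freshness and replay checks, in the order route[VERIFY] runs them."""

    def __init__(self, validity=3600):      # assumed validity window, seconds
        self.validity = validity
        self.seen = {}                       # (Call-ID, CSeq, From tag) -> expiry

    def check(self, msg, now):
        """Return (status, reason); status 0 means both checks passed."""
        try:
            sent = parsedate_to_datetime(msg["Date"])
            if sent.tzinfo is None:          # "-0000" parses as naive: treat as UTC
                sent = sent.replace(tzinfo=timezone.utc)
            sent = sent.timestamp()
        except (KeyError, TypeError, ValueError):
            return 403, "Outdated Date header value"
        if abs(now - sent) > self.validity:
            return 403, "Outdated Date header value"
        # Entries are dropped only once their Date can no longer pass the
        # freshness check above; dropping them earlier would reopen replay.
        self.seen = {k: exp for k, exp in self.seen.items() if exp >= now}
        key = (msg["Call-ID"], msg["CSeq"], msg["From-tag"])
        if key in self.seen:
            return 403, "Message is replayed"
        self.seen[key] = sent + self.validity
        return 0, "ok"


def demo():
    # Constructed sample message, reduced to the fields the two checks read.
    t0 = datetime(2002, 2, 21, 13, 2, 3, tzinfo=timezone.utc).timestamp()
    invite = {"Date": "Thu, 21 Feb 2002 13:02:03 GMT",
              "Call-ID": "a84b4c76e66710",
              "CSeq": "314159 INVITE",
              "From-tag": "1928301774"}
    guard = ReplayGuard()
    return [guard.check(invite, t0 + 5),     # first delivery
            guard.check(invite, t0 + 600),   # same signed message sent again
            guard.check(invite, t0 + 4000)]  # sent again after the window closed


if __name__ == "__main__":
    for status, reason in demo():
        print(status, reason)
```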

OS specific help

Validation, confirmation tests