Goal (short description)
Usage of SIP identity (RFC4474)
Applicability
User Agent A --TLS--> proxy domainA --Identity (TLS)--> proxy domainB --Identity (TLS, UDP or TCP)--> User Agent B
TLS and Identity do not work together yet; there is an inter-module conflict, which has been reported to the developer.
Prerequisites
- Linux machine
- SER version 2.1 (current CVS version)
- Server certificate and private key in PEM format
- CA list - list of trusted authorities in PEM format
- web server that lets other domains download your certificate (the Identity-Info URL)
SER HEAD CVS branch
export CVSROOT=:pserver:anonymous@cvs.berlios.de:/cvsroot/ser
cvs co sip_router
Compiling the source
Make everything
make group_include="standard" include_modules="tls auth_identity" all
Install it (make runs before install)
make group_include="standard" include_modules="tls auth_identity" install
You can adjust which modules are compiled with the group_include, include_modules and exclude_modules parameters.
The print-modules target shows the set of modules that will be compiled.
make group_include="standard" include_modules="tls auth_identity" print-modules
Since this is a CVS version, if any other non-critical module causes build problems, just exclude it with exclude_modules="module_name1 module_name2".
Configuration
Edit your ser.cfg
Load the module
# ------------------ module loading ----------------------------------
loadmodule "/usr/local/lib/ser/modules/auth_identity.so"
Set the parameters
# ----------------- setting module-specific parameters ---------------
modparam("auth_identity","privatekey_path","/etc/certs/key.pem")
modparam("auth_identity","certificate_path","/etc/certs/cert.pem")
modparam("auth_identity","cainfo_path","/etc/certs/ca_list.pem")
modparam("auth_identity","certificate_url","http://sip.domainA.net/cert.pem")
Add the identity
if (!uri==myself) {
    # mark routing logic in request
    append_hf("P-hint: outbound\r\n");
    if (from_uri==myself) {
        # authenticate the sender HERE, before the request is signed
        route(IDENTITY);
        route(FORWARD);
    } else {
        sl_reply("400", "Not Relay");
    }
}
route[IDENTITY] {
    # only these methods get an Identity header (the SIP method is OPTIONS, not OPTION)
    if (method=="INVITE" || method=="BYE" || method=="OPTIONS" || method=="ACK") {
        # Identity and Identity-Info headers must not exist yet
        if (@identity) {
            t_reply("403", "Invalid Identity header");
            drop;
        }
        if (@identity_info) {
            t_reply("403", "Invalid Identity-Info header");
            drop;
        }
        # the Date header is part of the signed digest-string, so it must be present and sane
        if (!auth_date_proc()) {
            t_reply("403", "Invalid Date value");
            drop;
        }
        # sign the request with privatekey_path and add Identity and Identity-Info
        if (!auth_add_identity()) {
            t_reply("480", "Authentication error");
            drop;
        }
    }
}
Verifier
if (uri==myself) {
    if (@identity) {
        route(VERIFY);
    }
    ....
route[VERIFY] {
    # if we've already processed this message then we drop it
    if (!t_newtran()) {
        sl_reply("500", "Internal error newtran");
        drop;
    }
    if (method=="INVITE" || method=="BYE" || method=="OPTIONS" || method=="ACK") {
        # Identity and Identity-Info are required for verification
        if (!@identity) {
            t_reply("428", "Use Identity Header");
            drop;
        }
        if (!@identity_info) {
            t_reply("436", "Bad Identity-Info");
            drop;
        }
        # the Date header must be fresh (RFC 4474 recommends a ten-minute window)
        if (!vrfy_check_date()) {
            t_reply("403", "Outdated Date header value");
            drop;
        }
        # fetch the signer's certificate from the Identity-Info URL
        if (!vrfy_get_certificate()) {
            t_reply("436", "Bad Identity-Info");
            drop;
        }
        # the certificate must validate against cainfo_path and match the From domain
        if (!vrfy_check_certificate()) {
            t_reply("437", "Unsupported Certificate");
            drop;
        }
        # check the signature over the digest-string
        if (!vrfy_check_msgvalidity()) {
            t_reply("438", "Invalid Identity Header");
            drop;
        }
        # reject a request whose Call-ID was already accepted
        if (!vrfy_check_callid()) {
            t_reply("403", "Message is replayed");
            drop;
        }
    }
}
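To show what the auth_identity functions in route[IDENTITY] and route[VERIFY] do under the hood, here is an added Python sketch (not code from the page or from SER): it builds the RFC 4474 digest-string, adds the Identity and Identity-Info headers the way the signing proxy does, and runs the verifier's header, Date-freshness and replay checks with the page's reply codes. The RSA-SHA1 signature check itself is delegated to a caller-supplied verify_sig callback (assumed), and the INVITE is constructed here.

```python
import base64, re
from email.utils import parsedate_to_datetime
DATE_WINDOW = 600  # RFC 4474 recommends rejecting a Date more than ten minutes off local time
def parse_sip(raw):  # split a SIP request into (request-line, {lowercase name: value}, body)
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    req, *lines = head.split("\n")
    hdrs = {n.strip().lower(): v.strip() for n, _, v in (l.partition(":") for l in lines)}
    return req, hdrs, body
def addr_spec(value):  # bare URI of a name-addr ('"Alice" <sip:a@x>;tag=1') or plain addr-spec
    m = re.search(r"<([^>]+)>", value)
    return m.group(1) if m else value.split(";")[0].strip()
def digest_string(raw):
    """RFC 4474 section 9 digest-string: exactly the bytes the Identity signature covers."""
    _, h, body = parse_sip(raw)
    return "|".join([addr_spec(h["from"]), addr_spec(h["to"]), h["call-id"], h["cseq"],
                     h["date"], addr_spec(h.get("contact", "")), body])
def date_seconds(h):  # POSIX time of the RFC 1123 Date header value
    return parsedate_to_datetime(h["date"]).timestamp()
def add_identity_headers(raw, signature, cert_url):
    """What route[IDENTITY] does on domainA's proxy: append Identity and Identity-Info."""
    head, sep, body = raw.partition("\r\n\r\n")
    return (head + "\r\nIdentity: " + base64.b64encode(signature).decode()
            + "\r\nIdentity-Info: <" + cert_url + ">;alg=rsa-sha1" + sep + body)
def verify_identity(raw, verify_sig, now, seen):
    """Mirror of route[VERIFY] on domainB's proxy: returns the (code, reason) it would send.
    verify_sig(data, sig, cert_url) is the caller's RSA-SHA1 check (assumed helper, not
    implemented here); seen is the set of (Call-ID, CSeq) accepted inside DATE_WINDOW."""
    _, h, _ = parse_sip(raw)
    if "identity" not in h:
        return 428, "Use Identity Header"
    m = re.match(r"<(https?://[^>]+)>", h.get("identity-info", ""))
    if not m:
        return 436, "Bad Identity-Info"
    if abs(now - date_seconds(h)) > DATE_WINDOW:
        return 403, "Outdated Date header value"
    try:
        sig = base64.b64decode(h["identity"], validate=True)
    except ValueError:  # binascii.Error is a ValueError: malformed base64
        return 438, "Invalid Identity Header"
    if not verify_sig(digest_string(raw).encode(), sig, m.group(1)):
        return 438, "Invalid Identity Header"
    key = (h["call-id"], h["cseq"])  # replay: the same signed request seen again
    if key in seen:
        return 403, "Message is replayed"
    seen.add(key)
    return 200, "OK"
# Constructed sample INVITE from user agent A (not taken from the page).
SAMPLE_INVITE = ("INVITE sip:bob@domainB.net SIP/2.0\r\nFrom: \"Alice\" <sip:alice@domainA.net>;tag=1928301774\r\n"
                 "To: Bob <sip:bob@domainB.net>\r\nCall-ID: a84b4c76e66710\r\nCSeq: 314159 INVITE\r\n"
                 "Date: Thu, 21 Feb 2002 13:02:03 GMT\r\nContact: <sip:alice@pc33.domainA.net>\r\nContent-Length: 0\r\n\r\n")
```

Note that a BYE shares the INVITE's Call-ID, which is why the replay key includes the CSeq rather than the Call-ID alone.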