[OpenSIPS-Devel] [opensips] TLS: Client authentication with client certificate CN (#716)
ph4r05
notifications at github.com
Thu Dec 3 23:23:32 CET 2015
The TLSOPS module was extended to add support for checking the correspondence between the FROM/TO URIs and the CN of the client certificate used for the TLS connection, i.e. client authentication via client certificates.
For clients using TLS client certificates this patch can save up to 50% of bandwidth and messages for REGISTER, MESSAGE and INVITE requests compared to traditional www_authorize authentication. This improvement is especially important for clients connected via mobile networks (higher packet loss / latency).
Example configuration for TLS client authentication:
```
# authenticate the REGISTER requests
if (proto==TLS && is_peer_verified()) {
    xlog("L_NOTICE","[$pr:$fU@$si:$sp]: Processing '$rm' auth trusted cert '$tls_peer_subject_cn'\n");
    # Doing pretty serious stuff here, check if To matches CN.
    if (!tls_check_to()) {
        xlog("L_NOTICE","[$pr:$fU@$si:$sp]: Processing '$rm' auth TO check failed\n");
        sl_send_reply("403","Forbidden auth ID");
        exit;
    }
}
else {
    # TLS validation could not be applied - use challenge response
    $var(auth_code) = www_authorize("", "subscriber");
    xlog("L_NOTICE","[$pr:$fU@$si:$sp]: Processing '$rm' auth: '$var(auth_code)'\n");
    if ( $var(auth_code) == -1 || $var(auth_code) == -2 ) {
        xlog("L_NOTICE","Auth error for $fU@$fd from $si cause $var(auth_code)");
    }
    if ( $var(auth_code) < 0 ) {
        www_challenge("", "0");
        exit;
    }
    if (!db_check_to()) {
        sl_send_reply("403","Forbidden auth ID");
        exit;
    }
}
```
You can view, comment on, or merge this pull request online at:
https://github.com/OpenSIPS/opensips/pull/716
-- Commit Summary --
* CN-AUTH: authentication via TLS client certificate CN functions added to tls_mgm module
* CN-AUTH: documentation for tls_check_{from,to}
-- File Changes --
M modules/tls_mgm/README (42)
M modules/tls_mgm/doc/tls_mgm_admin.xml (54)
M modules/tls_mgm/tls_mgm.c (113)
M modules/tls_mgm/tls_select.c (49)
M modules/tls_mgm/tls_select.h (3)
-- Patch Links --
https://github.com/OpenSIPS/opensips/pull/716.patch
https://github.com/OpenSIPS/opensips/pull/716.diff
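The following is an added illustration of the From/To-versus-CN correspondence check that the pull request implements; it is example code written for this page, not OpenSIPS's own tls_check_from()/tls_check_to() implementation. It parses a SIP request, extracts the user part of the From and To URIs, and compares each with the CN of a verified TLS client certificate, returning the same decision the configuration above would reach (accept, fall back to a digest challenge, or 403). The matching rule (URI user part must equal the CN exactly) and the sample messages are assumptions made for the example; the real matching semantics are defined in the PR's code and documentation.

```python
# Added example (not OpenSIPS code): check that the From/To URIs of a SIP
# request correspond to the CN of a verified TLS client certificate.
import re
from typing import Dict, Optional, Tuple

CRLF = "\r\n"

# Constructed sample: a REGISTER as it would arrive on a verified TLS connection.
SAMPLE_REGISTER = (
    "REGISTER sip:example.com SIP/2.0" + CRLF +
    "Via: SIP/2.0/TLS 10.0.0.5:5061;branch=z9hG4bK776" + CRLF +
    "From: \"Alice\" <sip:alice@example.com>;tag=1928301774" + CRLF +
    "To: <sip:alice@example.com>" + CRLF +
    "Call-ID: a84b4c76e66710" + CRLF +
    "CSeq: 1 REGISTER" + CRLF +
    "Content-Length: 0" + CRLF + CRLF
)

# Constructed sample: a third-party registration attempt (From != To).
SAMPLE_THIRD_PARTY = SAMPLE_REGISTER.replace(
    "To: <sip:alice@example.com>", "To: <sip:bob@example.com>")


def parse_headers(msg: str) -> Dict[str, str]:
    """Return SIP headers as {lowercase-name: value}; first occurrence wins.
    Compact header forms f/t are expanded to from/to."""
    compact = {"f": "from", "t": "to"}
    headers: Dict[str, str] = {}
    head, _, _body = msg.partition(CRLF + CRLF)
    for line in head.split(CRLF)[1:]:          # skip the request line
        name, sep, value = line.partition(":")
        if not sep:
            continue
        name = name.strip().lower()
        headers.setdefault(compact.get(name, name), value.strip())
    return headers


# sip:/sips: URI with optional user part; host stops at port or parameters.
URI_RE = re.compile(r"^sips?:(?:(?P<user>[^@;>]*)@)?(?P<host>[^;:>]+)")


def uri_user_host(header_value: str) -> Tuple[Optional[str], Optional[str]]:
    """Extract (user, host) from a From/To header value, with or without
    a display name and angle brackets; header parameters are ignored."""
    m = re.search(r"<([^>]+)>", header_value)
    uri = m.group(1) if m else header_value.split(";", 1)[0].strip()
    m2 = URI_RE.match(uri)
    if not m2:
        return None, None
    return m2.group("user"), m2.group("host")


def uri_matches_cn(header_value: str, peer_cn: str) -> bool:
    """ASSUMED matching rule for this example: the URI user part must equal
    the certificate CN exactly (SIP user parts are case-sensitive)."""
    user, _host = uri_user_host(header_value)
    return user is not None and user == peer_cn


def authorize(msg: str, peer_verified: bool, peer_cn: Optional[str]) -> int:
    """Decision mirroring the configuration: 0 = accept on the certificate,
    401 = no verified certificate, fall back to a digest challenge,
    403 = From or To identity does not correspond to the certificate CN."""
    if not peer_verified or not peer_cn:
        return 401
    headers = parse_headers(msg)
    # Both From and To are checked here; the page's snippet checks only To.
    for name in ("from", "to"):
        if name not in headers or not uri_matches_cn(headers[name], peer_cn):
            return 403
    return 0


if __name__ == "__main__":
    print("verified, CN=alice   ->", authorize(SAMPLE_REGISTER, True, "alice"))
    print("verified, CN=bob     ->", authorize(SAMPLE_REGISTER, True, "bob"))
    print("unverified peer      ->", authorize(SAMPLE_REGISTER, False, None))
    print("third-party, CN=alice->", authorize(SAMPLE_THIRD_PARTY, True, "alice"))
```

The third-party sample shows why the To URI is worth checking as well as From: a certificate issued to alice should not be able to register a contact for bob, and an exact, case-sensitive comparison avoids accepting a CN that merely resembles the user part.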