[OpenSIPS-Devel] [opensips] Client authentication with TLS client cert CN (#709)

ph4r05 notifications at github.com
Fri Nov 27 00:54:53 CET 2015


The TLSOPS module was extended to add support for checking the correspondence between the FROM/TO URIs and the CN of the client certificate used for the TLS connection, i.e. client authentication via client certificates.

For clients using TLS client certificates this patch can save up to 50% of bandwidth and messages for REGISTER, MESSAGE and INVITE requests compared to traditional www_authorize authentication. This improvement is especially important for clients connected via mobile networks.

Example configuration for TLS client authentication:
```
# authenticate the REGISTER requests 
if (proto==TLS && is_peer_verified()){
    xlog("L_NOTICE","[$pr:$fU@$si:$sp]: Processing '$rm' auth trusted cert '$tls_peer_subject_cn'\n");

    # Doing pretty serious stuff here, check if to matches CN.
    if (!tls_check_to())
    {
        xlog("L_NOTICE","[$pr:$fU@$si:$sp]: Processing '$rm' auth TO check failed\n");
        sl_send_reply("403","Forbidden auth ID");
        exit;
    }
}
else {
    # TLS validation could not be applied - use challenge response
    $var(auth_code) = www_authorize("", "subscriber");
    xlog("L_NOTICE","[$pr:$fU@$si:$sp]: Processing '$rm' auth: '$var(auth_code)'\n");

    if ( $var(auth_code) == -1 || $var(auth_code) == -2 ) {
        xlog("L_NOTICE","Auth error for $fU@$fd from $si cause $var(auth_code)");
    }
    if ( $var(auth_code) < 0 ) {
        www_challenge("", "0");
        exit;
    }
    if (!db_check_to())
    {
        sl_send_reply("403","Forbidden auth ID");
        exit;
    }
}
```
You can view, comment on, or merge this pull request online at:

  https://github.com/OpenSIPS/opensips/pull/709

-- Commit Summary --

  * CRL: tls_crl_directory configuration option ported from OpenSips 2.x branch
  * CRL-CN: CRL refresh via MI command added
  * CN-AUTH: authentication via TLS client certificate functions added to tlsops module

-- File Changes --

    M cfg.lex (3)
    M cfg.y (32)
    M config.h (1)
    M modules/tlsops/tls_select.c (51)
    M modules/tlsops/tls_select.h (5)
    M modules/tlsops/tlsops.c (160)
    M tls/tls_config.c (2)
    M tls/tls_config.h (2)
    M tls/tls_domain.c (1)
    M tls/tls_domain.h (2)
    M tls/tls_init.c (285)
    M tls/tls_init.h (10)

-- Patch Links --

https://github.com/OpenSIPS/opensips/pull/709.patch
https://github.com/OpenSIPS/opensips/pull/709.diff
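
As an added illustration (not code from the pull request or from OpenSIPS), the following Python sketch reproduces the decision flow of the configuration above and the CN-versus-URI comparison that tls_check_to() is described as performing. It assumes the certificate CN is expected to hold the URI's user@host (the notification does not specify the exact matching rule), with a case-sensitive user part and a case-insensitive host, as RFC 3261 prescribes for URI comparison; the header values and CNs below are constructed samples.

```python
import re
from typing import Optional, Tuple

# Matches the URI part of a From/To header: scheme, optional user, host.
# Port, URI parameters and headers are deliberately cut off at ':' ';' '?' '>'.
URI_RE = re.compile(r'^(sips?):(?:(?P<user>[^@]+)@)?(?P<host>[^:;?>]+)', re.IGNORECASE)


def parse_addr(header: str) -> Optional[Tuple[str, str]]:
    """Return (user, host) from a From/To header value, or None if unusable."""
    h = header.strip()
    if '<' in h:                       # name-addr form: display name <uri>;params
        start = h.find('<')
        end = h.find('>', start)
        if end == -1:
            return None
        uri = h[start + 1:end]
    else:                              # addr-spec form: uri;params
        uri = h.split(';', 1)[0]
    m = URI_RE.match(uri.strip())
    if not m or not m.group('user'):   # a URI without a user part cannot be an auth ID
        return None
    return m.group('user'), m.group('host').lower()


def cn_matches(cn: str, header: str) -> bool:
    """Assumed rule for this example: CN must equal the URI's user@host."""
    parsed = parse_addr(header)
    if parsed is None or '@' not in cn:
        return False
    cn_user, cn_host = cn.rsplit('@', 1)
    user, host = parsed
    return cn_user == user and cn_host.lower() == host


def decide(proto: str, peer_verified: bool, peer_cn: Optional[str], to_header: str) -> str:
    """Mirror of the config flow: verified TLS peer -> CN check, else digest challenge."""
    if proto.upper() == 'TLS' and peer_verified and peer_cn:
        return 'accept' if cn_matches(peer_cn, to_header) else 'reject-403'
    return 'challenge'


if __name__ == '__main__':
    # Constructed samples: one matching cert, one cert presented for someone else's To URI.
    to_hdr = '"Alice" <sips:alice@Example.com:5061>;tag=1928301774'
    print(decide('TLS', True, 'alice@example.com', to_hdr))   # accept
    print(decide('TLS', True, 'mallory@example.com', to_hdr)) # reject-403
    print(decide('TCP', False, None, to_hdr))                 # challenge
```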
