<p>The TLSOPS module was extended to add support for checking the correspondence between the FROM/TO URIs and the CN of the client certificate used for the TLS connection, i.e. client authentication via client certificates.</p>
<p>For clients using TLS client certificates this patch can save bandwidth and messages up to 50% for REGISTER, MESSAGE and INVITE requests compared to traditional www_authorize authentication. This improvement is especially important for clients connected via mobile networks. </p>
<p>Example configuration for TLS client authentication:</p>
<pre><code># authenticate the REGISTER requests
if (proto==TLS && is_peer_verified()) {
    xlog("L_NOTICE","[$pr:$fU@$si:$sp]: Processing '$rm' auth trusted cert '$tls_peer_subject_cn'\n");
    # Doing pretty serious stuff here, check if To matches CN.
    if (!tls_check_to()) {
        xlog("L_NOTICE","[$pr:$fU@$si:$sp]: Processing '$rm' auth TO check failed\n");
        sl_send_reply("403","Forbidden auth ID");
        exit;
    }
} else {
    # TLS validation could not be applied - use challenge response
    $var(auth_code) = www_authorize("", "subscriber");
    xlog("L_NOTICE","[$pr:$fU@$si:$sp]: Processing '$rm' auth: '$var(auth_code)'\n");
    if ( $var(auth_code) == -1 || $var(auth_code) == -2 ) {
        xlog("L_NOTICE","Auth error for $fU@$fd from $si cause $var(auth_code)");
    }
    if ( $var(auth_code) < 0 ) {
        www_challenge("", "0");
        exit;
    }
    if (!db_check_to()) {
        sl_send_reply("403","Forbidden auth ID");
        exit;
    }
}
</code></pre>
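<p>The CN-versus-URI correspondence that the script above relies on, as an added Python example written for this page (it is not code from the pull request or from OpenSIPS). It assumes the client certificate CN carries the subscriber's address of record as <code>user@host</code> (an assumption about the matching rule, not something the PR states), parses the To header value the way a SIP stack would, and fails closed on anything it cannot parse; <code>SAMPLE_TO</code>, <code>SAMPLE_CN</code> and <code>decide()</code> are constructed for this example.</p>

```python
import re

# Constructed sample input for this example (not from the pull request).
SAMPLE_TO = '"Alice" <sip:alice@example.com;transport=tls>;tag=1928301774'
SAMPLE_CN = "alice@example.com"   # hypothetical CN of the verified client cert

_DISPLAY_RE = re.compile(r'^"(?:[^"\\]|\\.)*"\s*')          # quoted display name
_URI_RE = re.compile(r'^sips?:(?:(?P<user>[^@;>]+)@)?(?P<host>[^;>?]+)')

def parse_name_addr(header):
    """Return (user, host) from a SIP From/To header value.

    Handles name-addr ('"Alice" <sip:a@b;p=1>;tag=x') and bare addr-spec
    ('sip:a@b;tag=x') forms; URI and header parameters are dropped.
    Raises ValueError when no user part can be found.
    """
    header = _DISPLAY_RE.sub('', header.strip())
    m = re.search(r'<([^>]*)>', header)
    uri = m.group(1) if m else header.split(';', 1)[0]
    m = _URI_RE.match(uri.strip())
    if not m or not m.group('user'):
        raise ValueError("no user part in SIP URI: %r" % header)
    host = m.group('host')
    if host.startswith('['):                       # IPv6 reference: keep brackets
        host = host[:host.index(']') + 1]
    else:
        host = host.split(':', 1)[0]               # strip any port
    return m.group('user'), host.lower()

def cn_matches_header(cn, header):
    """Assumed rule: the certificate CN must equal the header's user@host.

    User parts are case-sensitive (RFC 3261), hosts are DNS names and are
    compared case-insensitively. Any parse failure is a mismatch (fail closed).
    """
    if not cn or '@' not in cn:
        return False
    try:
        user, host = parse_name_addr(header)
    except ValueError:
        return False
    cn_user, cn_host = cn.rsplit('@', 1)
    return cn_user == user and cn_host.lower() == host

def decide(peer_verified, cn, to_header):
    """Mirror the route logic above: 'accept', 'reject' (403) or 'challenge'."""
    if not peer_verified:
        return "challenge"            # no usable client cert: fall back to digest
    return "accept" if cn_matches_header(cn, to_header) else "reject"
```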
<hr>
<h4>You can view, comment on, or merge this pull request online at:</h4>
<p> <a href='https://github.com/OpenSIPS/opensips/pull/709'>https://github.com/OpenSIPS/opensips/pull/709</a></p>
<h4>Commit Summary</h4>
<ul>
<li>CRL: tls_crl_directory configuration option ported from OpenSips 2.x branch</li>
<li>CRL-CN: CRL refresh via MI command added</li>
<li>CN-AUTH: authentication via TLS client certificate functions added to tlsops module</li>
</ul>
<h4>File Changes</h4>
<ul>
<li>
<strong>M</strong>
<a href="https://github.com/OpenSIPS/opensips/pull/709/files#diff-0">cfg.lex</a>
(3)
</li>
<li>
<strong>M</strong>
<a href="https://github.com/OpenSIPS/opensips/pull/709/files#diff-1">cfg.y</a>
(32)
</li>
<li>
<strong>M</strong>
<a href="https://github.com/OpenSIPS/opensips/pull/709/files#diff-2">config.h</a>
(1)
</li>
<li>
<strong>M</strong>
<a href="https://github.com/OpenSIPS/opensips/pull/709/files#diff-3">modules/tlsops/tls_select.c</a>
(51)
</li>
<li>
<strong>M</strong>
<a href="https://github.com/OpenSIPS/opensips/pull/709/files#diff-4">modules/tlsops/tls_select.h</a>
(5)
</li>
<li>
<strong>M</strong>
<a href="https://github.com/OpenSIPS/opensips/pull/709/files#diff-5">modules/tlsops/tlsops.c</a>
(160)
</li>
<li>
<strong>M</strong>
<a href="https://github.com/OpenSIPS/opensips/pull/709/files#diff-6">tls/tls_config.c</a>
(2)
</li>
<li>
<strong>M</strong>
<a href="https://github.com/OpenSIPS/opensips/pull/709/files#diff-7">tls/tls_config.h</a>
(2)
</li>
<li>
<strong>M</strong>
<a href="https://github.com/OpenSIPS/opensips/pull/709/files#diff-8">tls/tls_domain.c</a>
(1)
</li>
<li>
<strong>M</strong>
<a href="https://github.com/OpenSIPS/opensips/pull/709/files#diff-9">tls/tls_domain.h</a>
(2)
</li>
<li>
<strong>M</strong>
<a href="https://github.com/OpenSIPS/opensips/pull/709/files#diff-10">tls/tls_init.c</a>
(285)
</li>
<li>
<strong>M</strong>
<a href="https://github.com/OpenSIPS/opensips/pull/709/files#diff-11">tls/tls_init.h</a>
(10)
</li>
</ul>
<h4>Patch Links:</h4>
<ul>
<li><a href='https://github.com/OpenSIPS/opensips/pull/709.patch'>https://github.com/OpenSIPS/opensips/pull/709.patch</a></li>
<li><a href='https://github.com/OpenSIPS/opensips/pull/709.diff'>https://github.com/OpenSIPS/opensips/pull/709.diff</a></li>
</ul>