[OpenSIPS-Users] Client certificate validation
Fabio Spelta
spelta at gmail.com
Wed Sep 23 16:13:51 CEST 2009
2009/9/23 Adrian Georgescu <ag at ag-projects.com>:
> I was last week at SIPIT and nobody could realize this scenario.
> CounterPath included.
Sounds interesting.
> The idea is that having the server connect back to a client while
> technically is a valid call flow scenario, for all practical purposes
> involved in a real life deployment, servers should not attempt to
> connect back to clients but the opposite
As far as I understand, here we are talking about using an X.509
certificate for authentication purposes only, not for accepting
incoming connections. There is a specific key usage field in the X.509
specifications and the certificate I'm presenting (or better: that I'm
trying to present) to the server does have it; here's an excerpt from
it:
    X509v3 extensions:
        X509v3 Basic Constraints:
            CA:FALSE
        X509v3 Key Usage: critical
            Digital Signature
        X509v3 Extended Key Usage: critical
            TLS Web Client Authentication, E-mail Protection
(not that that option is mandatory, by the way).
We use those *very same* certificates for wireless *authentication*.
The wireless router doesn't open any connection back to the client; it is a
matter of authentication only. Read it this way: in the end it works
PRECISELY as a password would, but is by far more secure.
Regards,
--
Fabio
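
Added example, not part of the original message or of OpenSIPS: a small Python check that reads an extension excerpt like the one quoted above, assumed to be in the layout `openssl x509 -noout -text` prints, and reports why a certificate would or would not be usable as a TLS client identity. The function names and the sample text are constructed for illustration; rejecting CA certificates is an assumed deployment policy, not a TLS requirement.

```python
import re

# Constructed sample: the extension excerpt quoted in the message.
SAMPLE = """\
X509v3 extensions:
    X509v3 Basic Constraints:
        CA:FALSE
    X509v3 Key Usage: critical
        Digital Signature
    X509v3 Extended Key Usage: critical
        TLS Web Client Authentication, E-mail Protection
"""

# An extension header line: "X509v3 <name>:" optionally followed by "critical".
HEADER = re.compile(r"^X509v3 (?P<name>[^:]+):\s*(?P<crit>critical)?\s*$")

def parse_extensions(text):
    """Return {extension name: {"critical": bool, "values": [str, ...]}}."""
    exts, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "X509v3 extensions:":
            continue
        m = HEADER.match(line)
        if m:
            current = exts.setdefault(m["name"], {"critical": False, "values": []})
            current["critical"] = m["crit"] is not None
        elif current is not None:
            # Value lines are comma-separated, e.g. "A, B" or "CA:TRUE, pathlen:0".
            current["values"] += [v.strip() for v in line.split(",") if v.strip()]
    return exts

def client_auth_problems(exts):
    """List reasons the certificate is unsuitable as a TLS client identity."""
    problems = []
    bc = exts.get("Basic Constraints")
    if bc and "CA:TRUE" in bc["values"]:  # assumed policy: end-entity certs only
        problems.append("certificate is a CA, not an end-entity identity")
    ku = exts.get("Key Usage")
    if ku and "Digital Signature" not in ku["values"]:
        problems.append("Key Usage present but lacks Digital Signature")
    # An absent Extended Key Usage extension places no restriction on purpose.
    eku = exts.get("Extended Key Usage")
    allowed = {"TLS Web Client Authentication", "Any Extended Key Usage"}
    if eku and not allowed & set(eku["values"]):
        problems.append("Extended Key Usage present but lacks TLS Web Client Authentication")
    return problems
```
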