[OpenSIPS-Users] Client certificate validation
Adrian Georgescu
ag at ag-projects.com
Wed Sep 23 16:16:28 CEST 2009
Fabio
To the best of my knowledge, the SIP clients do not implement the
features you mention. Maybe you can make it work somehow and let us
know if and how you succeeded.
--
Adrian
On Sep 23, 2009, at 4:13 PM, Fabio Spelta wrote:
> 2009/9/23 Adrian Georgescu <ag at ag-projects.com>:
>> I was last week at SIPIT and nobody could realize this scenario.
>> CounterPath included.
>
> Sounds interesting.
>
>> The idea is that, while having the server connect back to a client
>> is technically a valid call flow scenario, for all practical purposes
>> involved in a real life deployment, servers should not attempt to
>> connect back to clients but the opposite.
>
> As far as I understand, here we are talking about using an X.509
> certificate for authentication purposes only, not for accepting
> incoming connections. There is a specific key usage field in the X.509
> specifications and the certificate I'm presenting (or better: that I'm
> trying to present) to the server does have it; here's an excerpt from
> it:
>
>     X509v3 extensions:
>         X509v3 Basic Constraints:
>             CA:FALSE
>         X509v3 Key Usage: critical
>             Digital Signature
>         X509v3 Extended Key Usage: critical
>             TLS Web Client Authentication, E-mail Protection
>
>
> (not that that option is mandatory, by the way).
>
> We use those *very same* certificates for wireless *authentication*.
> The wireless router doesn't open any connection back to the client; it
> is a matter of authentication only. Read it this way: in the end it works
> PRECISELY as a password would, but it is by far more secure.
>
> Regards,
> --
> Fabio