[OpenSIPS-Users] OpenSIPs with mutual TLS and client CA lists

Phil Whitener Phil.Whitener at genesys.com
Fri Jun 28 12:40:21 EDT 2019


I have looked into using OpenSIPS with optional mutual TLS.  In short, using verify_cert=1 & require_cert=0.  In this case, the OpenSIPs acting as a server sends the TLS "Certificate Request" during the handshake and based on the response the OpenSIPs server decides whether to continue (as either server-only TLS or mutual TLS) or terminate the connection.  I have experienced more failures than expected as some remote endpoints are attempting to satisfy the certificate request by sending any potential certificate that meets the requested criteria.

During the "Certificate Request" there is an optional parameter allowing the trusted certificate authority distinguished name to be provided in the request.  This is defined in OpenSSL's SSL_CTX_set_client_CA_list.  Without this directive defined the remote client may choose to send a client certificate that meets the only defined parameter (Certificate types); however, in many cases OpenSIPs may reject the client selected certificate.  It does not appear that OpenSIPs controls this optional parameter.

I may have missed this definition in OpenSIPs.  This may be a potential feature request.  If it has been omitted, I feel that when OpenSIPs is acting as a TLS server, the existing parameter CA_LIST could be defined in the server domain to provide a set of trusted certificate authorities to pass along as the Certificate Request distinguished name.  In this case the remote client peer that is not able to satisfy the scoped Certificate Request can then choose to proceed without mutual authentication and continue the handshake without offering a client certificate.

RFC5246 7.4.6 Client Certificate https://tools.ietf.org/html/rfc5246#section-7.4.6

TLSv1 Record Layer: Handshake Protocol: Multiple Handshake Messages
    Content Type: Handshake (22)
    Version: TLS 1.0 (0x0301)
    Length: 14
    Handshake Protocol: Certificate Request
        Handshake Type: Certificate Request (13)
        Length: 6
        Certificate types count: 3
        Certificate types (3 types)
            Certificate type: RSA Sign (1)
            Certificate type: DSS Sign (2)
            Certificate type: ECDSA Sign (64)
        Distinguished Names Length: 0
    Handshake Protocol: Server Hello Done
        Handshake Type: Server Hello Done (14)
        Length: 0

OpenSSL SSL_CTX_set_client_CA_list

https://www.openssl.org/docs/man1.0.2/man3/SSL_CTX_set_client_CA_list.html


Thank you for your review,

Phil Whitener
phil.whitener at genesys.com<mailto:phil.whitener at genesys.com>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.opensips.org/pipermail/users/attachments/20190628/9f680542/attachment.html>


More information about the Users mailing list