[OpenSIPS-Users] Client certificate validation

Adrian Georgescu ag at ag-projects.com
Wed Sep 23 15:58:51 CEST 2009


I was at SIPIT last week and nobody could realize this scenario,
CounterPath included.

The idea is that, while having the server connect back to a client is
technically a valid call flow scenario, for all practical purposes
involved in a real-life deployment, servers should not attempt to
connect back to clients but the opposite: the clients should connect
to the server and keep the TLS connection alive by using outbound
techniques. The real issue is NAT: a server cannot initiate a TLS
connection back to a client if it is behind NAT.

--
Adrian





On Sep 23, 2009, at 3:45 PM, Fabio Spelta wrote:

>
> So you already know where the problem is.
>
> As I stated above, since all the three clients I tried get that
> message, I suspected that it could perhaps be a server issue; but
> that was only a suspicion.
> The first suspicion was about the certificate itself, which is missing a
> URI:sip subjectAltName.
> Does anybody know if this is mandatory?
>
>
> By the way, where do you configure a client-side X.509 certificate
> in CounterPath's eyeBeam client?
>
> It gets the certificate from the Microsoft Windows keystore; in
> fact, the proper way to have it use client certificates is to
> install them in the operating system keystore.
>
> Just to ask, does anybody successfully use a client certificate for
> authentication?
> If so, I would love, if possible, to see a sample of a working
> client certificate, so as to triple-check it and see how it must be
> formatted.
>
> Thanks so much
> -- 
> Fabio