[OpenSIPS-Users] Client certificate validation

Fabio Spelta spelta at gmail.com
Wed Sep 23 16:13:51 CEST 2009


2009/9/23 Adrian Georgescu <ag at ag-projects.com>:
> I was last week at SIPIT and nobody could realize this scenario.
> CounterPath included.

Sounds interesting.

> The idea is that having the server connect back to a client while
> technically is a valid call flow scenario, for all practical purposes
> involved in a real life deployment, servers should not attempt to
> connect back to clients but the opposite

As far as I understand, here we are talking about using an X.509
certificate for authentication purposes only, not for accepting
incoming connections. There is a specific key usage field in the X.509
specifications and the certificate I'm presenting (or better: that I'm
trying to present) to the server does have it; here's an excerpt from
it:

X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Key Usage: critical
                Digital Signature
            X509v3 Extended Key Usage: critical
                TLS Web Client Authentication, E-mail Protection


(not that that option is mandatory, by the way).

We use those *very same* certificates for wireless *authentication*.
The wireless router doesn't open any connection back to the client; it is
a matter of authentication only. Read it this way: in the end it works
PRECISELY as a password would, but it is by far more secure.

Regards,
-- 
Fabio
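As an added example that is not part of this thread (it assumes OpenSSL 1.1.1 or later on the PATH for the `-addext` and `-ext` options), the script below builds a self-signed certificate carrying the same Key Usage / Extended Key Usage values as the excerpt above, builds a server certificate for contrast, and reads the Extended Key Usage back to decide which TLS role each certificate may legitimately fill:

```shell
#!/bin/sh
# Added example, not from the thread: constructed certificates only.
set -e

WORK=$(mktemp -d)

# make_cert OUTFILE "EKU list": self-signed cert with keyUsage=digitalSignature
# and the given extendedKeyUsage values, both marked critical as in the excerpt.
make_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=example" -keyout "$1.key" -out "$1" \
    -addext "keyUsage=critical,digitalSignature" \
    -addext "extendedKeyUsage=critical,$2" >/dev/null 2>&1
}

# cert_role CERT: prints "server" if the EKU permits TLS server use,
# "client" if it permits TLS client authentication only, "none" otherwise.
# A certificate that only carries clientAuth cannot be used by a peer that
# wants to accept connections, which is the point made in the mail above.
cert_role() {
  eku=$(openssl x509 -in "$1" -noout -ext extendedKeyUsage 2>/dev/null || true)
  case "$eku" in
    *"TLS Web Server Authentication"*) echo server ;;
    *"TLS Web Client Authentication"*) echo client ;;
    *) echo none ;;
  esac
}

# Constructed samples: one shaped like the excerpt, one for a server.
make_cert "$WORK/client.pem" "clientAuth,emailProtection"
make_cert "$WORK/server.pem" "serverAuth"

echo "client.pem: $(cert_role "$WORK/client.pem")"   # client
echo "server.pem: $(cert_role "$WORK/server.pem")"   # server
```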
