certificate for softphone


Hi all,

As stated in the subject, slightly off-topic, as it is not directly an
Asterisk issue, but more SIP in general.

Because security in general, and specifically identification, becomes
more and more a subject of concern, and Asterisk is capable of
doing SIP/TLS, I was wondering what more could be done to improve
security.

Especially for softphones, might it be possible to employ eTokens or
smartcards for holding the certificates needed by TLS?

Done before?

Curious, Hans

3 thoughts on - certificate for softphone

  • On 6 Nov 2010 at 15:30, Hans Witvliet wrote:

    In the SIP protocol there is support for TLS client certificates, much like in HTTP.

    Asterisk doesn’t support it. You need to put a SIP proxy like Kamailio in front of Asterisk to get this kind of strong authentication.

    /O

  • Am I that mistaken?

    I got the impression** that SIP registration of a phone could be done in
    the same way as client authentication on Apache:
    on the server side you have the certificate holding your public key, which
    is signed by a trusted third party (the CA), while you hold your private
    key on a smartcard or token. If you start your browser you are prompted
    for your PIN code.

    I was just hoping that there would be a softphone that could work the
    same way, two-factor authentication.

    Hans

    **
    http://www.remiphilippe.fr/2010/05/30/sips-on-asterisk-sip-security-with-tls/

    http://www.sipring.ru/overview/func-asterisk/100-asterisk-tls-transport.html

  • On 10 Nov 2010 at 21:48, Hans Witvliet wrote:

    I haven’t seen any soft clients implementing this. Bria/Eyebeam may have it, but they’ve removed all TLS options from the GUI.

    As I said, the SIP protocol supports it. Kamailio supports it on the server side. Now we need clients that support it.

    Now we’re talking about authentication. For identity assurance, there’s another set of standards called SIP Identity where you use TLS to sign your identity.
    The TLS is just between the phone and the first server. Identity is supposed to be something that follows the call to the callee.

    /O
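The Apache-style client-certificate check Hans describes above (server certificate from a CA, private key held on a token, the server demanding that key be proven during the TLS handshake), as an added example that is not part of the original thread and is not code from Asterisk, Kamailio or any softphone. It is written against the Go standard library only: a throw-away in-memory CA, a server configured with RequireAndVerifyClientCert, and a client whose private key is reachable only through a crypto.Signer that stands in for the smartcard. "Demo CA", "sip.example.invalid" and the client name are constructed values; the tokenSigner is a demo assumption (a real token would be driven through PKCS#11 and prompt for the PIN inside that driver).

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"io"
	"math/big"
	"net"
	"time"
)

// tokenSigner stands in for a smartcard or eToken: the TLS stack never sees the private
// key, it only asks the token to sign. Demo stand-in; a real token is driven via PKCS#11.
type tokenSigner struct {
	key   *ecdsa.PrivateKey
	signs int // how often the "token" was asked to sign
}

func (t *tokenSigner) Public() crypto.PublicKey { return t.key.Public() }
func (t *tokenSigner) Sign(r io.Reader, d []byte, o crypto.SignerOpts) ([]byte, error) {
	t.signs++
	return t.key.Sign(r, d, o)
}

// must panics on error: in this demo a failing RNG or encoder is unrecoverable.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// newCert issues a certificate for cn, self-signed when parent is nil (the CA).
// Constructed in-memory PKI for the demo, not a real CA.
func newCert(cn string, isCA bool, parent *x509.Certificate, parentKey crypto.Signer) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: must(rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))),
		Subject:      pkix.Name{CommonName: cn},
		IPAddresses:  []net.IP{net.ParseIP("127.0.0.1")}, // loopback SAN so the demo server verifies
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
	if isCA {
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

// buildPKI returns a server config that demands a CA-issued client certificate and a
// client config whose certificate key lives only in the token.
func buildPKI(clientCN string) (srv, cli *tls.Config, tok *tokenSigner) {
	ca, caKey := newCert("Demo CA", true, nil, nil)
	srvCert, srvKey := newCert("sip.example.invalid", false, ca, caKey)
	cliCert, cliKey := newCert(clientCN, false, ca, caKey)
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	tok = &tokenSigner{key: cliKey}
	srv = &tls.Config{
		Certificates: []tls.Certificate{{Certificate: [][]byte{srvCert.Raw}, PrivateKey: srvKey}},
		ClientAuth:   tls.RequireAndVerifyClientCert, // the second factor: a key the CA vouched for
		ClientCAs:    pool,
	}
	cli = &tls.Config{
		Certificates: []tls.Certificate{{Certificate: [][]byte{cliCert.Raw}, PrivateKey: tok}},
		RootCAs:      pool,
		ServerName:   "127.0.0.1",
	}
	return srv, cli, tok
}

// authenticateClient runs one handshake against a loopback server and returns the CommonName
// the server accepted, or an error when it refused the peer (no certificate, or one not
// chained to the CA). That is the same check Apache performs for client certificates.
func authenticateClient(srv, cli *tls.Config) (string, error) {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", srv)
	if err != nil {
		return "", err
	}
	defer ln.Close()
	accepted := make(chan string, 1) // "" signals rejection
	go func() {
		cn := ""
		if conn, err := ln.Accept(); err == nil {
			defer conn.Close()
			tc := conn.(*tls.Conn)
			if tc.Handshake() == nil { // fails unless the peer presented a cert chaining to ClientCAs
				cn = tc.ConnectionState().PeerCertificates[0].Subject.CommonName
			}
		}
		accepted <- cn
	}()
	conn, err := tls.Dial("tcp", ln.Addr().String(), cli)
	if err != nil {
		return "", err // a TLS 1.2 server aborts inside the handshake, TLS 1.3 right after it
	}
	defer conn.Close()
	if cn := <-accepted; cn != "" {
		return cn, nil
	}
	return "", errors.New("server rejected the client certificate")
}
```

Two design points the thread touches on are visible here. First, tls.Certificate.PrivateKey accepts any crypto.Signer, so the only difference between a file-based key and a smartcard-based one is which Signer you hand over; the key material itself never crosses into the TLS library, which is what makes the token the second factor. Second, the decision is the server's: with RequireAndVerifyClientCert the handshake on the server side does not complete unless a certificate chaining to ClientCAs was presented, and a client that sends no certificate, or one issued by a different CA, is refused (under TLS 1.3 the client only notices the refusal on its first read, so the server side is what to log and alert on).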