Difference between revisions of "ReproMutualTLSAuthenticationJitsi"

Line 1: Line 1:
!! Background
+
== Background ==
  
 
As of reSIProcate 1.8, the ''repro'' proxy supports Mutual (client) TLS authentication.
 
As of reSIProcate 1.8, the ''repro'' proxy supports Mutual (client) TLS authentication.
Line 9: Line 9:
 
* this works with or without a challenge password: you can still demand the local user to pass DIGEST authentication, or you can turn off DIGEST authentication and just rely on the client certificate
 
* this works with or without a challenge password: you can still demand the local user to pass DIGEST authentication, or you can turn off DIGEST authentication and just rely on the client certificate
  
!! Using it in practice - with Jitsi
+
== Using it in practice - with Jitsi ==
  
 
Jitsi is an excellent, free and open source softphone.  It has support for mutual TLS authentication.
 
Jitsi is an excellent, free and open source softphone.  It has support for mutual TLS authentication.
Line 15: Line 15:
 
This guide explains how to use that feature with ''repro''
 
This guide explains how to use that feature with ''repro''
  
!! Minimum requirements
+
== Minimum requirements ==
  
 
* Require repro v1.8.2 or greater
 
* Require repro v1.8.2 or greater
Line 27: Line 27:
 
* Normal CN certificates were tested (without subjectAltName or other extensions - that is for another day)
 
* Normal CN certificates were tested (without subjectAltName or other extensions - that is for another day)
  
!! Setup the repro server
+
== Setup the repro server ==
  
 
* Install the latest Debian 7.0 wheezy build
 
* Install the latest Debian 7.0 wheezy build
Line 36: Line 36:
 
  # apt-get install repro openssl
 
  # apt-get install repro openssl
 
</code>
 
</code>
 +
 +
* Create server certificates (note we are giving examples for '''pocock.com.au''' - insert your own domain instead)
 +
 +
<code>
 +
# openssl genrsa -out /etc/repro/ssl/domain_key_pocock.com.au.pem 4096
 +
# chmod 0640 /etc/repro/ssl/domain_key_pocock.com.au.pem
 +
# chgrp repro /etc/repro/ssl/domain_key_pocock.com.au.pem
 +
# openssl req -new -key /etc/repro/ssl/domain_key_pocock.com.au.pem -out /etc/repro/ssl/pocock.com.au.csr -subj '/CN=pocock.com.au'
 +
# cat /etc/repro/ssl/pocock.com.au.csr
 +
</code>
 +
 +
* Go to the CACert.org certificate request web form.  Cut and paste the contents of the CSR file (the output of the ''cat'' command)
 +
* The CA will now give you a certificate.  Install it on the repro server:
 +
 +
<code>
 +
# cat > /etc/repro/ssl/domain_cert_pocock.com.au.pem << EOF
 +
-----BEGIN CERTIFICATE-----
 +
MIIF5zCCA8+gAwIBAgIDAQKKMA0GCSqGSIb3DQEBBQUAMFQxFDASBgNVBAoTC0NB
 +
Y2VydCBJbmMuMR4wHAYDVQQLExVodHRwOi8vd3d3LkNBY2VydC5vcmcxHDAaBgNV
 +
BAMTE0NBY2VydCBDbGFzcyAzIFJvb3QwHhcNMTIwODAxMTQzOTA3WhcNMTQwODAx
 +
.
 +
.
 +
.
 +
vcx9+LYSwVLCr33NkDx9zqBn3Qp2ZcaUxOdSo/QxdnE2Wj7J06D309RuDRCxZA7E
 +
cvfc3qE1Q0ESbEOAmN+ZYHhCHZjKe3jNlxED
 +
-----END CERTIFICATE-----
 +
EOF
 +
</code>
 +
 +
* Now edit the repro config file, /etc/repro/repro.config
 +
 +
<code>
 +
# vi /etc/repro/repro.config
 +
</code>
 +
 +
* Here is a sample of the config settings:
 +
 +
<code>
 +
LoggingType = syslog
 +
LogLevel = INFO
 +
LogFilename = repro.log
 +
LogFileMaxBytes = 5242880
 +
IPAddress = 195.8.117.19
 +
UDPPort = 0
 +
TCPPort = 0
 +
TLSPort = 5062
 +
DTLSPort = 0
 +
TLSDomainName = pocock.com.au
 +
TLSClientVerification = Mandatory
 +
TLSUseEmailAsSIP = true
 +
Transport1Interface = 195.8.117.19:5062
 +
Transport1Type = TLS
 +
Transport1TlsDomain = pocock.com.au
 +
Transport1TlsClientVerification = Mandatory
 +
Transport1RecordRouteUri = sip:pocock.com.au;transport=TLS
 +
DNSServers =
 +
EnableIPv6 = false
 +
DisableIPv4 = false
 +
HttpPort = 5780
 +
DisableHttpAuth = false
 +
HttpAdminPassword = admin
 +
CommandPort = 5781
 +
RegSyncPort = 0
 +
RegSyncPeer =
 +
Daemonize = true
 +
PidFile = /var/run/repro/repro.pid
 +
CertificatePath = /etc/repro/ssl
 +
CADirectory = /etc/ssl/certs
 +
DatabasePath = /var/lib/repro
 +
MySQLServer = db-server-name
 +
MySQLUser = repro
 +
MySQLPassword = some-password
 +
MySQLDatabaseName = repro_db
 +
MySQLPort = 3306
 +
MySQLCustomUserAuthQuery = SELECT passwordHashAlt FROM users WHERE user = '$user' AND domain = 'pocock.com.au'
 +
EnableCertServer = false
 +
ServerText =
 +
CongestionManagement = true
 +
CongestionManagementMetric = WAIT_TIME
 +
CongestionManagementTolerance = 200
 +
StatisticsLogInterval = 3600
 +
ThreadedStack = true
 +
NumAuthGrabberWorkerThreads = 2
 +
NumAsyncProcessorWorkerThreads = 2
 +
Domains =
 +
RecordRouteUri = sip:pocock.com.au;transport=tls
 +
ForceRecordRouting = true
 +
AssumePath = false
 +
DisableRegistrar = false
 +
EnumSuffixes = e164.arpa, sip5060.net, e164.org
 +
TimerC = 180
 +
TimerT1 = 0
 +
DisableOutbound = false
 +
OutboundVersion = 5626
 +
EnableFlowTokens = false
 +
ClientNatDetectionMode = DISABLED
 +
FlowTimer = 0
 +
EnableCertificateAuthenticator = True
 +
DisableAuth = true
 +
HttpHostname =
 +
DisableIdentity = false
 +
EnablePAssertedIdentityProcessing = false
 +
DisableAuthInt = false
 +
RejectBadNonces = false
 +
AllowBadReg = false
 +
DisableRequestFilterProcessor = false
 +
RequestFilterDefaultNoMatchBehavior =
 +
RequestFilterDefaultDBErrorBehavior = 500, Server Internal DB Error
 +
RequestFilterMySQLServer =
 +
RequestFilterMySQLUser = root
 +
RequestFilterMySQLPassword = root
 +
RequestFilterMySQLDatabaseName =
 +
RequestFilterMySQLPort = 3306
 +
Routes =
 +
ParallelForkStaticRoutes = false
 +
ContinueProcessingAfterRoutesFound = false
 +
MessageSiloEnabled = false
 +
MessageSiloDestFilterRegex =
 +
MessageSiloMimeTypeFilterRegex = application\/im\-iscomposing\+xml
 +
MessageSiloExpirationTime = 2592000
 +
MessageSiloAddDateHeader = true
 +
MessageSiloMaxContentLength = 4096
 +
MessageSiloSuccessStatusCode = 202
 +
MessageSiloFilteredMimeTypeStatusCode = 200
 +
MessageSiloFailureStatusCode = 480
 +
RecursiveRedirect = false
 +
GeoProximityTargetSorting = false
 +
GeoProximityIPv4CityDatabaseFile = GeoLiteCity.dat
 +
GeoProximityIPv6CityDatabaseFile =
 +
GeoProximityRequestUriFilter = ^sip:mediaserver.*@mydomain.com$
 +
GeoProximityDefaultDistance = 0
 +
LoadBalanceEqualDistantTargets = true
 +
QValue = true
 +
QValueBehavior = EQUAL_Q_PARALLEL
 +
QValueCancelBetweenForkGroups = true
 +
QValueMsBeforeCancel = 30000
 +
QValueWaitForTerminateBetweenForkGroups = true
 +
QValueMsBetweenForkGroups = 3000
 +
</code>
 +
 +
* Things you MUST change in the sample config file above:
 +
* all instances of the domain '''pocock.com.au''' should be replaced with your domain
 +
* all instances of the IP address '''195.8.117.19''' should be replaced with your IP address
 +
* all the passwords ('''HttpAdminPassword''', '''MySQLPassword''')
 +
* and the other MySQL settings ('''MySQLServer''' and those items below it

Revision as of 10:41, 1 August 2012

Background

As of reSIProcate 1.8, the repro proxy supports Mutual (client) TLS authentication.

This means various things:

  • external users can be trusted based on the client certificate they present
  • local users can be trusted based on the client certificate they present
  • this works with or without a challenge password: you can still demand the local user to pass DIGEST authentication, or you can turn off DIGEST authentication and just rely on the client certificate

Using it in practice - with Jitsi

Jitsi is an excellent, free and open source softphone. It has support for mutual TLS authentication.

This guide explains how to use that feature with repro.

Minimum requirements

  • Require repro v1.8.2 or greater
  • Require Jitsi build 3912 or later (tested with 4142, the nightly build from 31 July 2012)

Other comments about the environment where this was tested:

  • Jitsi on a Debian 6.0 (squeeze, amd64) system with Oracle JRE 1.6.24
  • repro on a Debian 7.0 (wheezy pre-release, i386)
  • Free 4096 bit RSA certificates from CACert.org used on both client and server
  • Normal CN certificates were tested (without subjectAltName or other extensions - that is for another day)

Setup the repro server

  • Install the latest Debian 7.0 wheezy build
  • Install the repro package:

# apt-get update
# apt-get install repro openssl

  • Create server certificates (note we are giving examples for pocock.com.au - insert your own domain instead)

# openssl genrsa -out /etc/repro/ssl/domain_key_pocock.com.au.pem 4096
# chmod 0640 /etc/repro/ssl/domain_key_pocock.com.au.pem
# chgrp repro /etc/repro/ssl/domain_key_pocock.com.au.pem
# openssl req -new -key /etc/repro/ssl/domain_key_pocock.com.au.pem -out /etc/repro/ssl/pocock.com.au.csr -subj '/CN=pocock.com.au'
# cat /etc/repro/ssl/pocock.com.au.csr

  • Go to the CACert.org certificate request web form. Cut and paste the contents of the CSR file (the output of the cat command)
  • The CA will now give you a certificate. Install it on the repro server:

# cat > /etc/repro/ssl/domain_cert_pocock.com.au.pem << EOF
-----BEGIN CERTIFICATE-----
MIIF5zCCA8+gAwIBAgIDAQKKMA0GCSqGSIb3DQEBBQUAMFQxFDASBgNVBAoTC0NB
Y2VydCBJbmMuMR4wHAYDVQQLExVodHRwOi8vd3d3LkNBY2VydC5vcmcxHDAaBgNV
BAMTE0NBY2VydCBDbGFzcyAzIFJvb3QwHhcNMTIwODAxMTQzOTA3WhcNMTQwODAx
.
.
.
vcx9+LYSwVLCr33NkDx9zqBn3Qp2ZcaUxOdSo/QxdnE2Wj7J06D309RuDRCxZA7E
cvfc3qE1Q0ESbEOAmN+ZYHhCHZjKe3jNlxED
-----END CERTIFICATE-----
EOF

  • Now edit the repro config file, /etc/repro/repro.config

# vi /etc/repro/repro.config

  • Here is a sample of the config settings:

LoggingType = syslog
LogLevel = INFO
LogFilename = repro.log
LogFileMaxBytes = 5242880
IPAddress = 195.8.117.19
UDPPort = 0
TCPPort = 0
TLSPort = 5062
DTLSPort = 0
TLSDomainName = pocock.com.au
TLSClientVerification = Mandatory
TLSUseEmailAsSIP = true
Transport1Interface = 195.8.117.19:5062
Transport1Type = TLS
Transport1TlsDomain = pocock.com.au
Transport1TlsClientVerification = Mandatory
Transport1RecordRouteUri = sip:pocock.com.au;transport=TLS
DNSServers =
EnableIPv6 = false
DisableIPv4 = false
HttpPort = 5780
DisableHttpAuth = false
HttpAdminPassword = admin
CommandPort = 5781
RegSyncPort = 0
RegSyncPeer =
Daemonize = true
PidFile = /var/run/repro/repro.pid
CertificatePath = /etc/repro/ssl
CADirectory = /etc/ssl/certs
DatabasePath = /var/lib/repro
MySQLServer = db-server-name
MySQLUser = repro
MySQLPassword = some-password
MySQLDatabaseName = repro_db
MySQLPort = 3306
MySQLCustomUserAuthQuery = SELECT passwordHashAlt FROM users WHERE user = '$user' AND domain = 'pocock.com.au'
EnableCertServer = false
ServerText =
CongestionManagement = true
CongestionManagementMetric = WAIT_TIME
CongestionManagementTolerance = 200
StatisticsLogInterval = 3600
ThreadedStack = true
NumAuthGrabberWorkerThreads = 2
NumAsyncProcessorWorkerThreads = 2
Domains =
RecordRouteUri = sip:pocock.com.au;transport=tls
ForceRecordRouting = true
AssumePath = false
DisableRegistrar = false
EnumSuffixes = e164.arpa, sip5060.net, e164.org
TimerC = 180
TimerT1 = 0
DisableOutbound = false
OutboundVersion = 5626
EnableFlowTokens = false
ClientNatDetectionMode = DISABLED
FlowTimer = 0
EnableCertificateAuthenticator = True
DisableAuth = true
HttpHostname =
DisableIdentity = false
EnablePAssertedIdentityProcessing = false
DisableAuthInt = false
RejectBadNonces = false
AllowBadReg = false
DisableRequestFilterProcessor = false
RequestFilterDefaultNoMatchBehavior =
RequestFilterDefaultDBErrorBehavior = 500, Server Internal DB Error
RequestFilterMySQLServer =
RequestFilterMySQLUser = root
RequestFilterMySQLPassword = root
RequestFilterMySQLDatabaseName =
RequestFilterMySQLPort = 3306
Routes =
ParallelForkStaticRoutes = false
ContinueProcessingAfterRoutesFound = false
MessageSiloEnabled = false
MessageSiloDestFilterRegex =
MessageSiloMimeTypeFilterRegex = application\/im\-iscomposing\+xml
MessageSiloExpirationTime = 2592000
MessageSiloAddDateHeader = true
MessageSiloMaxContentLength = 4096
MessageSiloSuccessStatusCode = 202
MessageSiloFilteredMimeTypeStatusCode = 200
MessageSiloFailureStatusCode = 480
RecursiveRedirect = false
GeoProximityTargetSorting = false
GeoProximityIPv4CityDatabaseFile = GeoLiteCity.dat
GeoProximityIPv6CityDatabaseFile =
GeoProximityRequestUriFilter = ^sip:mediaserver.*@mydomain.com$
GeoProximityDefaultDistance = 0
LoadBalanceEqualDistantTargets = true
QValue = true
QValueBehavior = EQUAL_Q_PARALLEL
QValueCancelBetweenForkGroups = true
QValueMsBeforeCancel = 30000
QValueWaitForTerminateBetweenForkGroups = true
QValueMsBetweenForkGroups = 3000

  • Things you MUST change in the sample config file above:
* all instances of the domain pocock.com.au should be replaced with your domain
* all instances of the IP address 195.8.117.19 should be replaced with your IP address
* all the passwords (HttpAdminPassword, MySQLPassword, and RequestFilterMySQLPassword, which the sample above leaves set to root)
* and the other MySQL settings (MySQLServer and the items below it)