Difference between revisions of "ReproMutualTLSAuthenticationJitsi"

Line 73: Line 73:
 
* Here is a sample of the config settings:
 
* Here is a sample of the config settings:
  
<code>
+
LoggingType = syslog
LoggingType = syslog
+
LogLevel = INFO
LogLevel = INFO
+
LogFilename = repro.log
LogFilename = repro.log
+
LogFileMaxBytes = 5242880
LogFileMaxBytes = 5242880
+
IPAddress = 195.8.117.19
IPAddress = 195.8.117.19
+
UDPPort = 0
UDPPort = 0
+
TCPPort = 0
TCPPort = 0
+
TLSPort = 5062
TLSPort = 5062
+
DTLSPort = 0
DTLSPort = 0
+
TLSDomainName = pocock.com.au
TLSDomainName = pocock.com.au
+
TLSClientVerification = Mandatory
TLSClientVerification = Mandatory
+
TLSUseEmailAsSIP = true
TLSUseEmailAsSIP = true
+
Transport1Interface = 195.8.117.19:5062
Transport1Interface = 195.8.117.19:5062
+
Transport1Type = TLS
Transport1Type = TLS
+
Transport1TlsDomain = pocock.com.au
Transport1TlsDomain = pocock.com.au
+
Transport1TlsClientVerification = Mandatory
Transport1TlsClientVerification = Mandatory
+
Transport1RecordRouteUri = sip:pocock.com.au;transport=TLS
Transport1RecordRouteUri = sip:pocock.com.au;transport=TLS
+
DNSServers =
DNSServers =
+
EnableIPv6 = false
EnableIPv6 = false
+
DisableIPv4 = false
DisableIPv4 = false
+
HttpPort = 5780
HttpPort = 5780
+
DisableHttpAuth = false
DisableHttpAuth = false
+
HttpAdminPassword = admin
HttpAdminPassword = admin
+
CommandPort = 5781
CommandPort = 5781
+
RegSyncPort = 0
RegSyncPort = 0
+
RegSyncPeer =
RegSyncPeer =
+
Daemonize = true
Daemonize = true
+
PidFile = /var/run/repro/repro.pid
PidFile = /var/run/repro/repro.pid
+
CertificatePath = /etc/repro/ssl
CertificatePath = /etc/repro/ssl
+
CADirectory = /etc/ssl/certs
CADirectory = /etc/ssl/certs
+
DatabasePath = /var/lib/repro
DatabasePath = /var/lib/repro
+
MySQLServer = db-server-name
MySQLServer = db-server-name
+
MySQLUser = repro
MySQLUser = repro
+
MySQLPassword = some-password
MySQLPassword = some-password
+
MySQLDatabaseName = repro_db
MySQLDatabaseName = repro_db
+
MySQLPort = 3306
MySQLPort = 3306
+
MySQLCustomUserAuthQuery = SELECT passwordHashAlt FROM users WHERE user = '$user' AND domain = 'pocock.com.au'
MySQLCustomUserAuthQuery = SELECT passwordHashAlt FROM users WHERE user = '$user' AND domain = 'pocock.com.au'
+
EnableCertServer = false
EnableCertServer = false
+
ServerText =
ServerText =
+
CongestionManagement = true
CongestionManagement = true
+
CongestionManagementMetric = WAIT_TIME
CongestionManagementMetric = WAIT_TIME
+
CongestionManagementTolerance = 200
CongestionManagementTolerance = 200
+
StatisticsLogInterval = 3600
StatisticsLogInterval = 3600
+
ThreadedStack = true
ThreadedStack = true
+
NumAuthGrabberWorkerThreads = 2
NumAuthGrabberWorkerThreads = 2
+
NumAsyncProcessorWorkerThreads = 2
NumAsyncProcessorWorkerThreads = 2
+
Domains =
Domains =
+
RecordRouteUri = sip:pocock.com.au;transport=tls
RecordRouteUri = sip:pocock.com.au;transport=tls
+
ForceRecordRouting = true
ForceRecordRouting = true
+
AssumePath = false
AssumePath = false
+
DisableRegistrar = false
DisableRegistrar = false
+
EnumSuffixes = e164.arpa, sip5060.net, e164.org
EnumSuffixes = e164.arpa, sip5060.net, e164.org
+
TimerC = 180
TimerC = 180
+
TimerT1 = 0
TimerT1 = 0
+
DisableOutbound = false
DisableOutbound = false
+
OutboundVersion = 5626
OutboundVersion = 5626
+
EnableFlowTokens = false
EnableFlowTokens = false
+
ClientNatDetectionMode = DISABLED
ClientNatDetectionMode = DISABLED
+
FlowTimer = 0
FlowTimer = 0
+
EnableCertificateAuthenticator = True
EnableCertificateAuthenticator = True
+
DisableAuth = true
DisableAuth = true
+
HttpHostname =
HttpHostname =
+
DisableIdentity = false
DisableIdentity = false
+
EnablePAssertedIdentityProcessing = false
EnablePAssertedIdentityProcessing = false
+
DisableAuthInt = false
DisableAuthInt = false
+
RejectBadNonces = false
RejectBadNonces = false
+
AllowBadReg = false
AllowBadReg = false
+
DisableRequestFilterProcessor = false
DisableRequestFilterProcessor = false
+
RequestFilterDefaultNoMatchBehavior =
RequestFilterDefaultNoMatchBehavior =
+
RequestFilterDefaultDBErrorBehavior = 500, Server Internal DB Error
RequestFilterDefaultDBErrorBehavior = 500, Server Internal DB Error
+
RequestFilterMySQLServer =
RequestFilterMySQLServer =
+
RequestFilterMySQLUser = root
RequestFilterMySQLUser = root
+
RequestFilterMySQLPassword = root
RequestFilterMySQLPassword = root
+
RequestFilterMySQLDatabaseName =  
RequestFilterMySQLDatabaseName =  
+
RequestFilterMySQLPort = 3306
RequestFilterMySQLPort = 3306
+
Routes =
Routes =
+
ParallelForkStaticRoutes = false
ParallelForkStaticRoutes = false
+
ContinueProcessingAfterRoutesFound = false
ContinueProcessingAfterRoutesFound = false
+
MessageSiloEnabled = false
MessageSiloEnabled = false
+
MessageSiloDestFilterRegex =
MessageSiloDestFilterRegex =
+
MessageSiloMimeTypeFilterRegex = application\/im\-iscomposing\+xml
MessageSiloMimeTypeFilterRegex = application\/im\-iscomposing\+xml
+
MessageSiloExpirationTime = 2592000
MessageSiloExpirationTime = 2592000
+
MessageSiloAddDateHeader = true
MessageSiloAddDateHeader = true
+
MessageSiloMaxContentLength = 4096
MessageSiloMaxContentLength = 4096
+
MessageSiloSuccessStatusCode = 202
MessageSiloSuccessStatusCode = 202
+
MessageSiloFilteredMimeTypeStatusCode = 200
MessageSiloFilteredMimeTypeStatusCode = 200
+
MessageSiloFailureStatusCode = 480
MessageSiloFailureStatusCode = 480
+
RecursiveRedirect = false
RecursiveRedirect = false
+
GeoProximityTargetSorting = false
GeoProximityTargetSorting = false
+
GeoProximityIPv4CityDatabaseFile = GeoLiteCity.dat
GeoProximityIPv4CityDatabaseFile = GeoLiteCity.dat
+
GeoProximityIPv6CityDatabaseFile =
GeoProximityIPv6CityDatabaseFile =
+
GeoProximityRequestUriFilter = ^sip:mediaserver.*@mydomain.com$
GeoProximityRequestUriFilter = ^sip:mediaserver.*@mydomain.com$
+
GeoProximityDefaultDistance = 0
GeoProximityDefaultDistance = 0
+
LoadBalanceEqualDistantTargets = true
LoadBalanceEqualDistantTargets = true
+
QValue = true
QValue = true
+
QValueBehavior = EQUAL_Q_PARALLEL
QValueBehavior = EQUAL_Q_PARALLEL
+
QValueCancelBetweenForkGroups = true
QValueCancelBetweenForkGroups = true
+
QValueMsBeforeCancel = 30000
QValueMsBeforeCancel = 30000
+
QValueWaitForTerminateBetweenForkGroups = true
QValueWaitForTerminateBetweenForkGroups = true
+
QValueMsBetweenForkGroups = 3000
QValueMsBetweenForkGroups = 3000
 
</code>
 
  
 
* Things you MUST change in the sample config file above:
 
* Things you MUST change in the sample config file above:
* all instances of the domain '''pocock.com.au''' should be replaced with your domain
+
** all instances of the domain '''pocock.com.au''' should be replaced with your domain
* all instances of the IP address '''195.8.117.19''' should be replaced with your IP address
+
** all instances of the IP address '''195.8.117.19''' should be replaced with your IP address
* all the passwords ('''HttpAdminPassword''', '''MySQLPassword''')
+
** all the passwords ('''HttpAdminPassword''', '''MySQLPassword''')
* and the other MySQL settings ('''MySQLServer''' and those items below it
+
** and the other MySQL settings ('''MySQLServer''' and those items below it

Revision as of 09:43, 1 August 2012

Background

As of reSIProcate 1.8, the repro proxy supports Mutual (client) TLS authentication.

This means various things:

  • external users can be trusted based on the client certificate they present
  • local users can be trusted based on the client certificate they present
  • this works with or without a challenge password: you can still demand the local user to pass DIGEST authentication, or you can turn off DIGEST authentication and just rely on the client certificate

Using it in practice - with Jitsi

Jitsi is an excellent, free and open source softphone. It has support for mutual TLS authentication.

This guide explains how to use that feature with repro.

Minimum requirements

  • Require repro v1.8.2 or greater
  • Require Jitsi build 3912 or later (tested with 4142, the nightly build from 31 July 2012)

Other comments about the environment where this was tested:

  • Jitsi on a Debian 6.0 (squeeze, amd64) system with Oracle JRE 1.6.24
  • repro on a Debian 7.0 (wheezy pre-release, i386)
  • Free 4096-bit RSA certificates from CACert.org (see the certificate request step below) used on both client and server
  • Normal CN certificates were tested (without subjectAltName or other extensions - that is for another day)

Setup the repro server

  • Install the latest Debian 7.0 wheezy build
  • Install the repro package:

# apt-get update
# apt-get install repro openssl

  • Create server certificates (note we are giving examples for pocock.com.au - insert your own domain instead)

# openssl genrsa -out /etc/repro/ssl/domain_key_pocock.com.au.pem 4096
# chmod 0640 /etc/repro/ssl/domain_key_pocock.com.au.pem
# chgrp repro /etc/repro/ssl/domain_key_pocock.com.au.pem
# openssl req -new -key /etc/repro/ssl/domain_key_pocock.com.au.pem -out /etc/repro/ssl/pocock.com.au.csr -subj '/CN=pocock.com.au'
# cat /etc/repro/ssl/pocock.com.au.csr

  • Go to the CACert.org certificate request web form. Cut and paste the contents of the CSR file (the output of the cat command)
  • The CA will now give you a certificate. Install it on the repro server:

# cat > /etc/repro/ssl/domain_cert_pocock.com.au.pem << EOF
-----BEGIN CERTIFICATE-----
MIIF5zCCA8+gAwIBAgIDAQKKMA0GCSqGSIb3DQEBBQUAMFQxFDASBgNVBAoTC0NB
Y2VydCBJbmMuMR4wHAYDVQQLExVodHRwOi8vd3d3LkNBY2VydC5vcmcxHDAaBgNV
BAMTE0NBY2VydCBDbGFzcyAzIFJvb3QwHhcNMTIwODAxMTQzOTA3WhcNMTQwODAx
.
.
.
vcx9+LYSwVLCr33NkDx9zqBn3Qp2ZcaUxOdSo/QxdnE2Wj7J06D309RuDRCxZA7E
cvfc3qE1Q0ESbEOAmN+ZYHhCHZjKe3jNlxED
-----END CERTIFICATE-----
EOF

  • Now edit the repro config file, /etc/repro/repro.config

# vi /etc/repro/repro.config

  • Here is a sample of the config settings:
# Sample /etc/repro/repro.config for mutual (client) TLS authentication.
# pocock.com.au and 195.8.117.19 are placeholders; see the
# "Things you MUST change" list after this listing.

# Logging
LoggingType = syslog
LogLevel = INFO
LogFilename = repro.log
LogFileMaxBytes = 5242880

# Listening transports: only TLS is enabled (UDP, TCP and DTLS ports are 0).
IPAddress = 195.8.117.19
UDPPort = 0
TCPPort = 0
TLSPort = 5062
DTLSPort = 0
TLSDomainName = pocock.com.au
# Mandatory: every connecting client must present a certificate.
TLSClientVerification = Mandatory
# NOTE(review): presumably maps an e-mail address carried in the client
# certificate to the SIP identity; the certificates tested in this guide
# carry only a CN - confirm the expected behaviour.
TLSUseEmailAsSIP = true
# Explicit transport definition; keep it consistent with the TLS settings above.
Transport1Interface = 195.8.117.19:5062
Transport1Type = TLS
Transport1TlsDomain = pocock.com.au
Transport1TlsClientVerification = Mandatory
Transport1RecordRouteUri = sip:pocock.com.au;transport=TLS

# Name resolution and IP version
DNSServers =
EnableIPv6 = false
DisableIPv4 = false

# Web administration interface. HttpAdminPassword is a placeholder and
# must be changed before deployment.
HttpPort = 5780
DisableHttpAuth = false
HttpAdminPassword = admin
CommandPort = 5781

# Registration sync (not used here)
RegSyncPort = 0
RegSyncPeer =

# Process control
Daemonize = true
PidFile = /var/run/repro/repro.pid

# Certificates: the server key and certificate created earlier live in
# CertificatePath. NOTE(review): the root certificate of the CA that issued
# the client certificates is expected to be found under CADirectory - confirm
# it is present there.
CertificatePath = /etc/repro/ssl
CADirectory = /etc/ssl/certs

# User database. Replace the MySQL settings with your own (see the list below).
DatabasePath = /var/lib/repro
MySQLServer = db-server-name
MySQLUser = repro
MySQLPassword = some-password
MySQLDatabaseName = repro_db
MySQLPort = 3306
# $user is substituted into this query at run time.
# NOTE(review): check how repro escapes the substituted value before
# relying on a custom query like this one.
MySQLCustomUserAuthQuery = SELECT passwordHashAlt FROM users WHERE user = '$user' AND domain = 'pocock.com.au'
EnableCertServer = false
ServerText =

# Congestion management, statistics and threading
CongestionManagement = true
CongestionManagementMetric = WAIT_TIME
CongestionManagementTolerance = 200
StatisticsLogInterval = 3600
ThreadedStack = true
NumAuthGrabberWorkerThreads = 2
NumAsyncProcessorWorkerThreads = 2

# Routing
Domains =
RecordRouteUri = sip:pocock.com.au;transport=tls
ForceRecordRouting = true
AssumePath = false
DisableRegistrar = false
EnumSuffixes = e164.arpa, sip5060.net, e164.org
TimerC = 180
TimerT1 = 0

# SIP outbound and flow tokens
DisableOutbound = false
OutboundVersion = 5626
EnableFlowTokens = false
ClientNatDetectionMode = DISABLED
FlowTimer = 0

# Authentication: DIGEST challenges are turned off (DisableAuth) and the
# client certificate is relied on instead (EnableCertificateAuthenticator),
# as described in the Background section.
# NOTE(review): "True" differs in case from every other boolean in this
# file; confirm the parser accepts it, or write "true" for consistency.
EnableCertificateAuthenticator = True
DisableAuth = true
HttpHostname =
DisableIdentity = false
EnablePAssertedIdentityProcessing = false
DisableAuthInt = false
RejectBadNonces = false
AllowBadReg = false

# Request filter. The MySQL credentials below are placeholders (root/root)
# and are not covered by the must-change list; change them if
# RequestFilterMySQLServer is ever set.
DisableRequestFilterProcessor = false
RequestFilterDefaultNoMatchBehavior =
RequestFilterDefaultDBErrorBehavior = 500, Server Internal DB Error
RequestFilterMySQLServer =
RequestFilterMySQLUser = root
RequestFilterMySQLPassword = root
RequestFilterMySQLDatabaseName = 
RequestFilterMySQLPort = 3306

# Static routes
Routes =
ParallelForkStaticRoutes = false
ContinueProcessingAfterRoutesFound = false

# Message silo (disabled)
MessageSiloEnabled = false
MessageSiloDestFilterRegex =
MessageSiloMimeTypeFilterRegex = application\/im\-iscomposing\+xml
MessageSiloExpirationTime = 2592000
MessageSiloAddDateHeader = true
MessageSiloMaxContentLength = 4096
MessageSiloSuccessStatusCode = 202
MessageSiloFilteredMimeTypeStatusCode = 200
MessageSiloFailureStatusCode = 480

# Redirect handling and geo-proximity target sorting (disabled)
RecursiveRedirect = false
GeoProximityTargetSorting = false
GeoProximityIPv4CityDatabaseFile = GeoLiteCity.dat
GeoProximityIPv6CityDatabaseFile =
GeoProximityRequestUriFilter = ^sip:mediaserver.*@mydomain.com$
GeoProximityDefaultDistance = 0
LoadBalanceEqualDistantTargets = true

# Q-value based forking
QValue = true
QValueBehavior = EQUAL_Q_PARALLEL
QValueCancelBetweenForkGroups = true
QValueMsBeforeCancel = 30000
QValueWaitForTerminateBetweenForkGroups = true
QValueMsBetweenForkGroups = 3000
  • Things you MUST change in the sample config file above:
    • all instances of the domain pocock.com.au should be replaced with your domain
    • all instances of the IP address 195.8.117.19 should be replaced with your IP address
    • all the passwords (HttpAdminPassword, MySQLPassword)
    • and the other MySQL settings (MySQLServer and the items below it)