Difference between revisions of "ReproMutualTLSAuthenticationJitsi"

From reSIProcate
(Created page with " As of reSIProcate 1.8, the repro proxy supports Mutual (client) TLS authentication. This means various things: * external users can be trusted based on the client certificate ...")
 
Line 1: Line 1:
 +
!! Background
  
As of reSIProcate 1.8, the repro proxy supports Mutual (client) TLS authentication.
+
As of reSIProcate 1.8, the ''repro'' proxy supports Mutual (client) TLS authentication.
  
 
This means various things:
 
This means various things:
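Review bot: The added heading line "!! Background" at the top of this hunk is not MediaWiki heading markup, so it appears as the literal text "!! Background" in the rendered revision instead of as a section heading. Use "== Background ==" here, and the same form for the other "!!" headings added further down the page.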
Line 7: Line 8:
 
* local users can be trusted based on the client certificate they present
 
* local users can be trusted based on the client certificate they present
 
* this works with or without a challenge password: you can still demand the local user to pass DIGEST authentication, or you can turn off DIGEST authentication and just rely on the client certificate
 
* this works with or without a challenge password: you can still demand the local user to pass DIGEST authentication, or you can turn off DIGEST authentication and just rely on the client certificate
 +
 +
!! Using it in practice - with Jitsi
 +
 +
Jitsi is an excellent, free and open source softphone.  It has support for mutual TLS authentication.
 +
 +
This guide explains how to use that feature with ''repro''
 +
 +
!! Minimum requirements
 +
 +
* Require repro v1.8.2 or greater
 +
* Require Jitsi build 3912 or later (tested with 4142, the nightly build from 31 July 2012)
 +
 +
Other comments about the environment where this was tested:
 +
 +
* Jitsi on a Debian 6.0 (squeeze, amd64) system with Oracle JRE 1.6.24
 +
* ''repro'' on a Debian 7.0 (wheezy pre-release, i386)
 +
* Free 4096 bit RSA certificates from [[http://www.CACert.org]] used on both client and server
 +
* Normal CN certificates were tested (without subjectAltName or other extensions - that is for another day)
 +
 +
!! Setup the repro server
 +
 +
* Install the latest Debian 7.0 wheezy build
 +
* Install the repro package:
 +
 +
<code>
 +
# apt-get update
 +
# apt-get install repro openssl
 +
</code>
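Review bot: Inside the added <code> element, the two lines starting with "# apt-get" are still parsed as wiki markup, so the leading "#" turns them into a numbered list and the rendered revision shows "1. apt-get update" with the root prompt lost. Wrap the commands in <pre> (or begin each line with a space) so they display verbatim. In the same hunk, "[[http://www.CACert.org]]" puts internal-link brackets around an external URL and renders as "[[1]]"; single brackets with a label, or the bare URL, would keep the CA name visible to readers.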

Revision as of 09:26, 1 August 2012

!! Background

As of reSIProcate 1.8, the repro proxy supports mutual (client) TLS authentication.

This means various things:

  • external users can be trusted based on the client certificate they present
  • local users can be trusted based on the client certificate they present
  • this works with or without a challenge password: you can still require the local user to pass DIGEST authentication, or you can turn off DIGEST authentication and rely on the client certificate alone

!! Using it in practice - with Jitsi

Jitsi is an excellent, free and open source softphone. It has support for mutual TLS authentication.

This guide explains how to use that feature with repro.

!! Minimum requirements

  • Require repro v1.8.2 or greater
  • Require Jitsi build 3912 or later (tested with 4142, the nightly build from 31 July 2012)

Other comments about the environment where this was tested:

  • Jitsi on a Debian 6.0 (squeeze, amd64) system with Oracle JRE 1.6.24
  • repro on a Debian 7.0 (wheezy pre-release, i386)
  • Free 4096 bit RSA certificates from http://www.CACert.org used on both client and server
  • Normal CN certificates were tested (without subjectAltName or other extensions - that is for another day)

!! Setup the repro server

  • Install the latest Debian 7.0 wheezy build
  • Install the repro package:

<code>
# apt-get update
# apt-get install repro openssl
</code>