ReproMutualTLSAuthenticationJitsi

From reSIProcate
Revision as of 10:41, 1 August 2012 by Dpocock (talk | contribs)

Background

As of reSIProcate 1.8, the repro proxy supports Mutual (client) TLS authentication.

This means various things:

  • external users can be trusted based on the client certificate they present
  • local users can be trusted based on the client certificate they present
  • this works with or without a challenge password: you can still require local users to pass DIGEST authentication, or you can turn off DIGEST authentication and rely on the client certificate alone

Using it in practice - with Jitsi

Jitsi is an excellent, free and open source softphone. It has support for mutual TLS authentication.

This guide explains how to use that feature with repro.

Minimum requirements

  • Require repro v1.8.2 or greater
  • Require Jitsi build 3912 or later (tested with 4142, the nightly build from 31 July 2012)

Other comments about the environment where this was tested:

  • Jitsi on a Debian 6.0 (squeeze, amd64) system with Oracle JRE 1.6.24
  • repro on a Debian 7.0 (wheezy pre-release, i386)
  • Free 4096 bit RSA certificates from CACert.org used on both client and server
  • Normal CN certificates were tested (without subjectAltName or other extensions - that is for another day)

Set up the repro server

  • Install the latest Debian 7.0 wheezy build
  • Install the repro package:

# apt-get update
# apt-get install repro openssl

  • Create server certificates (note: the examples use the domain pocock.com.au - substitute your own domain)

# openssl genrsa -out /etc/repro/ssl/domain_key_pocock.com.au.pem 4096
# chmod 0640 /etc/repro/ssl/domain_key_pocock.com.au.pem
# chgrp repro /etc/repro/ssl/domain_key_pocock.com.au.pem
# openssl req -new -key /etc/repro/ssl/domain_key_pocock.com.au.pem -out /etc/repro/ssl/pocock.com.au.csr -subj '/CN=pocock.com.au'
# cat /etc/repro/ssl/pocock.com.au.csr

  • Go to the CACert.org certificate request web form. Cut and paste the contents of the CSR file (the output of the cat command)
  • The CA will now give you a certificate. Install it on the repro server:

# cat > /etc/repro/ssl/domain_cert_pocock.com.au.pem << EOF
-----BEGIN CERTIFICATE-----
MIIF5zCCA8+gAwIBAgIDAQKKMA0GCSqGSIb3DQEBBQUAMFQxFDASBgNVBAoTC0NB
Y2VydCBJbmMuMR4wHAYDVQQLExVodHRwOi8vd3d3LkNBY2VydC5vcmcxHDAaBgNV
BAMTE0NBY2VydCBDbGFzcyAzIFJvb3QwHhcNMTIwODAxMTQzOTA3WhcNMTQwODAx
.
.
.
vcx9+LYSwVLCr33NkDx9zqBn3Qp2ZcaUxOdSo/QxdnE2Wj7J06D309RuDRCxZA7E
cvfc3qE1Q0ESbEOAmN+ZYHhCHZjKe3jNlxED
-----END CERTIFICATE-----
EOF

  • Now edit the repro config file, /etc/repro/repro.config

# vi /etc/repro/repro.config

  • Here is a sample of the config settings:

LoggingType = syslog
LogLevel = INFO
LogFilename = repro.log
LogFileMaxBytes = 5242880
IPAddress = 195.8.117.19
UDPPort = 0
TCPPort = 0
TLSPort = 5062
DTLSPort = 0
TLSDomainName = pocock.com.au
TLSClientVerification = Mandatory
TLSUseEmailAsSIP = true
Transport1Interface = 195.8.117.19:5062
Transport1Type = TLS
Transport1TlsDomain = pocock.com.au
Transport1TlsClientVerification = Mandatory
Transport1RecordRouteUri = sip:pocock.com.au;transport=TLS
DNSServers =
EnableIPv6 = false
DisableIPv4 = false
HttpPort = 5780
DisableHttpAuth = false
HttpAdminPassword = admin
CommandPort = 5781
RegSyncPort = 0
RegSyncPeer =
Daemonize = true
PidFile = /var/run/repro/repro.pid
CertificatePath = /etc/repro/ssl
CADirectory = /etc/ssl/certs
DatabasePath = /var/lib/repro
MySQLServer = db-server-name
MySQLUser = repro
MySQLPassword = some-password
MySQLDatabaseName = repro_db
MySQLPort = 3306
MySQLCustomUserAuthQuery = SELECT passwordHashAlt FROM users WHERE user = '$user' AND domain = 'pocock.com.au'
EnableCertServer = false
ServerText =
CongestionManagement = true
CongestionManagementMetric = WAIT_TIME
CongestionManagementTolerance = 200
StatisticsLogInterval = 3600
ThreadedStack = true
NumAuthGrabberWorkerThreads = 2
NumAsyncProcessorWorkerThreads = 2
Domains =
RecordRouteUri = sip:pocock.com.au;transport=tls
ForceRecordRouting = true
AssumePath = false
DisableRegistrar = false
EnumSuffixes = e164.arpa, sip5060.net, e164.org
TimerC = 180
TimerT1 = 0
DisableOutbound = false
OutboundVersion = 5626
EnableFlowTokens = false
ClientNatDetectionMode = DISABLED
FlowTimer = 0
EnableCertificateAuthenticator = True
DisableAuth = true
HttpHostname =
DisableIdentity = false
EnablePAssertedIdentityProcessing = false
DisableAuthInt = false
RejectBadNonces = false
AllowBadReg = false
DisableRequestFilterProcessor = false
RequestFilterDefaultNoMatchBehavior =
RequestFilterDefaultDBErrorBehavior = 500, Server Internal DB Error
RequestFilterMySQLServer =
RequestFilterMySQLUser = root
RequestFilterMySQLPassword = root
RequestFilterMySQLDatabaseName =
RequestFilterMySQLPort = 3306
Routes =
ParallelForkStaticRoutes = false
ContinueProcessingAfterRoutesFound = false
MessageSiloEnabled = false
MessageSiloDestFilterRegex =
MessageSiloMimeTypeFilterRegex = application\/im\-iscomposing\+xml
MessageSiloExpirationTime = 2592000
MessageSiloAddDateHeader = true
MessageSiloMaxContentLength = 4096
MessageSiloSuccessStatusCode = 202
MessageSiloFilteredMimeTypeStatusCode = 200
MessageSiloFailureStatusCode = 480
RecursiveRedirect = false
GeoProximityTargetSorting = false
GeoProximityIPv4CityDatabaseFile = GeoLiteCity.dat
GeoProximityIPv6CityDatabaseFile =
GeoProximityRequestUriFilter = ^sip:mediaserver.*@mydomain.com$
GeoProximityDefaultDistance = 0
LoadBalanceEqualDistantTargets = true
QValue = true
QValueBehavior = EQUAL_Q_PARALLEL
QValueCancelBetweenForkGroups = true
QValueMsBeforeCancel = 30000
QValueWaitForTerminateBetweenForkGroups = true
QValueMsBetweenForkGroups = 3000

  • Things you MUST change in the sample config file above:
* all instances of the domain pocock.com.au should be replaced with your domain
* all instances of the IP address 195.8.117.19 should be replaced with your IP address
* all the passwords (HttpAdminPassword, MySQLPassword)
* and the other MySQL settings (MySQLServer and those items below it
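As an added check (this script is not part of this page or of reSIProcate), the following Python reads a repro.config in the key = value form shown above and reports the things the sample file depends on for mutual TLS: client verification set to Mandatory globally and on every TransportN of type TLS, EnableCertificateAuthenticator turned on whenever DisableAuth = true (since the certificate is then the only authentication step), CADirectory populated, and any of the example values (the pocock.com.au domain, the 195.8.117.19 address, the sample passwords) still present. SAMPLE_CONFIG is a constructed excerpt of the sample above; treating lines beginning with '#' as comments and the list of placeholder values are assumptions of this script.

```python
"""Lint a repro.config for the mutual-TLS settings described on this page."""
import re

# Constructed excerpt of the sample config shown above (the real file has more keys).
SAMPLE_CONFIG = """\
IPAddress = 195.8.117.19
TLSPort = 5062
TLSDomainName = pocock.com.au
TLSClientVerification = Mandatory
TLSUseEmailAsSIP = true
Transport1Interface = 195.8.117.19:5062
Transport1Type = TLS
Transport1TlsDomain = pocock.com.au
Transport1TlsClientVerification = Mandatory
HttpAdminPassword = admin
CertificatePath = /etc/repro/ssl
CADirectory = /etc/ssl/certs
MySQLServer = db-server-name
MySQLPassword = some-password
EnableCertificateAuthenticator = True
DisableAuth = true
RequestFilterMySQLUser = root
RequestFilterMySQLPassword = root
"""

EXAMPLE_DOMAIN = "pocock.com.au"
EXAMPLE_IP = "195.8.117.19"
# Values the sample file ships with that must not survive into a real deployment
# (assumed list, taken from the sample above).
PLACEHOLDER_SECRETS = {"admin", "root", "some-password", "db-server-name"}


def parse_repro_config(text):
    """Parse 'Key = value' lines into a dict; blank values are kept as ''.
    Lines starting with '#' are skipped as comments (assumption about the format)."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            settings[key.strip()] = value.strip()
    return settings


def is_true(value):
    return value.strip().lower() == "true"


def lint_mutual_tls(settings, example_domain=EXAMPLE_DOMAIN, example_ip=EXAMPLE_IP):
    """Return a list of (key, problem) findings; an empty list means all checks pass."""
    findings = []
    # Client-certificate verification must be mandatory both globally and on
    # every TransportN whose type is TLS.
    if settings.get("TLSClientVerification") != "Mandatory":
        findings.append(("TLSClientVerification", "expected Mandatory"))
    for key, value in settings.items():
        m = re.fullmatch(r"Transport(\d+)Type", key)
        if m and value.upper() == "TLS":
            vkey = f"Transport{m.group(1)}TlsClientVerification"
            if settings.get(vkey) != "Mandatory":
                findings.append((vkey, "expected Mandatory"))
    # With DIGEST switched off, the certificate authenticator is the only auth step.
    if is_true(settings.get("DisableAuth", "false")) and not is_true(
        settings.get("EnableCertificateAuthenticator", "false")
    ):
        findings.append(("EnableCertificateAuthenticator", "must be true when DisableAuth = true"))
    # Client certificate chains are validated against CADirectory, so it must be set.
    if not settings.get("CADirectory"):
        findings.append(("CADirectory", "must point at the trusted CA certificates"))
    # The values the page says MUST be replaced before use.
    for key, value in settings.items():
        if example_domain in value:
            findings.append((key, f"still uses the example domain {example_domain}"))
        if example_ip in value:
            findings.append((key, f"still uses the example IP {example_ip}"))
        if ("Password" in key or key.endswith("Server")) and value in PLACEHOLDER_SECRETS:
            findings.append((key, "placeholder value from the sample file"))
    return findings


def adapt_sample(domain, ip, secrets):
    """Rewrite the sample excerpt with the deployer's own domain, IP and secrets."""
    text = SAMPLE_CONFIG.replace(EXAMPLE_DOMAIN, domain).replace(EXAMPLE_IP, ip)
    settings = parse_repro_config(text)
    settings.update(secrets)
    return settings


if __name__ == "__main__":
    for key, problem in lint_mutual_tls(parse_repro_config(SAMPLE_CONFIG)):
        print(f"{key}: {problem}")
```

Run against the unmodified sample it lists the domain, address and password values that still need replacing; run against a config adapted with your own values it prints nothing, and it also catches a TLS transport whose TransportNTlsClientVerification was left out or a DisableAuth = true without the certificate authenticator.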