[asterisk-users] OT: certificate for softphone
Hans Witvliet
hwit at a-domani.nl
Wed Nov 10 14:48:03 CST 2010
On Wed, 2010-11-10 at 08:38 +0100, Olle E. Johansson wrote:
> On 6 Nov 2010 at 15:30, Hans Witvliet wrote:
>
> > Hi all,
> >
> > As stated in the subject, slightly off-topic, as it is not directly a
> > Asterisk issue, but more SIP in general
> >
> > Because security in general, and specifically identification becomes
> > more and more a subject for more concern, and Asterisk is capable of
> > doing sip/TLS, I was wondering what more could be done to improve
> > security.
> >
> > Especially for softphones, might it be possible to employ etokens or
> > smartcards for holding the certificates needed by TLS?
> >
> > Done before?
>
> In the SIP protocol there is support for TLS client certificates, much like in HTTP.
>
> Asterisk doesn't support it. You need to put a SIP proxy like Kamailio in front of Asterisk to get this kind of strong authentication.
>
> /O

Am I that mistaken?

I got the impression** that sip-registration of a phone could be done in
the same way as client-authentication on apache:
On the server-side you got the certificate holding your public key which
is signed by a trusted third party (the CA), while you hold your private
key on a smartcard or token. If you start your browser you are prompted
for your pin-code.

I was just hoping that there would be a softphone that could work the
same way, two-factor authentication.

Hans
**
http://www.remiphilippe.fr/2010/05/30/sips-on-asterisk-sip-security-with-tls/
http://www.sipring.ru/overview/func-asterisk/100-asterisk-tls-transport.html
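
The setup Olle describes in the quoted reply (a Kamailio proxy in front of Asterisk that demands a TLS client certificate), sketched as an added example that is not part of the original thread. It uses the profile format of the Kamailio tls module's tls.cfg; all file paths are placeholders, and a private CA that issues the softphone certificates is an assumption.

```ini
# tls.cfg for the Kamailio tls module (added example; every path is a placeholder)

# Weak profile, shown commented out for comparison: TLS encrypts the
# signalling, but a client can connect without presenting any certificate,
# so the TLS layer does nothing to identify the phone.
#
# [server:default]
# private_key         = /etc/kamailio/tls/proxy-key.pem
# certificate         = /etc/kamailio/tls/proxy-cert.pem
# verify_certificate  = no
# require_certificate = no

# Hardened profile: the proxy identifies itself with its own certificate
# and only completes the handshake with clients whose certificate chains
# to the CA in ca_list.
[server:default]
private_key         = /etc/kamailio/tls/proxy-key.pem
certificate         = /etc/kamailio/tls/proxy-cert.pem

# CA that signs the softphone certificates (assumed: a private CA used
# only for phones, so a certificate from a public CA is not accepted)
ca_list             = /etc/kamailio/tls/phone-ca.pem

# Validate the client certificate against ca_list ...
verify_certificate  = yes
# ... and reject the connection when the client presents none
require_certificate = yes

# Longest chain accepted between the client certificate and the CA
verify_depth        = 2
```

Both verify_certificate and require_certificate must be yes: with only the first, a client that sends no certificate is still let in. Whether the matching private key sits on a smartcard or token is decided on the softphone side and is invisible to this configuration.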