  • Generate a Certificate Signing Request

    Creates a new private key and a certificate request.

    • The sip:uri of the authenticated user account must be stored in a subjectAltName DNS entry of the certificate. This can be done at this step or at the signing step, and is configured in the openssl config file.
    • The deprecated way to associate a user's sip:uri with a certificate is to store it in the subject CN: CN=sip:username@domain. It is still supported but not recommended.
    openssl req -new -keyout key.pem -out newreq.pem
  • Sign the client certificate
    Creates the newcert.pem certificate signed by the root certificate. You will need to enter the passphrase of cacert.pem.
    openssl ca -policy policy_anything -out newcert.pem -infiles newreq.pem
    Then extract the private key, without its passphrase, into a new file:
    openssl rsa -in key.pem -out clientkey.pem
  • Or get certificate from KeyChain

          First export the certificate as a PKCS#12 file from the Keychain (please refer to the referenced Keychain instructions).

          Then extract the newcert.pem certificate:

          openssl pkcs12 -in Certificats.p12 -out newcert.pem -clcerts -nokeys

          Finally extract the private key into clientkey.pem:

          openssl pkcs12 -in Certificats.p12 -out clientkey.pem -nocerts -nodes
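          The following script is an added example, not part of the Linphone documentation, that ties the two procedures above together: it issues a client certificate whose subjectAltName DNS entry carries the sip:uri (the openssl extension file that the CSR step refers to), bundles certificate and key into a PKCS#12 file standing in for a Keychain export, extracts them again with the two pkcs12 commands shown above, and verifies that the extracted certificate still carries the sip:uri. The sip:uri, CA name, file names and the import password "demo" are constructed for the demo; the throw-away CA and the use of `openssl x509 -req` instead of `openssl ca` are assumptions made so that the script runs without an existing CA directory layout.

```shell
#!/bin/sh
# Added example (not from the Linphone docs): client certificate with the
# sip:uri in a SAN DNS entry, round-tripped through a PKCS#12 bundle.
# All names, paths and the password "demo" are constructed for this demo.

# Write the OpenSSL extension file carrying the sip:uri as a SAN DNS entry.
# $1 = sip uri, $2 = output file; echoes the line written.
write_san_ext() {
    printf 'subjectAltName=DNS:%s\n' "$1" > "$2"
    cat "$2"
}

# Create a demo CA, a CSR and the signed client certificate in directory $2.
# $1 = sip uri, $2 = working directory
issue_client_cert() {
    dir=$2
    mkdir -p "$dir"
    write_san_ext "$1" "$dir/san.ext" >/dev/null
    # Throw-away CA (assumption: in a real deployment cacert.pem already exists).
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Demo SIP CA" \
        -keyout "$dir/cakey.pem" -out "$dir/cacert.pem" 2>/dev/null
    # CSR: the subject CN stays a plain name, the sip:uri goes into the SAN.
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/CN=demo client" \
        -keyout "$dir/clientkey.pem" -out "$dir/newreq.pem" 2>/dev/null
    # Sign with the demo CA, adding the SAN at the signing step.
    openssl x509 -req -days 1 -in "$dir/newreq.pem" \
        -CA "$dir/cacert.pem" -CAkey "$dir/cakey.pem" -CAcreateserial \
        -extfile "$dir/san.ext" -out "$dir/newcert.pem" 2>/dev/null
}

# Bundle certificate and key into a PKCS#12 file, as a Keychain export would.
# $1 = working directory
export_p12() {
    dir=$1
    openssl pkcs12 -export -in "$dir/newcert.pem" -inkey "$dir/clientkey.pem" \
        -out "$dir/Certificats.p12" -passout pass:demo
}

# The two extraction commands from the page, with the import password supplied.
# $1 = working directory
extract_from_p12() {
    dir=$1
    openssl pkcs12 -in "$dir/Certificats.p12" -out "$dir/extracted-cert.pem" \
        -clcerts -nokeys -passin pass:demo
    openssl pkcs12 -in "$dir/Certificats.p12" -out "$dir/extracted-key.pem" \
        -nocerts -nodes -passin pass:demo
}

# Print the DNS SAN entries of a certificate, one per line.
# $1 = certificate file (PEM)
cert_san_dns() {
    openssl x509 -in "$1" -noout -text | sed -n 's/^ *DNS://p'
}

# Full round trip: issue, bundle, extract, then print the sip:uri found in
# the extracted certificate's SAN.
# $1 = sip uri, $2 = working directory
roundtrip() {
    issue_client_cert "$1" "$2"
    export_p12 "$2"
    extract_from_p12 "$2"
    cert_san_dns "$2/extracted-cert.pem"
}

# Demo run, skipped when openssl is not installed.
if command -v openssl >/dev/null 2>&1; then
    demo_dir=$(mktemp -d)
    echo "SAN of extracted certificate: $(roundtrip sip:alice@sip.example.org "$demo_dir")"
fi
```

          The check at the end is the one worth keeping in any real provisioning script: whichever path produced the certificate, inspect the SAN of the file you are about to hand to Linphone and confirm the sip:uri is present, since a certificate that only carries the sip:uri in its CN relies on the deprecated matching rule.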

  • Linphone configuration
    • LinphoneCoreAuthInfoRequestedCb Callback
      • During the TLS handshake, liblinphone will try to locate the requested user certificate in the authentication info read from the config file. If no certificate is found, the library will invoke the Auth Info Requested callback. This is the recommended method to set the client certificate.
        • register the callback using linphone_core_cbs_set_authentication_requested
        • when the callback is triggered, an auth info holding the username and domain is provided; fill it with one of the following:
          • certificate and key path -> these will be stored in the config file's auth_info_X sections. The callback will not be executed again.
          • certificate and key (PEM format, in string buffers) -> these are stored in memory only; the callback will trigger again when needed.
    • Auth Info in linphonerc
      • store the username, domain, certificate path and signing key path directly in the linphonerc auth_info_XXX section.
    • Legacy method, deprecated and limited to one certificate shared by all user accounts on the client:
      • In linphonerc add the paths to the client certificate and key:
        [sip]
        client_cert_chain=/pathTo/newcert.pem
        client_cert_key=/pathTo/clientkey.pem