Introduction
OpenIMSCore offers encrypted communication via TLS. TLS is enabled by configuring the P-CSCF, which provides the encrypted (TLS) connection over the Gm interface. The P-CSCF must present a valid certificate; the TLS user endpoint does not need to have a valid certificate.
The Transport Layer Security (TLS) protocol provides means of securing communication on the Internet. TLS provides endpoint authentication and confidentiality of the communication over the Internet by means of encryption.
Installing OpenSSL
apt-get install openssl
apt-get install liblwt-ssl-ocaml-dev
Rebuilding ser_ims
cd /usr/src/openimscore    # source directory
make all include_modules=tls
The file tls.so should now be present in /usr/src/openimscore/modules/tls. The path to this file must be set in /etc/openimscore/pcscf.cfg, for example by creating a symbolic link to it at /usr/lib/ser/modules/tls.so.
# link the built module to the path that pcscf.cfg refers to
ln -s /usr/src/openimscore/modules/tls/tls.so /usr/lib/ser/modules/tls.so
In /etc/openimscore/pcscf.cfg, uncomment the following lines, marked with the comment #Uncomment here to enable TLS, and comment out those marked with #Comment here to enable TLS.
# Uncomment here to enable TLS
listen=tls:127.0.0.1
tls_port_no=4061
enable_tls=yes
...
# Comment here to enable TLS!
#modparam("pcscf","use_tls",0)
...
# Uncomment here to enable TLS!
modparam("pcscf","use_tls",1)
modparam("pcscf","tls_port",4061)
...
# Uncomment here to enable TLS
loadmodule "/usr/lib/ser/modules/tls.so"    # path to the module (1)
modparam("tls", "tls_method", "TLSv1")
modparam("tls", "private_key", "/opt/OpenIMSCore/PCSCF_CA2/pcscf_private_key.pem")
modparam("tls", "certificate", "/opt/OpenIMSCore/PCSCF_CA2/pcscf_cert.pem")
modparam("tls", "ca_list", "/opt/OpenIMSCore/PCSCF_CA2/pcscf_ca_list.pem")
modparam("tls", "verify_certificate", 1)
modparam("tls", "require_certificate", 0)
modparam("tls","tls_disable_compression", 1)
Creating certificates
Your own certificates can be generated with the script found in the source directory, in my case /usr/src/openimscore/cfg/tls_prepare.sh. Editing the script's DIR variable changes the directory into which the certificates are generated.
DIR="/opt/OpenIMSCore"
DIR_NAME="PCSCF_CA2"
cd $DIR
echo Creating CA certificate
echo -----------------------
echo 1. create CA dir
mkdir $DIR_NAME
cd $DIR_NAME
...
After running the script, we fill in a few details. The important one is:
Common Name (eg, YOUR name) []: pcscf.operator-d.local
Creating CA certificate
-----------------------
1. create CA dir
2. create ca dir structure and files (see ca(1))
2. create CA private key
Generating RSA private key, 2048 bit long modulus
.................................+++
.......................+++
e is 65537 (0x10001)
3. create CA self-signed certificate
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:SK
State or Province Name (full name) [Some-State]:Zilina
Locality Name (eg, city) []:Zilina
Organization Name (eg, company) [Internet Widgits Pty Ltd]:University of Zilina
Organizational Unit Name (eg, section) []:Katedra
Common Name (eg, YOUR name) []:pcscf.operator-d.local
Email Address []:medvedik@gmail.com
Creating a server/client certificate
------------------------------------
1. create a certificate request (and its private key in privkey.pem)
WARNING: the organization name should be the same as in the ca certificate.
Generating a 1024 bit RSA private key
.....++++++
..............++++++
writing new private key to 'privkey.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:SK
State or Province Name (full name) [Some-State]:Zilina
Locality Name (eg, city) []:Zilina
Organization Name (eg, company) [Internet Widgits Pty Ltd]:University of Zilina
Organizational Unit Name (eg, section) []:Katedra
Common Name (eg, YOUR name) []:pcscf.operator-d.local
Email Address []:medvedik@gmail.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:medvedik
An optional company name []:pcscf.operator-d.local
2. sign it with the ca certificate
Using configuration from /usr/lib/ssl/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: May 13 09:58:15 2011 GMT
            Not After : May 12 09:58:15 2012 GMT
        Subject:
            countryName               = SK
            stateOrProvinceName       = Zilina
            organizationName          = University of Zilina
            organizationalUnitName    = Katedra
            commonName                = pcscf.operator-d.local
            emailAddress              = medvedik@gmail.com
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                46:57:52:AE:0B:1C:85:8D:05:D2:E2:5D:DB:C9:BD:42:FD:46:D1:AB
            X509v3 Authority Key Identifier:
                keyid:A1:FE:E4:B6:43:48:FF:6C:4B:EB:D3:2B:CF:0E:E7:9E:73:09:09:3C

Certificate is to be certified until May 12 09:58:15 2012 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Setting ser to use the certificate
----------------------------------
1. create the ca list file: for each of your ca certificates that you intend to use do:
Setting the certificate paths
Edit /etc/openimscore/pcscf.cfg to set the paths to the files generated by the tls_prepare.sh script:
modparam("tls", "tls_method", "TLSv1")
modparam("tls","private_key", "/opt/OpenIMSCore/PCSCF_CA/pcscf_private_key.pem")
modparam("tls","certificate", "/opt/OpenIMSCore/PCSCF_CA/pcscf_cert.pem")
modparam("tls", "ca_list","/opt/OpenIMSCore/PCSCF_CA/pcscf_ca_list.pem")
modparam("tls", "verify_certificate", 1)
modparam("tls", "require_certificate", 0)
modparam("tls","tls_disable_compression", 1)
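The checker below is an added example, not code from the original page or from OpenIMSCore: it parses the TLS-related pcscf.cfg lines used in the two configuration sections above (the listen, tls_port_no and enable_tls globals, the pcscf and tls modparams, and the loadmodule line) and reports the inconsistencies an operator runs into, such as a tls listen socket left on 127.0.0.1, a pcscf tls_port that differs from tls_port_no, a missing key/certificate/CA path, or a modparam line with an unbalanced quote. The sample configuration is constructed from this page's own lines; the regexes and check names are this example's own, not ser's parser.

```python
import re
# Constructed sample: the TLS-related lines of pcscf.cfg as shown on this page,
# with the tls listen socket still bound to loopback.
SAMPLE_CFG = """\
listen=tls:127.0.0.1
tls_port_no=4061
enable_tls=yes
modparam("pcscf","use_tls",1)
modparam("pcscf","tls_port",4061)
loadmodule "/usr/lib/ser/modules/tls.so"   # path to the module
modparam("tls", "private_key", "/opt/OpenIMSCore/PCSCF_CA2/pcscf_private_key.pem")
modparam("tls", "certificate", "/opt/OpenIMSCore/PCSCF_CA2/pcscf_cert.pem")
modparam("tls", "ca_list", "/opt/OpenIMSCore/PCSCF_CA2/pcscf_ca_list.pem")
"""
# modparam("module", "name", "string") or modparam("module", "name", 123)
MODPARAM_RE = re.compile(r'^modparam\(\s*"(\w+)"\s*,\s*"(\w+)"\s*,\s*(?:"([^"]*)"|(\d+))\s*\)$')
GLOBAL_RE = re.compile(r'^(listen|tls_port_no|enable_tls)\s*=\s*(\S+)$')

def parse_cfg(text):
    """Return (globals, modparams, loaded modules, parse errors) for ser-style config text."""
    globs, params, modules, errors = {}, {}, [], []
    for n, line in enumerate(text.splitlines(), 1):
        s = line.split("#", 1)[0].strip()      # drops comments and commented-out lines
        if s.startswith("loadmodule"):
            modules.append(s.split(None, 1)[1].strip().strip('"'))
        elif (m := MODPARAM_RE.match(s)):
            params[(m[1], m[2])] = m[3] if m[3] is not None else int(m[4])
        elif (m := GLOBAL_RE.match(s)):
            globs[m[1]] = m[2]
        elif s.startswith("modparam"):
            errors.append(f"line {n}: malformed modparam (unbalanced quote?)")
    return globs, params, modules, errors

def check_tls(text):
    """List TLS configuration problems; an empty list means the settings are consistent."""
    globs, params, modules, findings = parse_cfg(text)
    listen = globs.get("listen", "")
    if not listen.startswith("tls:") or listen[4:] in ("127.0.0.1", "localhost"):
        findings.append("tls listen socket missing or bound to loopback: UEs cannot reach it over Gm")
    if globs.get("enable_tls") != "yes" or params.get(("pcscf", "use_tls")) != 1:
        findings.append("enable_tls and pcscf use_tls must both be on")
    if str(params.get(("pcscf", "tls_port"))) != globs.get("tls_port_no"):
        findings.append("pcscf tls_port differs from tls_port_no")
    if not any(m.endswith("tls.so") for m in modules):
        findings.append("tls module not loaded")
    for key in ("private_key", "certificate", "ca_list"):
        if not params.get(("tls", key)):
            findings.append(f"tls {key} not set")
    return findings
```

Running check_tls on the sample reports only the loopback listen address; changing listen to the host's Gm address, as in the startup log further down, yields an empty list.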
Restarting the pcscf server
Log output when pcscf was started with TLS:
#
# Launch pcscf - Thu May 12 16:36:08 CEST 2011
#
Listening on
             udp: 158.193.139.95 [158.193.139.95]:4060
             tcp: 158.193.139.95 [158.193.139.95]:4060
             tls: 158.193.139.95 [158.193.139.95]:4061
Aliases:
             *: pcscf.operator-d.local:4060
Conclusion
After completing all the configuration steps, we were unable to test TLS in OpenIMSCore, because the IMS client (Boghe_1.0.58.550) in the version we worked with did not have TLS support implemented. TLS support for this client is planned for the next release.