Alejandro Vazquez <avazquez....@gmail.com> writes:

> On Wed, 7 Aug 2024 at 13:49, Greg Troxel (<g...@lexort.com>) wrote:
>>
>> Alejandro Vazquez <avazquez....@gmail.com> writes:
>>
>> > I am using the latest release of Linphone for desktop on Linux and
>> > have a question regarding the use of TLS for making direct calls
>> > within the same LAN network. I’ve successfully tested UDP and TCP
>> > transport protocols, but I’m encountering issues with TLS.
>> >
>> > To perform the test, I open the Linphone application, and in the
>> > search box, I specify the address and protocol as follows:
>> > sip:sip@192.168.0.155;transport=[tls|tcp|udp].
>> >
>> > Is it possible to use TLS for direct calls on a LAN network with
>> > Linphone? If so, are there specific configurations or considerations I
>> > should be aware of to get TLS working correctly in this environment?
>>
>> You left out the part where you described
>>
>>   - the certificates you have for each computer
>>     - whether they are valid under normal pkix validation rules
>>     - if not, how you configured custom trust anchors
>>   - how you are installing certificates and keys for linphone to use
>>   - how you configured linphone to listen on tls/5061
>>
>>   - what kind of certificate and key management doctrine allows users to
>>     have access to system certificates
>
> The reason I omitted those details is because I was not aware of them.
> My initial question arose precisely because I couldn't find clear
> information on whether it was possible to make direct calls using TLS
> in Linphone within a LAN network.

I suspect that's because as a client, linphone doesn't care if the call
is direct or not.  It's going to take the name, resolve it, connect, and
the TLS library is going to do standard validation.

As a server, if the documentation doesn't explain how to configure a
server certificate for the client, it's probably because it doesn't
support that.

> I would like to continue exploring the topic of direct calls using
> TLS. Could you please indicate if there is documentation available on
> this subject?

I am not aware of any.

You are likely doing something new, and really understanding TLS,
including certificates and PKIX validation rules, is in my view necessary
background.

https://www.rfc-editor.org/rfc/rfc5280

But before you worry about linphone, I would suggest setting up each
computer with a webserver configured for TLS, with a certificate, and be
able to view those pages *without clicking through security warnings*
from the other computers.  You will find that you need to decide on what
name will be used, how to get certificates issued for that name, and
whether those certificates are pkix-valid, or whether you used a
private CA.  And if so, how to configure that private CA as a trust
anchor.

After you do that, your remaining steps are:

  - Read the linphone sources and see if there is TLS server support.
    If not, add it.

  - If you used a private CA, read the linphone sources to understand
    how certificate validation is done.  Specifically if it respects
    system trust anchor configuration.  Perhaps extend it to enable
    private CAs.

If what I wrote doesn't make sense (as opposed to you being pretty sure
I made an error, which is possible), then you'll need to learn TLS
first.  That's not about linphone.

_______________________________________________
Linphone-users mailing list
Linphone-users@nongnu.org
https://lists.nongnu.org/mailman/listinfo/linphone-users
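
The private-CA exercise suggested in the message above, as an added example that is not part of the original thread and is not linphone code: it creates a private CA, issues a server certificate for the LAN address from the thread, and runs the PKIX checks a TLS client would run. It assumes the `openssl` command-line tool is installed and that peers dial the host by IP address (hence an IP subjectAltName); the file names, the CA name and the scratch directory are constructed for illustration.

```shell
#!/bin/sh
# Constructed example: private CA + server certificate for one LAN host.
LAN_IP=192.168.0.155            # address used in the thread
WORK=$(mktemp -d)               # scratch directory (assumption)
trap 'rm -rf "$WORK"' EXIT      # do not leave private keys behind

make_ca() {   # self-signed CA certificate = the private trust anchor
  cat > "$WORK/ca.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
x509_extensions = v3_ca
[dn]
CN = Constructed LAN CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config "$WORK/ca.cnf" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
}

issue_server_cert() {   # $1 = IP address the other peers will connect to
  printf 'subjectAltName=IP:%s\nbasicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\n' \
    "$1" > "$WORK/ext.cnf"
  openssl req -new -newkey rsa:2048 -nodes -config "$WORK/ca.cnf" -subj "/CN=$1" \
    -keyout "$WORK/srv.key" -out "$WORK/srv.csr" 2>/dev/null &&
  openssl x509 -req -in "$WORK/srv.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 30 -extfile "$WORK/ext.cnf" -out "$WORK/srv.pem" 2>/dev/null
}

# $1 = IP the client dials; $2 = "trusted" if the private CA is a trust anchor,
# anything else to validate against the system default store only.
validate() {
  if [ "$2" = trusted ]; then
    openssl verify -CAfile "$WORK/ca.pem" -verify_ip "$1" "$WORK/srv.pem" >/dev/null 2>&1
  else
    openssl verify -verify_ip "$1" "$WORK/srv.pem" >/dev/null 2>&1
  fi
}

make_ca && issue_server_cert "$LAN_IP"
validate "$LAN_IP" trusted && echo "private CA trusted, IP matches: accepted"
validate "$LAN_IP" default || echo "private CA not configured: rejected"
validate 192.168.0.156 trusted || echo "certificate does not cover this IP: rejected"
```

The `default` case models a peer that has not installed `ca.pem` as a trust anchor, which is the situation that produces the security warnings the message says to eliminate before looking at linphone.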
