It doesn't seem like the wiki has public registration (makes sense) and I don't think I've seen these things elsewhere. Originally I thought I had to recompile the entire app just to get support, but I just didn't realize override=true existed. While the app is partially to show off your software SDK, I am sure there are some other users who still want simple client auth. Not all of this is Android specific obviously, but as some parts are, I put it here. Technically the client auth part likely should go under: https://wiki.linphone.org/xwiki/wiki/public/view/Linphone/TLS%20client%20authentication/ but for the custom root CA I am not sure where would be best.
Custom SSL/TLS CA Certificates
By default Linphone requires certificates signed by a valid CA (e.g. Let's Encrypt). If you want to use your own CA for convenience (or, say, for client certificate auth), you must change the root_ca file. You can do this without recompiling the app by placing it in the only place the app can read by default (outside its internal files): /storage/emulated/0/Android/data/org.linphone/files. Then you can use a provisioning XML file with <entry overwrite="true" name="root_ca">/storage/emulated/0/Android/data/org.linphone/files/cafile.pem</entry> in the sip section. Note that the overwrite attribute is critical; otherwise it won't accept the change. See client certificate auth below for a more complete example.
Using Client Certificate Auth
Linphone supports robust authentication and encryption with client certificate auth. Doing so without recompiling the app, however, may not be straightforward. There is no UI to configure these variables; they must be set through a provisioning XML file.
First, generate your cafile.pem, client-key.pem and client-cert.pem (filenames don't matter, but we will use those by default).
As the app doesn't request storage permissions by default, we should store them in the one place it can read but no one else can: /storage/emulated/0/Android/data/org.linphone/files. As this location doesn't exist by default, we may have to make it. Here is an example:
adb shell mkdir -p /storage/emulated/0/Android/data/org.linphone/files
adb shell chmod 755 -R /storage/emulated/0/Android/data/org.linphone
adb push .\cafile.pem .\client-key.pem .\client-cert.pem /storage/emulated/0/Android/data/org.linphone/files/
While this does chmod it to 755, Android app permissions do stop other apps from accessing it by default.
Next you need to have your provisioning script specify these locations:
<?xml version="1.0" encoding="UTF-8"?>
<config xmlns="http://www.linphone.org/xsds/lpconfig.xsd" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.linphone.org/xsds/lpconfig.xsd lpconfig.xsd">
  <section name="sip">
    <entry overwrite="true" name="client_cert_chain">/storage/emulated/0/Android/data/org.linphone/files/client-cert.pem</entry>
    <entry overwrite="true" name="client_cert_key">/storage/emulated/0/Android/data/org.linphone/files/client-key.pem</entry>
    <entry overwrite="true" name="root_ca">/storage/emulated/0/Android/data/org.linphone/files/cafile.pem</entry>
    <entry overwrite="true" name="verify_server_certs">1</entry>
    <entry overwrite="true" name="verify_server_cn">1</entry>
    <entry overwrite="true" name="media_encryption">SRTP</entry>
    <entry overwrite="true" name="media_encryption_mandatory">1</entry>
  </section>
</config>
Now, you likely want several other items in your provisioning script to provision the accounts, but this will enable client-side auth with certificate validation. The media_encryption lines are not needed, but if your server supports SRTP you likely want them.
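A pre-deployment check for the provisioning file described above, as an added example that is not part of the original post or of Linphone itself. The function name `lint_provisioning`, the sample documents, and the policy it enforces (every sip entry carries overwrite="true", the three PEM paths stay inside the app's external files directory, both verify_server_* entries are explicitly 1) are assumptions drawn from the steps in the post.

```python
import xml.etree.ElementTree as ET

NS = {"lp": "http://www.linphone.org/xsds/lpconfig.xsd"}
APP_DIR = "/storage/emulated/0/Android/data/org.linphone/files/"
PATH_KEYS = ("client_cert_chain", "client_cert_key", "root_ca")
VERIFY_KEYS = ("verify_server_certs", "verify_server_cn")

def lint_provisioning(xml_text):
    """Return a list of problems found in the sip section (empty list = OK)."""
    root = ET.fromstring(xml_text)
    sip = root.find("lp:section[@name='sip']", NS)
    if sip is None:
        return ["no <section name=\"sip\"> found"]
    problems, seen = [], {}
    for entry in sip.findall("lp:entry", NS):
        name = entry.get("name")
        seen[name] = (entry.text or "").strip()
        # The post notes that without overwrite the change is not accepted.
        if entry.get("overwrite") != "true":
            problems.append(f'{name}: overwrite="true" is missing')
    for key in PATH_KEYS:
        value = seen.get(key)
        if value is None:
            problems.append(f"{key}: not set")
        elif not value.startswith(APP_DIR) or ".." in value:
            problems.append(f"{key}: path is outside {APP_DIR}")
    for key in VERIFY_KEYS:
        # Policy of this example: require the value to be explicitly 1.
        if seen.get(key) != "1":
            problems.append(f"{key}: not set to 1")
    return problems

# Constructed sample input mirroring the provisioning file in the post.
GOOD = f"""<config xmlns="http://www.linphone.org/xsds/lpconfig.xsd">
<section name="sip">
<entry overwrite="true" name="client_cert_chain">{APP_DIR}client-cert.pem</entry>
<entry overwrite="true" name="client_cert_key">{APP_DIR}client-key.pem</entry>
<entry overwrite="true" name="root_ca">{APP_DIR}cafile.pem</entry>
<entry overwrite="true" name="verify_server_certs">1</entry>
<entry overwrite="true" name="verify_server_cn">1</entry>
</section></config>"""

# Constructed broken variant: overwrite dropped on root_ca, validation disabled.
BAD = (GOOD.replace('overwrite="true" name="root_ca"', 'name="root_ca"')
           .replace('verify_server_certs">1', 'verify_server_certs">0'))

if __name__ == "__main__":
    for label, doc in (("GOOD", GOOD), ("BAD", BAD)):
        print(label, lint_provisioning(doc) or "OK")
```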