[Devel] [Users] TLS setup
Bogdan-Andrei Iancu
bogdan at voice-system.ro
Mon Oct 10 20:41:16 CEST 2005
Klaus Darilion wrote:
> Juha Heinanen wrote:
>
>> since tls connection is setup BEFORE any sip requests are sent, i guess
>> the proxy (even if it had one certificate per domain) could not know
>> which server certificate to advertise to the client.
>> on the other hand, when proxy is relaying a request, it does know for
>> which domain it is doing it and thus could use client certificate of
>> that domain.
>>
>> what is the conclusion of this? only generate one server/client
>> certificate for the proxy even if it serves multiple domains?
>
>
> AFAIK it is possible to add domains to the Subject Alternative Field.
> But I'm not sure if this is the intended usage of this field. Another
> problem is that you would have to change the certificate every time a
> domain is added/removed.
>
> Subdomains can be handled using wildcard domains: "*.sipproxy.com"
>
> Another solution would be to use a dedicated port for each domain. Is
> openser capable of using the proper port for sending the request?
if you use force_send_socket() (see
http://openser.org/dokuwiki/doku.php?id=openser_core_cookbook&DokuWiki=81d760b6def892b91385e23113151993#force_send_socket_protoaddress_port)
it should work.
regards,
bogdan
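A defender-side check for the Subject Alternative Name approach Klaus describes, added here as an example and not code from this thread or from OpenSER: given the DNS names carried in a single proxy certificate's SAN extension, it reports which of the domains the proxy serves are not covered (a wildcard entry matches exactly one left-most label, so "*.sipproxy.com" covers neither "sipproxy.com" nor "a.b.sipproxy.com"), which is exactly the set of domains whose addition would force the certificate to be reissued. The SAN list and the served-domain list are constructed sample values.

```python
import re
from typing import Iterable, List

# Constructed sample: the SAN entries one proxy certificate might carry
# after the thread's suggestion (one entry per domain plus a wildcard).
SAMPLE_SAN = ["sipproxy.com", "*.sipproxy.com", "voice-a.example"]

# A single DNS label: letters, digits, inner hyphens only.
_LABEL = re.compile(r"^[a-z0-9](?:[a-z0-9-]*[a-z0-9])?$")


def san_entry_matches(entry: str, domain: str) -> bool:
    """RFC 6125-style DNS-ID match, case-insensitive.

    A wildcard covers exactly one left-most label: '*.sipproxy.com'
    matches 'pbx.sipproxy.com' but not 'sipproxy.com' itself and not
    'a.b.sipproxy.com'.
    """
    entry = entry.lower().rstrip(".")
    domain = domain.lower().rstrip(".")
    if not entry.startswith("*."):
        return entry == domain
    suffix = entry[1:]  # e.g. ".sipproxy.com"
    if not domain.endswith(suffix):
        return False
    first_label = domain[: -len(suffix)]
    return bool(_LABEL.match(first_label))


def uncovered_domains(san: Iterable[str], domains: Iterable[str]) -> List[str]:
    """Served domains that no SAN entry covers.

    A non-empty result means the certificate has to be reissued before
    the proxy can present a valid name for those domains.
    """
    san_entries = list(san)
    return [d for d in domains
            if not any(san_entry_matches(e, d) for e in san_entries)]


if __name__ == "__main__":
    served = ["sipproxy.com", "pbx.sipproxy.com",
              "a.b.sipproxy.com", "newcustomer.example"]
    print(uncovered_domains(SAMPLE_SAN, served))
    # → ['a.b.sipproxy.com', 'newcustomer.example']
```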