Hi,<br>
<br>
All the structures you presented are valid and will work with openser (openSSL in general). <br>
The internal validation of the exchanged certs against the trusted roots can be of several layers<br>
(I think it is limited in openser's TLS implementation, but for sure you can have at least 5 levels).<br>
Just add the CA's public key to the trusted certs file and voila! Note that for option C you don't need<br>
to add the root cert, just the two CA's certs. <br>
See that the UA needs only the cert from its local proxy ... TLS is hop-by-hop, so it doesn't care about<br>
the remote proxy.<br>
The simplest and easiest (if it is for testing purposes I mean) to implement is option A, though if the<br>
domains are separated/independent you most probably want something like option C (each CA <br>
generates certs for its local users, no need to "buy" a cert for each user from a "real" <br>
Certificate Authority, which costs money :D) <br><br>
By the way ... the self-signed cert ... it will definitely work. That is the main point of open stuff, right?<br>
<br>
Regards,<br>
<br>
Cesc<br>
<br><div><span class="gmail_quote">On 10/5/05, <b class="gmail_sendername">Alexander Ph. Lintenhofer</b> <<a href="mailto:lintenhofer@aon.at">lintenhofer@aon.at</a>> wrote:</span><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
Hi everybody,<br><br>I want to test openser 0.10.x and its TLS capabilities. Therefore I plan<br>to install two proxies, <a href="http://sip.atlanta.com">sip.atlanta.com</a> and <a href="http://sip.biloxi.com">sip.biloxi.com</a>. Two users,<br><a href="mailto:alice@atlanta.com">alice@atlanta.com</a> and <a href="http://sip.biloxi.com">sip.biloxi.com</a>, should communicate over the two<br>proxies secured by TLS. The UAs are snom360 phones.<br>
<br><pre>
 -------------------             -----------------             ----------------             ----------------
| <a href="mailto:alice@atlanta.com">alice@atlanta.com</a> | &lt;-------&gt; | <a href="http://sip.atlanta.com">sip.atlanta.com</a> | &lt;-------&gt; | <a href="http://sip.biloxi.com">sip.biloxi.com</a> | &lt;-------&gt; | <a href="mailto:bob@biloxi.com">bob@biloxi.com</a> |
 -------------------             -----------------             ----------------             ----------------
</pre><br>Mutual authentication should take place between the UAC and the outbound<br>proxy, the two proxies and between the inbound proxy and the UAS.<br>The problem is that I am not sure about the organisation of the<br>certificate's infrastructure. I don't know which would be the best<br>solution to implement.<br>So please look at my suggestions and feel free to make your comments.<br><br>1. user certificate for <a href="mailto:alice@atlanta.com">alice@atlanta.com</a><br>2. server certificate for <a href="http://sip.atlanta.com">sip.atlanta.com</a><br>3. server certificate for <a href="http://sip.biloxi.com">sip.biloxi.com</a><br>4. user certificate for <a href="http://bob.biloxi.com">bob.biloxi.com</a><br>The root certificate is self-signed (Does this work with openser?)<br><br><br>a.) One common CA (=root) signs all components.<br><br><pre>
        ------
        | CA |
        ------
       / /  \ \
     /  /    \  \
   /    |    |    \
  ---  ---  ---  ---
  |1|  |2|  |3|  |4|
  ---  ---  ---  ---
</pre><br>b.) Two separate CAs (= each one's root) sign their proxy and UA. Mutual import of the other domain's root certificate takes place.<br><br><pre>
         --------   --------
         | CA A |   | CA B |
         --------   --------
          /    \     /    \
         ---  ---   ---  ---
         |1|  |2|   |3|  |4|
         ---  ---   ---  ---
</pre><br>c.) One common root signs two CAs which sign their proxy and UA.<br><br><pre>
            -------------
            | root-cert |
            -------------
              /       \
             /         \
         --------   --------
         | CA A |   | CA B |
         --------   --------
          /    \     /    \
         ---  ---   ---  ---
         |1|  |2|   |3|  |4|
         ---  ---   ---  ---
</pre><br><br>Thank you very much for your help!<br><br>regards,<br>Philipp<br><br>_______________________________________________<br>Users mailing list<br><a href="mailto:Users@openser.org">Users@openser.org</a><br><a href="http://openser.org/cgi-bin/mailman/listinfo/users">
http://openser.org/cgi-bin/mailman/listinfo/users</a><br></blockquote></div><br>
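As an added example that is not part of either message, the following shell script builds option C from the drawing above with the openssl CLI (the names are the ones in Philipp's drawing; the working directory, file names and extension files are assumptions) and then checks which trusted-certs file lets one domain verify the other domain's proxy certificate. It also covers the check a practitioner wants before relying on "just the two CA's certs": OpenSSL's default chain building accepts only a self-signed certificate as the top of the chain, so a trust file holding CA A and CA B but not root-cert verifies only when partial chains are enabled (-partial_chain, OpenSSL 1.0.2 or later).

```shell
# Added example, not code from the thread: build Philipp's option C with the openssl CLI
# (self-signed root-cert -> CA A / CA B -> certs 1..4) and check which trusted-certs
# file lets a peer's certificate verify. Assumes OpenSSL 1.0.2+ (for -partial_chain).
set -e
PKI_DIR=${TMPDIR:-/tmp}/optionC-pki
# Issue a certificate from a CSR with the named issuer's key; EXT is a file of v3 extensions.
sign() { # issuer csr out ext
  openssl x509 -req -in "$2" -CA "$1.crt" -CAkey "$1.key" -CAcreateserial \
    -out "$3" -days 365 -sha256 -extfile "$4" >/dev/null 2>&1
}
# Build the whole hierarchy inside DIR (runs in a subshell so the cd does not leak).
build_option_c_pki() (
  mkdir -p "$1" && cd "$1"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' >ca.ext
  printf 'basicConstraints=CA:FALSE\nkeyUsage=critical,digitalSignature,keyEncipherment\n' >leaf.ext
  # root-cert: self-signed, the one certificate nobody else vouches for
  openssl req -new -newkey rsa:2048 -nodes -keyout root.key -out root.csr -subj "/CN=root-cert" >/dev/null 2>&1
  openssl x509 -req -in root.csr -signkey root.key -out root.crt -days 365 -sha256 -extfile ca.ext >/dev/null 2>&1
  # CA A and CA B: intermediate CAs signed by the root, one per domain
  for ca in A B; do
    openssl req -new -newkey rsa:2048 -nodes -keyout "ca$ca.key" -out "ca$ca.csr" -subj "/CN=CA $ca" >/dev/null 2>&1
    sign root "ca$ca.csr" "ca$ca.crt" ca.ext
  done
  # 1..4: user and proxy certs, each issued by its own domain's CA
  for pair in alice@atlanta.com:A sip.atlanta.com:A sip.biloxi.com:B bob@biloxi.com:B; do
    name=${pair%:*}; ca=${pair#*:}
    openssl req -new -newkey rsa:2048 -nodes -keyout "$name.key" -out "$name.csr" -subj "/CN=$name" >/dev/null 2>&1
    sign "ca$ca" "$name.csr" "$name.crt" leaf.ext
  done
  cat caA.crt caB.crt >both-cas.pem   # "just the two CA's certs", without the root
)
# Verify LEAF as a TLS peer would: TRUSTED is the trusted-certs file, CHAIN the intermediate
# the peer presents alongside its own cert. Returns 0 when the chain verifies, 1 otherwise.
verify_peer() { # dir trusted chain leaf [extra openssl verify flags]
  dir=$1; trusted=$2; chain=$3; leaf=$4; shift 4
  if (cd "$dir" && openssl verify "$@" -CAfile "$trusted" -untrusted "$chain" "$leaf" >/dev/null 2>&1); then
    echo "ok:   $leaf verifies against $trusted $*"
  else
    echo "FAIL: $leaf does not verify against $trusted $*"; return 1
  fi
}
build_option_c_pki "$PKI_DIR"
# Trusting root-cert: the other domain's proxy verifies as long as it sends its CA cert along.
verify_peer "$PKI_DIR" root.crt caB.crt sip.biloxi.com.crt
# Trusting only the two CA certs: OpenSSL's default chain building wants a self-signed anchor,
# so this fails unless a trusted non-root may end the chain (-partial_chain).
verify_peer "$PKI_DIR" both-cas.pem caB.crt sip.biloxi.com.crt || true
verify_peer "$PKI_DIR" both-cas.pem caB.crt sip.biloxi.com.crt -partial_chain
# Trusting only your own CA (option B without the mutual import): the other domain fails.
verify_peer "$PKI_DIR" caA.crt caB.crt sip.biloxi.com.crt || true
```

The same verify_peer calls, run with a UA's certificate and CA A, show that the phone only ever needs to reach its local proxy's chain, as Cesc notes for hop-by-hop TLS.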