Hi Alexander,<br>
<br>
That is a very good question. <br>
An option you have is to use <br>
tls_verify=1<br>
tls_require_cert=0<br>
This will make ser to request a certificate from the other peer, but if
the peer does not send one the TLS handshake will still succeed.<br>
<br>
This is from the readme file:<br>
=====================================================================<br>
* How does verification work?<br>
Verification is the process by which the authentication data provided<br>
by the peers is checked. This data consists usually of a peer certificate,<br>
plus a chain of trusted certification authorities.<br>
If for whatever reason, either of the peers thinks<br>
that the handshake is not valid, the ssl connection is not established.<br>
The reasons could be many: untrusted server certficate, too-weak algorithm,<br>
invalid client cert, no client authentication, ...<br>
<br>
The "tls_verify" and "tls_require_certificate" are SER-names for the<br>
OpenSSL defined flags SSL_VERIFY_PEER (tls_verify) and<br>
SSL_VERIFY_FAIL_IF_NO_PEER_CERT (tls_require_certificate).<br>
tls_require_certificate is only used if tls_verify=1.<br>
<br>
If we are acting as a server, we always send our server-side certificate<br>
to the client.<br>
- If tls_verify=0, we do not request the client a<br>
client-certificate. This means that the client is not authenticated.<br>
- If tls_verify=1, we (the server) send a client-certificate request to<br>
the client. But the client is free to not provide any. In this case,<br>
tls_require_certificate comes into play:<br>
_ if tls_require_cert=0, the verification process will succedd if<br>
the client does not provide a certificate, or if it provides<br>
one, it verifies correctly against the server's list of<br>
trusted certification authorities.<br>
_ if tls_require_cert=1, the verification process will only succeed<br>
if the client provides a certificate and this verifies correctly<br>
against the server's list of trusted CAs.<br>
<br>
=====================================================================<br>
<br>
Now, another option:<br>
Create two different domains, one for UAs, the other for inter-proxy connection. <br>
This way, on the UA domain you can be more lax in the settings
(tls_verify=1, tls_require_cert=0), whereas in the inter-proxy domain
you can force certs (tls_verify=1, tls_require_cert=1).<br>
<br>
I guess this you probably don't want to do. If you want just one setup,
then you are forced to use the "less secure" setup so that your UAs can
support it.<br>
<br>
Hope it helps,<br>
<br>
Cesc<br>
<br>
<br>
<br>
<br><div><span class="gmail_quote">On 10/8/05, <b class="gmail_sendername">Alexander Ph. Lintenhofer</b> <<a href="mailto:lintenhofer@aon.at">lintenhofer@aon.at</a>> wrote:</span><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
Hi there,<br><br>I have a question concerning TLS in openser:<br><br>By switching tls_require_certificate to "on", the peer is forced to send<br>his certificate for means of mutual authentication.<br><br>My problem is, that the peer may be another proxy server whom I want to
<br>authenticate with its cert - but the peer might also be an user agent.<br>In my situation I use a Snom 360 which has not the possibility to import<br>an own user-certificate (only a CA-cert for verifying server-certs).
<br><br>
-----------
----------<br>---------<br>| snom 360 | <------ TLS -------> | outbound | <----- TLS -----> |<br>inbound |<br> ----------- server sends cert ---------- mutual AUTH<br>---------<br><br><br>But when I activate tls_require_certificate=on in the
openser.cfg of the<br>outbound proxy, the snom360 can't register, because it has no user-cert.<br>On the other hand, when I disable tls_require_certificate, the snom can<br>register, but the security between the proxies is weak.
<br><br>Is there an appropriate solution for this problem ?? Maybe I didn't<br>understand the sample configuration at all....<br><br>Thanks in advance and regards,<br><br>Philipp<br><br><br>_______________________________________________
<br>Users mailing list<br><a href="mailto:Users@openser.org">Users@openser.org</a><br><a href="http://openser.org/cgi-bin/mailman/listinfo/users">http://openser.org/cgi-bin/mailman/listinfo/users</a><br></blockquote></div>
<br>