Jan Janak wrote:
Klaus,
On Tue, Oct 13, 2009 at 2:19 PM, Klaus Darilion klaus.mailinglists@pernau.at wrote:
[...] Is this still valid - that we only configure tls on IP?
"name based" TLS "domains" were supported in Kamailio core, based on an AVP set in script.
But this only works for newly established connections, right? When a connection is already established (possibly with a different SSL context or when it is initiated from the other side), the code won't change the SSL context. Do I get it right?
Hi Jan!
I can't remember anymore how I implemented it. IIRC, if the "TLS_AVP" was set, the TLS "client" did not try a matching "TLS domain" based on IP:port, but on the string in the AVP.
This could be used for example, to use a certain client certificate and CA-file depending on the called domain, regardless of the destination IP:port.
Yes, this worked only for outgoing connections. For incoming connections, I think the server_name extension can help a bit, but even better would be support for "trusted_ca_keys".
Regarding existing connections - I do not know, I can't remember anymore.
regards klaus