Juha Heinanen wrote:
Klaus Darilion writes:
validate domains in certifiacte with requests domain
- If I understand correctly, this part is missing in current
- implementation
what would that check mean? proxy selects next hop proxy my manual configuration or by srv lookup on host part of request uri. then proxy can verify server certificate of the next hop proxy. i don't understand what domains have to do with this.
server verification: 1. the certificate must be valid (signed by a trusted CA) 2. The certificate should reflect the proxy I'm tryin to reach. When contacting klaus@iptel.org the proxy should not accept a certificate for foo.bar.com, but for iptel.org or sip.iptel.org
Version A:
- Validate the From: domain in the SIP request against the domain
name in the certificate.
you cannot do this, because domain of certificate has nothing to do with from domain.
Depends on the certificate. IMO the complete TLS part is crude.
regard klaus
RFC 3261; 26.3.2.2 Interdomain Requests [...atlanta calls biloxy...] The proxy server at biloxi.com SHOULD inspect the certificate of the proxy server at atlanta.com in turn and compare the domain asserted by the certificate with the "domainname" portion of the From header field in the INVITE request. The biloxi proxy MAY have a strict security policy that requires it to reject requests that do not match the administrative domain from which they have been proxied.