Juha Heinanen wrote:
Klaus Darilion writes:
* validate domains in certifiacte with
requests domain
* If I understand correctly, this part is missing
in current
* implementation
what would that check mean? proxy selects next hop proxy my manual
configuration or by srv lookup on host part of request uri. then proxy
can verify server certificate of the next hop proxy. i don't understand
what domains have to do with this.
server verification:
1. the certificate must be valid (signed by a trusted CA)
2. The certificate should reflect the proxy I'm tryin to reach. When
contacting klaus(a)iptel.org the proxy should not accept a certificate for
foo.bar.com, but for
iptel.org or
sip.iptel.org
Version A:
1. Validate the From: domain in the SIP request against the domain
name in the certificate.
you cannot do this, because domain of certificate has nothing to do with
from domain.
Depends on the certificate. IMO the complete TLS part is crude.
regard
klaus
RFC 3261; 26.3.2.2 Interdomain Requests
[...atlanta calls biloxy...]
The proxy server at
biloxi.com SHOULD inspect the certificate of the
proxy server at
atlanta.com in turn and compare the domain asserted
by the certificate with the "domainname" portion of the From header
field in the INVITE request. The biloxi proxy MAY have a strict
security policy that requires it to reject requests that do not match
the administrative domain from which they have been proxied.