On 11-10-2005 15:46, Klaus Darilion wrote:
Jan Janak wrote:
On 11-10-2005 14:55, Klaus Darilion wrote:
Hi all!
I want to differentiate between _incoming_ SIP requests from trusted peers and from untrusted ones (for different call routing). I came to the following solutions. All of them have some disadvantages, and I would like to know which you would prefer:
- src_ip: incoming requests are authenticated using the src_ip (only in TCP mode useful)
  +: easy to implement
  +: easy to differentiate authenticated from unauthenticated incoming calls
  -: lots of configuration (IP addresses may change, )
  This can be implemented using if src_ip==... blocks in openser.cfg, which would require changing the script every time the IP addresses are changed. Also requires restart of the proxy.
You can also use trusted table and permission module.
Right! I think this should be documented somewhere :-)
Maybe we can adopt this function to verify the domain of the client certificate?
Client certificate? Why? Make sure that the client certificate is created by a trusted CA (which is known to SER) and once a request arrives over TLS then you know that the certificate was valid (provided that you enable client certificate verification).
Jan.
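
The two approaches from this thread side by side, as an added example that is not part of the original messages: the hard-coded src_ip test from the first message (commented out) and the trusted-table lookup via allow_trusted() from the permissions module. The module paths, database URL, peer addresses, flag number and route numbers are assumptions made for illustration.

```cfg
# Added example (not from the thread). Paths, DB URL, addresses and
# flag/route numbers below are constructed placeholders.
loadmodule "/usr/lib/openser/modules/mysql.so"
loadmodule "/usr/lib/openser/modules/permissions.so"

modparam("permissions", "db_url", "mysql://openser:PASSWORD@localhost/openser")
# db_mode 1: cache the trusted table in memory; the module's
# trusted_reload management command re-reads it without a restart.
modparam("permissions", "db_mode", 1)

# Constructed sample row in the trusted table:
#   src_ip = 192.0.2.10, proto = tcp, from_pattern = ^sip:.*@peer\.example\.net$

route {
    # Variant 1 (first message): peers hard-coded in the script.
    # Every address change means editing openser.cfg and restarting.
    # if (src_ip == 192.0.2.10 || src_ip == 192.0.2.11) {
    #     setflag(1);
    # }

    # Variant 2 (reply): allow_trusted() matches the request's source
    # address and transport against the trusted table and the From URI
    # against that row's from_pattern.
    if (allow_trusted()) {
        setflag(1);          # flag 1 = "arrived from a trusted peer"
    }

    if (isflagset(1)) {
        route(1);            # call routing for trusted peers
    } else {
        route(2);            # call routing for everyone else
    }
}

route[1] {
    t_relay();               # placeholder: trusted-peer routing logic goes here
}

route[2] {
    sl_send_reply("403", "Forbidden");   # placeholder: untrusted handling
}
```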