27 Mar
2006
27 Mar
'06
9:25 a.m.
Joao Pereira wrote:
Hello
You have to download the CA certificate from the CA.
Then during handshake the peer proxy provides the certificate (signed by
the CA). This certificate will be verified using the previously
downloaded CA cert.
regards
klaus
If you want to use TLS to authenticate servers,
then the verifying
server must import the root CA which signed the peer's
certificate.
Ok, but if you call me, where is my server going to download the
certificate that signed your server ? From a central Certification
Authority?
One other thing: does OpenSER supports 1024 bits certificates? or just
512 bits?
Thanks
Joao Pereira
Klaus Darilion wrote:
Joao Pereira wrote:
Hello
I m trying to implement an OpenSER with TLS, and I think the idea is
very good and very well explained in the manual (
http://openser.org/docs/tls.html#AEN50 ).
But can the OpenSER servers negotiate the certificates in real time?
Not sure what you mean. The configuration is static and read once
during startup. Thus, changing the TLS configuration (add CA certs,
...) requires a reboot of openser.
Can this trusting scheme be dynamic?
or every server needs to have a list of
domains?
The list of domains is supposed to be centralized, like a rootCA?
Then all our SIP servers must use the same rootCA?
If you want to use TLS to authenticate servers, then the verifying
server must import the root CA which signed the peer's certificate.
regards
klaus