Hi,

All the structures you presented are valid and will work with openser (openSSL in general).
The internal validation of the exchanged certs against the trusted roots can be of several layers
(i think it is limited in openser's tls implementation, but for sure you can have at least 5 levels).
Just add the CA's public key to the trusted certs file and voila! Note that for option C you don't need
to add the root cert, just the two CA's certs.
See that the UA needs only the cert from its local proxy ... TLS is hop-by-hop, so it doesn't care about
the remote proxy.
The simplest and easiest (if it is for testing purposes i mean) to implement is option A, though if the
domains are separated/independant you most probably want something like option C (each CA
generates certs for its local users, no need to "buy" a cert for each user from a "real"
Certificate Authority, which cost money :D)

By the way ... the self-signed cert ... it will definitely work. That is the main point of open stuff, right?

Regards,

Cesc

On 10/5/05, Alexander Ph. Lintenhofer <lintenhofer@aon.at> wrote:
Hi everybody,

I want to test openser 0.10.x and its TLS capabilities. Therefore I plan
to install two proxies, sip.atlanta.com and sip.biloxi.com . Two users,
alice@atlanta.com and sip.biloxi.com, should communicate over the two
proxies secured by TLS. The UAs are snom360 phones.

-------------------              -----------------
-----------------              -----------------
| alice@atlanta.com |  <-------> | sip.atlanta.com |  <------->  |
sip.biloxi.com |  <------->  | bob@biloxi.com |
-------------------              -----------------
-----------------              -----------------

Mutual authentication should take place between the UAC and the outbound
proxy, the two proxies and between the inbound proxy and the UAS.
The problem is that I am not sure about the organisation of the
certificate's infrastructure. I don't know which would be the best
solution to implement.
So please look at my suggestions and feel free to you make your comments.

1.. user certificate for alice@atlanta.com
2.. server certificate for sip.atlanta.com
3.. server certificate for sip.biloxi.com
4.. user certificate for bob.biloxi.com
The root certificate is self signed (Does this work with openser?)


a.) One common CA (=root) signs all components.

         -----------
        |    CA     |
         -----------
         /  /  \  \
        /  /    \  \
       /   |    |   \
     ---  ---  ---  ---
     |1|  |2|  |3|  |4|
     ---  ---  ---  ---

b.) Tow separate CAs (= each one's root) sign their proxy and UA. Mutual import of the other domains root certificate takes place.

     -----        -----
    |CA A |      |CA B |
     -----        -----
     /   \        /   \
    ---  ---     ---  ---
    |1|  |2|     |3|  |4|
    ---  ---     ---  ---

c.) One common root signs two CAs which sign their proxy and UA.

         -----------
        | root-cert |
         -----------
         /        \
        /          \
     -----        -----
    |CA A |      |CA B |
     -----        -----
     /   \        /   \
    ---  ---     ---  ---
    |1|  |2|     |3|  |4|
    ---  ---     ---  ---


Thank you very much for your help!

regards,
Philipp

_______________________________________________
Users mailing list
Users@openser.org
http://openser.org/cgi-bin/mailman/listinfo/users