Greger V. Teigre writes:
I haven't read the RFC you are referring to, but in a proxy-proxy scenario, do you really validate against a URI? Shouldn't you validate the server and not the actual requests (if the proxy is relaying on behalf of others)? Also, whether you want to accept a request to another domain is not really at the TLS level, is it?
I'm not a TLS expert either, but I have been wondering whether a proxy serving multiple domains would need to have a client/server certificate for each. I hope not.
In Klaus' example, an SRV query on _sips._tcp.example.com. could return a server name in the domain foo.com. In a proxy-to-proxy scenario, it should suffice that both proxies have certificates for the proxy hosts themselves; they don't need to have anything to do with the domains in the URIs of the SIP requests.
-- juha
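The two ways of picking the identity to check that this exchange contrasts, as an added example that is not code from the thread or from any SIP implementation: policy "host" matches the presented certificate against the host the SRV answer pointed at (the proxy host itself), policy "domain" matches it against the domain the request was for (the base of the SRV lookup). The SRV tables and the subjectAltName lists are constructed for illustration and nothing is resolved or fetched; the SAN shapes ("DNS", host) and ("URI", "sip:domain") are assumptions of this example. The second, spoofed SRV table shows what each policy does when an attacker who can forge the unsigned SRV answer steers the client to a host for which he holds a perfectly valid certificate.

```python
"""Added example: which identity a SIP-over-TLS client checks after an
SRV lookup.  All DNS data and certificate contents below are constructed
for illustration; nothing touches the network."""

# Constructed SRV data, RR tuples are (priority, weight, port, target).
# The lookup for example.com points at a host in foo.com, as in the
# scenario discussed above.
SRV_RECORDS = {
    "_sips._tcp.example.com.": [(0, 0, 5061, "proxy1.foo.com.")],
}

# Constructed answer from an attacker who can forge the SRV reply and
# points the client at a host he controls.
SPOOFED_SRV_RECORDS = {
    "_sips._tcp.example.com.": [(0, 0, 5061, "mitm.attacker.test.")],
}

# Constructed subjectAltName lists, modelled as (type, value) pairs.
# Assumed shapes: ("DNS", "host") and ("URI", "sip:domain").
CERT_PROXY1 = [("DNS", "proxy1.foo.com")]                       # cert for the proxy host only
CERT_PROXY1_SERVING_EXAMPLE = [("DNS", "proxy1.foo.com"),
                               ("URI", "sip:example.com")]      # host cert that also names the SIP domain
CERT_ATTACKER = [("DNS", "mitm.attacker.test")]                 # valid cert for the attacker's own host


def _norm(name):
    """Canonical form for comparison: strip the trailing dot, lower-case."""
    return name.rstrip(".").lower()


def lookup_sips_target(domain, table):
    """Return (host, port) of the lowest-priority SRV target for domain, or None."""
    rrs = table.get("_sips._tcp." + _norm(domain) + ".")
    if not rrs:
        return None
    _prio, _weight, port, target = min(rrs)
    return _norm(target), port


def cert_names(san):
    """Identities a certificate asserts: DNS names plus the domain part of sip: URI SANs."""
    names = set()
    for typ, value in san:
        if typ == "DNS":
            names.add(_norm(value))
        elif typ == "URI" and value.lower().startswith("sip:"):
            names.add(_norm(value[len("sip:"):]))
    return names


def matches_host(san, host):
    """Policy "host": the certificate must name the host the SRV answer returned."""
    return _norm(host) in cert_names(san)


def matches_sip_domain(san, domain):
    """Policy "domain": the certificate must name the domain the request is for,
    i.e. the base of the SRV lookup, whatever host DNS pointed at."""
    return _norm(domain) in cert_names(san)


def connect_outcome(domain, srv_table, presented_san, policy):
    """Simulate the client's decision: resolve the SRV target, then apply one policy
    to the certificate the peer presented.  Returns True if the TLS peer is accepted."""
    target = lookup_sips_target(domain, srv_table)
    if target is None:
        return False
    host, _port = target
    if policy == "host":
        return matches_host(presented_san, host)
    if policy == "domain":
        return matches_sip_domain(presented_san, domain)
    raise ValueError("unknown policy: %r" % policy)


if __name__ == "__main__":
    for label, table, san in [
        ("honest SRV, cert for proxy host only", SRV_RECORDS, CERT_PROXY1),
        ("honest SRV, cert naming the SIP domain too", SRV_RECORDS, CERT_PROXY1_SERVING_EXAMPLE),
        ("spoofed SRV, attacker's own valid cert", SPOOFED_SRV_RECORDS, CERT_ATTACKER),
    ]:
        for policy in ("host", "domain"):
            print("%-45s policy=%-6s accepted=%s"
                  % (label, policy, connect_outcome("example.com", table, san, policy)))
```

Under the "host" policy a certificate for proxy1.foo.com is enough, exactly as proposed above, but the forged SRV answer is also accepted because the attacker's certificate is valid for the host he redirected the client to. Under the "domain" policy the forged answer is rejected, at the cost that the proxy's certificate has to name every SIP domain it serves.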