Hi everybody,
finally the TLS proxy is up and running - just as a reminder of what this was about -> http://www.openser.org/pipermail/users/2005-September/000953.html
The configuration is quite a simple one - it accepts exclusively requests over TLS and relays based on the RURI (keeping the TLS protocol).
server info: openser.org port 5061 - SRV record is also present.
The idea is to interconnect several domains via this TLS relay. If one of the interconnected servers has to deliver a request to another domain via TLS, it just has to relay it to the TLS proxy. Note that the proxy denies any local requests.
How to do the redirect from your script? Before doing t_relay(), you may add something like:

    if ( uri=~".*@domain1.com" || uri=~".*@domain2.com" ) {
        avp_write("sip:openser.org;transport=tls", "i:11");
        avp_pushto("$duri", "i:11");
    };

Via DST_URI, the TLS protocol will be forced without affecting the RURI.
Normally this logic should be totally transparent via NAPTR lookup, but we do not have it in OpenSER yet.
Now, about the TLS part. The TLS proxy has both tls_verify and tls_require_certificate enabled. For certificates there are two ways: 1) generate your own root CA and certificate and send me the CA certificate to be added to the proxy (tools are available in CVS under tls/tools); 2) ask and I will provide a certificate signed with the proxy root CA.
TLS configuration on your side:

    tls_certificate="path/cert.pem"
    tls_private_key="path/privkey.pem"
    tls_ca_list="path/calist.pem"
    tls_verify=on
    tls_require_certificate=on
    listen=tls:xxx.xxx.xxx.xxx
    tls_port_no=5061
For any other additional hints about TLS, please see the tutorial http://www.openser.org/docs/tls
People interested in interconnection, please join (just let me know which way you prefer for certificates). First domain connected to the proxy is siphub.net - it's a local platform we are using.
regards, bogdan
PS: if there are people interested in testing SIP UAs with TLS, let me know and I can add registrar support. Also, if somebody has ideas how to enhance the proxy config, feel free....
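An added example, not Bogdan's configuration and not a file from the OpenSER tree: a minimal openser.cfg for a domain that joins the relay, assembled from the TLS settings and the redirect snippet quoted in the post above. The module paths, the listen addresses (RFC 5737 documentation range), the extra UDP listener, the TLS-only check on incoming requests and the placeholder handling of the local domain are assumptions for illustration; the AVP id "i:11", the domain names and the proxy address are the ones from the post.

```cfg
# openser.cfg for an interconnected domain (added example, assumptions marked)

debug=3
fork=yes
log_stderror=no

# --- TLS settings exactly as given in the post; paths and address assumed ---
tls_certificate="/etc/openser/tls/cert.pem"      # our certificate (self-CA or proxy-CA signed)
tls_private_key="/etc/openser/tls/privkey.pem"   # its private key
tls_ca_list="/etc/openser/tls/calist.pem"        # must contain the proxy root CA, or the
                                                 # proxy's server certificate will not verify
tls_verify=on                                    # verify the peer's certificate chain
tls_require_certificate=on                       # refuse TLS peers that present no certificate
listen=tls:192.0.2.20                            # TLS listener towards the relay (address assumed)
tls_port_no=5061
listen=udp:192.0.2.20:5060                       # assumption: plain UDP for our own users

# module paths are an assumption for the 2005-era layout
loadmodule "/usr/lib/openser/modules/sl.so"
loadmodule "/usr/lib/openser/modules/tm.so"
loadmodule "/usr/lib/openser/modules/avpops.so"

route {
    if (uri==myself) {
        # Our own domain: registrar/lookup handling goes here; the post
        # does not cover it, so this placeholder just rejects.
        sl_send_reply("404", "Not Found");
    } else {
        # Inter-domain traffic for a partner domain is handed to the TLS
        # relay: writing the proxy address into AVP 11 and pushing it to
        # $duri sets the destination URI (DST_URI), so the request goes to
        # openser.org over TLS while the RURI stays untouched. The relay
        # itself refuses local requests, so only partner domains are listed.
        if ( uri=~".*@domain1.com" || uri=~".*@domain2.com" ) {
            avp_write("sip:openser.org;transport=tls", "i:11");
            avp_pushto("$duri", "i:11");
        };

        # Anything else is forwarded by RURI as usual.
        if (!t_relay()) {
            sl_reply_error();
        };
    };
}
```

Two checks worth doing before announcing the domain: the certificate in tls_certificate must chain to a CA the proxy has in its own CA list (either your root CA as sent to Bogdan, or the proxy root CA if he signed the certificate), and your tls_ca_list must contain the proxy root CA; with tls_verify and tls_require_certificate enabled on both ends, a missing CA on either side fails the handshake rather than the SIP request, so look at the TLS debug output rather than waiting for a SIP error reply.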