See inline ...
On 10/9/05, Alexander Ph. Lintenhofer <lintenhofer(a)aon.at> wrote:
Hello Cesc,
Thanks for your answer!
If you want just one setup, then you are forced to use the "less
secure" setup so that your UAs can support it.
I think this is not a sufficient solution. Maybe it's possible to make
black- or whitelists for authentication rules in future developments
(just a quick'n'dirty idea).
Do you mean something like:
if connecting ip:port is in white list, apply a less restrictive TLS
authentication (do not require peer cert)
if connecting ip:port is not in white list or is in black list, demand a
stronger auth
Is that it?
Note that you can only do these lists based on ip:port, as TLS setup is
prior to any SIP exchange.
What I really think could work is to create a function (probably in a
tls_utils module), which would allow you to perform the extra verification that
you could not do during TLS setup.
I mean, you set up all TLS asking for a certificate from the other peer, but
do not require that it sends it. Then, from within the config file, you
could use a special function and force ser to perform the extra verification
on the TLS connection (equivalent to tls_require_cert=1).
Just a thought ...
With NAPTR-lookup support, the t_relay_to_tls("specific
domain","specific port") function could also be serviced by t_relay(),
or am I wrong?
Indeed, it should work. I don't know if ser uses the lookups correctly ...
t_relay should already work if your endpoint registered the contact over TLS
(transport=tls).
For inter-proxy, either you rely on NAPTR or use t_relay_to_tls.
Regards,
Cesc
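The two-stage scheme Cesc sketches (request but do not require a client certificate at the TLS handshake, then enforce it per source ip:port from the routing logic) as an added, stand-alone model in Python; this is illustration code written for this page, not ser's own tls_utils, and the class, method and list-entry formats are hypothetical.

```python
"""Two-stage TLS peer-authentication policy (hypothetical model, not ser code).

Stage 1 (handshake): the listener *asks* for a client certificate but does
not fail the handshake when none arrives.  Stage 2 (routing): a config-level
check decides, per source ip:port, whether a verified peer certificate is
required, i.e. tls_require_cert=1 applied after the fact.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Iterable, Optional, Tuple

# A list entry is ("ip" or "ip/prefix", port-or-None); None matches any port.
Rule = Tuple[str, Optional[int]]


@dataclass(frozen=True)
class TlsSession:
    src_ip: str
    src_port: int
    peer_cert_present: bool   # did the peer send a certificate at all?
    peer_cert_verified: bool  # did it chain to a trusted CA and pass checks?


class PeerAuthPolicy:
    def __init__(self, whitelist: Iterable[Rule] = (), blacklist: Iterable[Rule] = ()):
        # Keyed on ip:port only: TLS setup happens before any SIP message is seen,
        # so nothing from the SIP layer is available to the decision.
        self.whitelist = list(whitelist)
        self.blacklist = list(blacklist)

    @staticmethod
    def _match(rules: Iterable[Rule], sess: TlsSession) -> bool:
        addr = ip_address(sess.src_ip)
        return any(addr in ip_network(net, strict=False)
                   and (port is None or port == sess.src_port)
                   for net, port in rules)

    @staticmethod
    def tls_require_cert(sess: TlsSession) -> bool:
        """Stage-2 check: the peer must have presented a certificate that verified."""
        return sess.peer_cert_present and sess.peer_cert_verified

    def decide(self, sess: TlsSession) -> str:
        # Whitelisted and not blacklisted: accept the less restrictive setup.
        if self._match(self.whitelist, sess) and not self._match(self.blacklist, sess):
            return "accept"
        # Not whitelisted, or explicitly blacklisted: demand the stronger auth.
        return "accept" if self.tls_require_cert(sess) else "reject"


if __name__ == "__main__":  # constructed sample data
    policy = PeerAuthPolicy(whitelist=[("192.0.2.0/24", None)], blacklist=[("192.0.2.66", None)])
    print(policy.decide(TlsSession("192.0.2.10", 5061, False, False)))   # accept
    print(policy.decide(TlsSession("198.51.100.7", 5061, True, False)))  # reject
```

A presented-but-unverified certificate is treated as no certificate, which is the case the handshake alone would have silently let through.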