Hi Cesc,
Cesc wrote:
See inline ...
On 10/9/05, Alexander Ph. Lintenhofer <lintenhofer(a)aon.at> wrote:
Hello Cesc,
Thanks for your answer!
If you want just one setup, then you are forced to use the "less
secure" setup so that your UAs can support it.
I think this is not a sufficient solution. Maybe it's possible to make
black- or whitelists for authentication rules in future developments
(just a quick'n'dirty idea).
Do you mean something like:
if connecting ip:port is in white list, apply a less restrictive tls
authentication (do not require peer cert)
if connecting ip:port is not in white list or is in black list, demand a
stronger auth
Is that it?
Note that you can only do these lists based on ip:port, as TLS setup
happens prior to any SIP exchange.
What I really think could work is to create a function (probably in
a tls_utils module) which would allow performing the extra verification
that you could not do at TLS setup.
I mean, you set up all TLS asking for a certificate from the other
peer, but do not require that it sends it. Then, from within the
config file, you could use a special function and force ser to perform
the extra verification on the TLS (equivalent to tls_require_cert=1).
I think this would be a good workaround and not difficult to add. It's
something like Klaus suggested in a later email.
Just a thought ...
With NAPTR-lookup support, the t_relay_to_tls("specific domain",
"specific port") function could also be serviced by t_relay(),
or am I wrong?
Indeed, it should work. I don't know if ser uses the lookups correctly ...
t_relay should already work if your endpoint registered the contact
over tls (transport=tls).
For inter-proxy, either you rely on naptr or use the t_relay_to_tls.
The problem with t_relay_to_xxx is that it needs a port to be specified.
And if a port is specified, no SRV lookup is performed (according to the RFC).
Once we have the NAPTR lookup, I'm thinking of redesigning the
function interface of all these t_relay... functions to be more flexible
and easy to remember :-/.
Right now, you cannot do (in a nice way) a relay to another proxy via
TLS by using SRV.
If you do t_relay_to_tls() -> adios SRV :(
The only solution I found was to use the DST_URI to force TLS without
any port specifications:
avp_write("sip:proxy.com;transport=tls","i:11");
avp_pushto("$duri","i:11");
t_relay();
It should also work with:
avp_write("sips:proxy.com","i:11");
but I never tried.
regards,
bogdan
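The thread's central point is the RFC 3263 rule bogdan cites: once a URI carries an explicit port, the resolver does only an A/AAAA lookup and skips SRV (and NAPTR), which is why t_relay_to_tls(domain, port) can never reach a TLS proxy advertised through SRV, while a port-less "sip:proxy.com;transport=tls" or "sips:proxy.com" in the DST_URI can. The following added example (not code from the SER project or from anyone on this thread) models that target-selection logic in Python against a constructed in-memory zone for the hypothetical domain proxy.com; the record data, the `resolve()`/`parse_uri()` names and the simplified SRV/NAPTR selection (first by priority/order, no weighted randomisation, no AAAA) are all assumptions made for illustration.

```python
import re
from dataclasses import dataclass, field

# Constructed DNS data for the hypothetical domain proxy.com (not real records).
# NAPTR: (order, preference, flags, service, replacement)
# SRV:   (priority, weight, port, target)
ZONE = {
    "NAPTR": {
        "proxy.com": [
            (20, 50, "s", "SIP+D2U", "_sip._udp.proxy.com"),
            (10, 50, "s", "SIPS+D2T", "_sips._tcp.proxy.com"),
        ],
    },
    "SRV": {
        "_sips._tcp.proxy.com": [(0, 10, 5061, "tls1.proxy.com")],
        "_sip._udp.proxy.com": [(0, 10, 5060, "udp1.proxy.com")],
    },
    "A": {
        "proxy.com": ["192.0.2.1"],
        "tls1.proxy.com": ["192.0.2.10"],
        "udp1.proxy.com": ["192.0.2.20"],
    },
}

SERVICE_TO_TRANSPORT = {"SIP+D2U": "udp", "SIP+D2T": "tcp", "SIPS+D2T": "tls"}
SRV_PREFIX = {"udp": "_sip._udp.", "tcp": "_sip._tcp.", "tls": "_sips._tcp."}
DEFAULT_PORT = {"udp": 5060, "tcp": 5060, "tls": 5061}


@dataclass
class Target:
    transport: str
    addr: str
    port: int
    lookups: list = field(default_factory=list)  # DNS queries issued, in order


def parse_uri(uri):
    """Split a SIP/SIPS URI into scheme, host, port and URI parameters."""
    m = re.match(r"^(sips?):(?:[^@]+@)?([^:;?]+)(?::(\d+))?((?:;[^;?]+)*)", uri)
    if not m:
        raise ValueError("not a sip/sips URI: " + uri)
    scheme, host, port, raw = m.groups()
    params = {}
    for p in raw.strip(";").split(";"):
        if p:
            k, _, v = p.partition("=")
            params[k.lower()] = v.lower()
    return scheme, host, int(port) if port else None, params


def _via_srv(transport, name, fallback_host, zone, lookups):
    """SRV lookup for `name`; fall back to an A lookup with the default port."""
    lookups.append(("SRV", name))
    records = sorted(zone["SRV"].get(name, []), key=lambda r: (r[0], -r[1]))
    if records:
        _prio, _weight, port, target = records[0]
        lookups.append(("A", target))
        return Target(transport, zone["A"][target][0], port, lookups)
    lookups.append(("A", fallback_host))
    return Target(transport, zone["A"][fallback_host][0], DEFAULT_PORT[transport], lookups)


def resolve(uri, zone=ZONE):
    """Pick next-hop transport/address/port for a SIP URI (RFC 3263, simplified)."""
    scheme, host, port, params = parse_uri(uri)
    lookups = []
    transport = params.get("transport")
    if scheme == "sips" and transport:
        transport = "tls"  # sips always means TLS, whatever the parameter says
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        transport = transport or ("tls" if scheme == "sips" else "udp")
        return Target(transport, host, port or DEFAULT_PORT[transport], lookups)
    if port is not None:
        # Explicit port: only an A/AAAA lookup, never SRV (the "adios SRV" case).
        transport = transport or ("tls" if scheme == "sips" else "udp")
        lookups.append(("A", host))
        return Target(transport, zone["A"][host][0], port, lookups)
    if transport is None:
        # No port and no transport: consult NAPTR; sips may only use SIPS services.
        lookups.append(("NAPTR", host))
        wanted = [r for r in zone["NAPTR"].get(host, [])
                  if r[3] in SERVICE_TO_TRANSPORT
                  and (scheme != "sips" or r[3].startswith("SIPS"))]
        if wanted:
            _o, _p, _f, service, replacement = min(wanted, key=lambda r: (r[0], r[1]))
            return _via_srv(SERVICE_TO_TRANSPORT[service], replacement, host, zone, lookups)
        transport = "tls" if scheme == "sips" else "udp"
    return _via_srv(transport, SRV_PREFIX[transport] + host, host, zone, lookups)


if __name__ == "__main__":
    for u in ("sip:proxy.com:5061;transport=tls", "sip:proxy.com;transport=tls",
              "sips:proxy.com", "sip:proxy.com", "sip:192.0.2.5"):
        print(u, "->", resolve(u))
```

Running it shows the two sides of the thread's complaint: the port-qualified URI (what t_relay_to_tls builds) goes straight to an A lookup for proxy.com and lands on 192.0.2.1:5061, while the port-less transport=tls and sips forms do the SRV (and, for sips/sip without a transport parameter, the NAPTR) lookups and end up at the TLS server the zone actually advertises, 192.0.2.10:5061.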