Hello, I'm trying to implement OpenSER with TLS, and I think the idea is very good and very well explained in the manual (http://openser.org/docs/tls.html#AEN50).
But can the OpenSER servers negotiate the certificates in real time? Can this trust scheme be dynamic, or does every server need to have a list of domains?
Is the list of domains supposed to be centralized, like a root CA? Then must all our SIP servers use the same root CA?
Thanks, Joao Pereira
Joao Pereira wrote:
> Hello, I'm trying to implement OpenSER with TLS, and I think the idea is very good and very well explained in the manual (http://openser.org/docs/tls.html#AEN50).
> But can the OpenSER servers negotiate the certificates in real time?
Not sure what you mean. The configuration is static and read once during startup. Thus, changing the TLS configuration (adding CA certs, ...) requires a reboot of openser.
> Can this trust scheme be dynamic, or does every server need to have a list of domains?
> Is the list of domains supposed to be centralized, like a root CA? Then must all our SIP servers use the same root CA?
If you want to use TLS to authenticate servers, then the verifying server must import the root CA which signed the peer's certificate.
Regards, Klaus
Hello
> If you want to use TLS to authenticate servers, then the verifying
> server must import the root CA which signed the peer's certificate.
OK, but if you call me, where is my server going to download the certificate that signed your server? From a central Certification Authority?
One other thing: does OpenSER support 1024-bit certificates, or just 512-bit?
Thanks, Joao Pereira
Joao Pereira wrote:
> Hello
>> If you want to use TLS to authenticate servers, then the verifying
>> server must import the root CA which signed the peer's certificate.
> OK, but if you call me, where is my server going to download the certificate that signed your server? From a central Certification Authority?
You have to download the CA certificate from the CA.
Then during the handshake the peer proxy provides its certificate (signed by the CA). This certificate will be verified using the previously downloaded CA cert.
Regards, Klaus
> One other thing: does OpenSER support 1024-bit certificates, or just 512-bit?
> Thanks, Joao Pereira
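The trust model Klaus describes in his two replies (the CA certificate is fetched from the CA and imported locally before startup; the peer's own certificate arrives in the handshake and is validated against that imported CA cert), shown end to end as an added example. This is not code from the thread or from the OpenSER project: it builds two throwaway root CAs with openssl, issues one proxy certificate from each, and runs the verification step a proxy that trusts only one of the CAs would perform. CA names, host names and the working directory are made up, and the openser.cfg parameter names in write_tls_cfg are assumed from the OpenSER 1.x core TLS parameters and should be checked against the manual linked above.

```shell
#!/bin/sh
# Added example, not from the original thread or from OpenSER. Builds two
# small root CAs with openssl, issues a proxy certificate from each, and runs
# the check a verifying proxy performs in the TLS handshake: the peer's
# certificate is validated against the CA certificate imported beforehand.
# All CA names, host names and paths below are made up for illustration.
set -e

WORK="${WORK:-$(mktemp -d)}"

# make_ca NAME: self-signed root CA (key + certificate). The .crt file is the
# one every verifying proxy has to fetch from the CA and import locally.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -keyout "$WORK/$1.key" -out "$WORK/$1.crt" \
        -subj "/CN=$1" >/dev/null 2>&1
}

# issue_cert CA HOST: key + CSR for a SIP proxy, signed by CA. A 2048-bit
# RSA key is used here; 512-bit RSA is far too weak for any current use.
issue_cert() {
    openssl req -newkey rsa:2048 -nodes -sha256 \
        -keyout "$WORK/$2.key" -out "$WORK/$2.csr" \
        -subj "/CN=$2" >/dev/null 2>&1
    openssl x509 -req -sha256 -days 365 -in "$WORK/$2.csr" \
        -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" -CAcreateserial \
        -out "$WORK/$2.crt" >/dev/null 2>&1
}

# verify_peer CA HOST: the handshake-time check. The verifying side holds
# only the CA certificate; the peer's certificate is what arrives in the
# handshake. Exit status 0 if the chain validates, non-zero otherwise.
verify_peer() {
    openssl verify -CAfile "$WORK/$1.crt" "$WORK/$2.crt" >/dev/null 2>&1
}

# write_tls_cfg HOST CA: TLS fragment for the proxy's openser.cfg. Parameter
# names are assumed from the OpenSER 1.x core TLS parameters; check them
# against the manual for your version. Because this file is read once at
# startup, adding another CA to tls_ca_list means restarting openser.
write_tls_cfg() {
    cat >"$WORK/$1.tls.cfg" <<EOF
disable_tls = 0
listen = tls:0.0.0.0:5061
tls_method = TLSv1
tls_verify_server = 1
tls_verify_client = 1
tls_require_client_certificate = 1
tls_certificate = "$WORK/$1.crt"
tls_private_key = "$WORK/$1.key"
tls_ca_list = "$WORK/$2.crt"
EOF
}

setup_demo() {
    make_ca ca-a
    make_ca ca-b
    issue_cert ca-a proxy-a.example.net
    issue_cert ca-b proxy-b.example.net
    write_tls_cfg proxy-a.example.net ca-a
}

setup_demo
# proxy-a has imported only ca-a.crt: a peer certified by ca-a validates,
# a peer certified by ca-b does not, even though both are perfectly good
# certificates. Trusting proxy-b means importing ca-b.crt and restarting.
if verify_peer ca-a proxy-a.example.net; then
    echo "proxy-a.example.net: accepted (signed by an imported CA)"
fi
if verify_peer ca-a proxy-b.example.net; then
    echo "proxy-b.example.net: accepted"
else
    echo "proxy-b.example.net: rejected (its CA is not in tls_ca_list)"
fi
```

The point the script makes is that there is no need for a single global root CA: each proxy only has to hold the CA certificate (or certificates) that signed the peers it wants to talk to, and that list is fixed at startup. Note that `openssl verify` checks only the chain; matching the certificate's subject against the peer's SIP domain is a separate step.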