[Devel] [Users] TLS setup

Klaus Darilion klaus.mailinglists at pernau.at
Mon Oct 10 09:56:17 CEST 2005


Juha Heinanen wrote:
> since tls connection is set up BEFORE any sip requests are sent, i guess
> the proxy (even if it had one certificate per domain) could not know
> which server certificate to advertise to the client.  
> 
> on the other hand, when proxy is relaying a request, it does know for
> which domain it is doing it and thus could use client certificate of
> that domain.
> 
> what is the conclusion of this?  only generate one server/client
> certificate for the proxy even if it serves multiple domains?

AFAIK it is possible to add domains to the Subject Alternative Field. 
But I'm not sure if this is the intended usage of this field. Another 
problem is that you would have to change the certificate every time a 
domain is added/removed.

Subdomains can be handled using wildcard domains: "*.sipproxy.com"

Another solution would be to use a dedicated port for each domain. Is 
openser capable of using the proper port for sending the request?

regards
klaus
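
The two certificate options discussed in this message (several domains listed in one certificate, and a wildcard such as "*.sipproxy.com"), as an added example that is not part of the original message or of OpenSER: it checks which hosted domains a certificate's name list covers and which would force a reissue. The function names, the sample domains other than "*.sipproxy.com", and the matching rule (wildcard only as the whole leftmost label, standing for exactly one label, as TLS clients commonly apply it) are assumptions.

```python
"""Added example: which hosted SIP domains does a proxy certificate cover?"""


def _labels(name):
    # DNS names compare case-insensitively; ignore a trailing root dot.
    return name.rstrip(".").lower().split(".")


def san_matches(pattern, domain):
    """True if one dNSName entry of the certificate covers `domain`.

    Assumed rule: a wildcard is honoured only as the entire leftmost
    label and stands for exactly one label.
    """
    p, d = _labels(pattern), _labels(domain)
    if len(p) != len(d) or "" in p or "" in d:
        return False
    if p[0] == "*":
        # Require two fixed labels after the wildcard so "*.com" never matches.
        return len(p) >= 3 and "*" not in "".join(p[1:]) and p[1:] == d[1:]
    # No wildcard elsewhere in the name: exact comparison only.
    return "*" not in pattern and p == d


def uncovered(hosted_domains, san_entries):
    """Hosted domains for which the certificate would have to be reissued."""
    return [d for d in hosted_domains
            if not any(san_matches(s, d) for s in san_entries)]


# Constructed sample data: names in the proxy certificate ...
CERT_SAN = ["sipproxy.com", "*.sipproxy.com", "example.org"]
# ... and the domains the proxy currently serves.
HOSTED = ["sipproxy.com", "voip.sipproxy.com", "a.b.sipproxy.com",
          "example.org", "example.net"]

if __name__ == "__main__":
    for name in uncovered(HOSTED, CERT_SAN):
        print("not covered, certificate must change:", name)
```

The wildcard covers "voip.sipproxy.com" but neither the bare "sipproxy.com" (listed separately here) nor the two-level "a.b.sipproxy.com", and a newly added domain such as "example.net" requires a new certificate.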


