[Devel] Re: [Board] version number for next release
Adrian Georgescu
ag at ag-projects.com
Tue Sep 27 18:50:37 CEST 2005
Let's imagine I call from sip:ag at ag-projects.com to sip:klaus at enum.at
I imagine the following scenario would take place:
1. NAPTR record lookup to deduce the transport for enum.at domain
2. Let's say enum.at has tls as the preferred protocol so my Proxy
rewrites the URI to sips:klaus at enum.at and subsequently looks up SRV
_sips._tcp.enum.at
3. I look up the A record for what I have chosen from the SRV record set
4. I make a tcp connect to remote IP:port and start negotiating TLS
What certificate will my own server use? While the destination must
first setup a connection to see any user information it can only
offer the standard certificate of that server but my sending proxy
knows which certificate to use (because it knows the domain of the
caller) when initiating the TLS.
So the real question is how can we make the proxy select a custom
certificate when dialing out?
Cesc, do you have a better insight on this?
Regards,
Adrian
On Sep 27, 2005, at 2:54 PM, Klaus Darilion wrote:
> Adrian Georgescu wrote:
>
>
>> Hi everybody,
>> I am personally very interested in developing security related
>> features for OpenSER. I plan to move to OpenSER in November, we
>> are still running 8.14 in production, and enable TLS for inter-
>> domain routing right away.
>> I think all of us have a SIP server that can be used to create a
>> mesh for TLS enabled domains so that we can get some real
>> experiences and produce a best practices document based on it.
>> My requirements at this initial stage are:
>> 1. Investigate how TLS can be used in a multi-domain environment
>>
>
> Is this possible at all? A workaround would be a dedicated IP
> address for domain and a dedicated openser process for each IP
> address with the corresponding certificate.
>
> klaus
>
>> 2. As TLS is on a hop by hop basis I would like to have proper
>> DNS lookups to change the transport based on destination domain
>> I see a major impact on performance by using TLS to the UA side
>> because of the use of TCP and the certificate negotiation, I am
>> wondering what we will bump into once we start using TLS.
>> Regards,
>> Adrian
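
The outbound sequence in steps 1 to 4 of the message above, as an added example that is not part of the original thread and not OpenSER code. The DNS records are constructed, and the certificate paths, `plan_outbound` and the other names are hypothetical; it shows that the caller's domain is known before the connection is opened, so it can select the client certificate.

```python
from typing import NamedTuple, Optional

# NAPTR service field -> (URI scheme, transport), as defined in RFC 3263.
SERVICES = {"SIPS+D2T": ("sips", "tls"), "SIP+D2T": ("sip", "tcp"), "SIP+D2U": ("sip", "udp")}

# Constructed DNS data; a real proxy would query a resolver instead.
NAPTR = {  # domain -> [(order, preference, service, SRV name)]
    "enum.at": [(20, 50, "SIP+D2U", "_sip._udp.enum.at"), (10, 50, "SIPS+D2T", "_sips._tcp.enum.at")],
    "udp-only.example": [(10, 50, "SIP+D2U", "_sip._udp.udp-only.example")],
}
SRV = {  # SRV name -> [(priority, weight, port, target)]
    "_sips._tcp.enum.at": [(20, 100, 5061, "sip2.enum.at"), (10, 100, 5061, "sip1.enum.at")],
    "_sip._udp.udp-only.example": [(10, 100, 5060, "sip.udp-only.example")],
}
A = {"sip1.enum.at": "192.0.2.10", "sip2.enum.at": "192.0.2.11", "sip.udp-only.example": "192.0.2.20"}

# Hypothetical certificate store on the sending proxy, keyed by caller domain.
CLIENT_CERTS = {"ag-projects.com": "/etc/proxy/tls/ag-projects.com.pem"}
DEFAULT_CERT = "/etc/proxy/tls/server-default.pem"

class OutboundPlan(NamedTuple):
    request_uri: str
    transport: str
    target: tuple           # (IP, port)
    client_cert: Optional[str]

def split_uri(uri):
    """Split 'sip:user@domain' into (user, domain); no parameters or ports handled."""
    user, _, domain = uri.split(":", 1)[1].partition("@")
    return user, domain.lower()

def plan_outbound(from_uri, to_uri):
    _, caller_domain = split_uri(from_uri)
    user, callee_domain = split_uri(to_uri)
    # Step 1: lowest NAPTR order/preference among the transports we support.
    supported = [r for r in NAPTR[callee_domain] if r[2] in SERVICES]
    _, _, service, srv_name = min(supported)
    scheme, transport = SERVICES[service]
    # Step 2: lowest SRV priority wins; weighted choice among equals is omitted.
    _, _, port, host = min(SRV[srv_name])
    # Step 3: address lookup for the chosen SRV target.
    ip = A[host]
    # Step 4: only TLS needs a certificate, and the caller's domain is already known
    # here, before the connection is opened, so it can drive the selection.
    cert = CLIENT_CERTS.get(caller_domain, DEFAULT_CERT) if transport == "tls" else None
    return OutboundPlan(f"{scheme}:{user}@{callee_domain}", transport, (ip, port), cert)
```

A caller domain without its own entry falls back to the server's standard certificate, which is the single-certificate behaviour the thread starts from.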