[Devel] Re: [Board] version number for next release

Adrian Georgescu ag at ag-projects.com
Tue Sep 27 18:50:37 CEST 2005


Let's imagine I call from sip:ag@ag-projects.com to sip:klaus@enum.at

I imagine the following scenario would take place:

1. NAPTR record lookup to deduce the transport for the enum.at domain
2. Let's say enum.at has TLS as the preferred protocol, so my proxy rewrites the URI to sips:klaus@enum.at and subsequently looks up the SRV record _sips._tcp.enum.at
3. I look up the A record for what I have chosen from the SRV record set
4. I make a TCP connection to the remote IP:port and start negotiating TLS

What certificate will my own server use? While the destination must first set up a connection to see any user information and can only offer the standard certificate of that server, my sending proxy knows which certificate to use (because it knows the domain of the caller) when initiating the TLS.

So the real question is: how can we make the proxy select a custom certificate when dialing out?

Cesc, do you have a better insight on this?

Regards,
Adrian

On Sep 27, 2005, at 2:54 PM, Klaus Darilion wrote:


> Adrian Georgescu wrote:
>
>
>> Hi everybody,
>> I am personally very interested in developing security related features for OpenSER. I plan to move to OpenSER in November, we are still running 8.14 in production, and enable TLS for inter-domain routing right away.
>> I think all of us have a SIP server that can be used to create a mesh for TLS enabled domains so that we can get some real experiences and produce a best practices document based on it.
>> My requirements at this initial stage are:
>> 1. Investigate how TLS can be used in a multi-domain environment
>>
>
> Is this possible at all? A workaround would be a dedicated IP address for each domain and a dedicated openser process for each IP address with the corresponding certificate.
>
> klaus
>
>> 2. As TLS is on a hop-by-hop basis I would like to have proper DNS lookups to change the transport based on the destination domain
>> I see a major impact on performance by using TLS to the UA side because of the use of TCP and the certificate negotiation, I am wondering what we will bump into once we start using TLS.
>> Regards,
>> Adrian
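The NAPTR -> SRV -> A resolution steps Adrian walks through above, written out as an added Python example (not code from the thread or from OpenSER). It runs against a constructed, offline record set standing in for DNS; the zone contents, host names and 192.0.2.x addresses are placeholder sample data, not the real enum.at zone.

```python
# Added example: RFC 3263-style resolution of a SIP URI to (scheme, transport, host, IP, port)
# by following NAPTR -> SRV -> A, as described in the message above.
# ZONE is a constructed, offline sample (placeholder data, not the real enum.at records).
ZONE = {
    # NAPTR: (order, preference, flags, service, replacement)
    ("enum.at", "NAPTR"): [
        (10, 20, "s", "SIP+D2U", "_sip._udp.enum.at"),
        (10, 10, "s", "SIPS+D2T", "_sips._tcp.enum.at"),  # lower preference wins: TLS
    ],
    # SRV: (priority, weight, port, target)
    ("_sips._tcp.enum.at", "SRV"): [
        (20, 0, 5061, "proxy2.enum.at"),
        (10, 60, 5061, "proxy1.enum.at"),
    ],
    ("proxy1.enum.at", "A"): ["192.0.2.10"],
    ("proxy2.enum.at", "A"): ["192.0.2.11"],
}

# NAPTR service field -> (URI scheme the proxy rewrites to, transport it will use)
SERVICES = {"SIPS+D2T": ("sips", "tls"), "SIP+D2T": ("sip", "tcp"), "SIP+D2U": ("sip", "udp")}


def lookup(zone, name, rtype):
    """Stand-in for a DNS query, answered from the constructed zone."""
    return zone.get((name, rtype), [])


def resolve_sip_target(uri, zone=ZONE):
    """Return (rewritten URI, transport, SRV target, IP, port) for a URI whose host is a domain."""
    _scheme, _, rest = uri.partition(":")
    user, _, domain = rest.rpartition("@")
    # Step 1: NAPTR, ordered by (order, preference); keep terminal ("s") records for SIP services.
    naptr = [r for r in sorted(lookup(zone, domain, "NAPTR")) if r[2] == "s" and r[3] in SERVICES]
    if not naptr:
        raise LookupError(f"no usable NAPTR record for {domain}")
    _, _, _, service, srv_name = naptr[0]
    new_scheme, transport = SERVICES[service]
    # Step 2: SRV under the NAPTR replacement name: lowest priority first, then highest weight
    # (a real client picks among equal priorities by weighted random choice, RFC 2782).
    srv = sorted(lookup(zone, srv_name, "SRV"), key=lambda r: (r[0], -r[1]))
    if not srv:
        raise LookupError(f"no SRV record for {srv_name}")
    _, _, port, target = srv[0]
    # Step 3: A record of the chosen SRV target.
    addrs = lookup(zone, target, "A")
    if not addrs:
        raise LookupError(f"no A record for {target}")
    # Step 4 (TCP connect and TLS handshake) would use these values next.
    return f"{new_scheme}:{user}@{domain}", transport, target, addrs[0], port
```

Calling `resolve_sip_target("sip:klaus@enum.at")` on this zone yields the sips: URI, the `tls` transport and proxy1.enum.at:5061, which is exactly the point at which the outgoing proxy has to decide which certificate to present.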