[Devel] Re: [Board] version number for next release

Klaus Darilion klaus.mailinglists at pernau.at
Wed Sep 28 12:10:47 CEST 2005


Adrian Georgescu wrote:
> Let's imagine I call from sip:ag at ag-projects.com to sip:klaus at enum.at
> 
> I imagine the following scenario would take place:
> 
> 1. NAPTR record lookup to deduct the transport for enum.at domain
> 2. Let's say enum.at has tls as the preferred protocol so my Proxy
> rewrites the URI to sips:klaus at enum.at and subsequently looks up SRV
> _sips._tcp.enum.at

No. I think the proxy must not change the URI scheme, as this would 
require TLS end2end, and we only want TLS between the proxies. Thus, the 
URI is still sip:klaus at enum.at, but the proxy will use SRV 
_sips._tcp.enum.at

regards
klaus

> 3. I lookup the A record for what I have chosen from the SRV record set
> 4. I make a tcp connect to remote IP:port and start negotiating TLS
> 
> What certificate will my own server use? While the destination must
> first setup a connection to see any user information it can only offer
> the standard certificate of that server but my sending proxy knows
> which certificate to use (because it knows the domain of the caller)
> when initiating the TLS.
> 
> So the real question is how can we make the proxy select a custom
> certificate when dialing out?
> 
> Cesc, do you have a better insight on this?
> 
> Regards,
> Adrian
> 
> On Sep 27, 2005, at 2:54 PM, Klaus Darilion wrote:
> 
> 
>> Adrian Georgescu wrote:
>>
>>
>>> Hi everybody,
>>> I am personally very interested in developing security related
>>> features for OpenSER. I plan to move to OpenSER in November, we are
>>> still running 8.14 in production, and enable TLS for inter-domain
>>> routing right away.
>>> I think all of us have a SIP server that can be used to create a
>>> mesh for TLS enabled domains so that we can get some real
>>> experiences and produce a best practices document based on it.
>>> My requirements at this initial stage are:
>>> 1. Investigate how TLS can be used in a multi-domain environment
>>>
>>
>> Is this possible at all? A workaround would be a dedicated IP address
>> for domain and a dedicated openser process for each IP address with
>> the corresponding certificate.
>>
>> klaus
>>
>>> 2. As TLS is on a hop by hop basis I would like to have proper DNS
>>> lookups to change the transport based on destination domain
>>> I see a major impact on performance by using TLS to the UA side
>>> because of the use of TCP and the certificate negotiation, I am
>>> wondering what we will bump into once we start using TLS.
>>> Regards,
>>> Adrian

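The NAPTR, SRV and A lookup sequence discussed above, as an added example that is not part of the thread or of OpenSER: it runs RFC 3263-style resolution over a constructed in-memory record set for the made-up domain enum.example, prefers the SIPS+D2T (TLS over TCP) NAPTR service so the proxy-to-proxy hop uses TLS, and returns the Request-URI unchanged, i.e. the scheme stays sip: rather than being rewritten to sips:, which is the point Klaus makes. The record values and the 192.0.2.x addresses are constructed for the example.

```python
import random

# Constructed in-memory records for a made-up domain (not real DNS data).
NAPTR = {"enum.example": [  # (order, preference, service, replacement)
    (10, 50, "SIPS+D2T", "_sips._tcp.enum.example"),
    (20, 50, "SIP+D2T", "_sip._tcp.enum.example"),
    (30, 50, "SIP+D2U", "_sip._udp.enum.example")]}
SRV = {"_sips._tcp.enum.example": [  # (priority, weight, port, target)
    (10, 60, 5061, "tls1.enum.example"),
    (10, 40, 5061, "tls2.enum.example"),
    (20, 0, 5061, "tls-backup.enum.example")]}
A = {"tls1.enum.example": "192.0.2.10", "tls2.enum.example": "192.0.2.11",
     "tls-backup.enum.example": "192.0.2.12"}
TRANSPORT = {"SIPS+D2T": "tls", "SIP+D2T": "tcp", "SIP+D2U": "udp"}

def select_naptr(domain, supported=("tls", "tcp", "udp")):
    """RFC 3263 step 1: lowest order, then lowest preference, among the
    NAPTR services this proxy supports. Returns (transport, srv_name)."""
    usable = [r for r in NAPTR.get(domain, []) if TRANSPORT.get(r[2]) in supported]
    if not usable:
        return None
    _, _, service, replacement = min(usable, key=lambda r: (r[0], r[1]))
    return TRANSPORT[service], replacement

def order_srv(srv_name, rng):
    """RFC 2782 selection: ascending priority; within one priority a weighted
    random draw, so load spreads in proportion to weight. Returns [(target, port)]."""
    remaining = sorted(SRV.get(srv_name, []))
    ordered = []
    while remaining:
        group = [r for r in remaining if r[0] == remaining[0][0]]
        weights = [r[1] for r in group]
        pick = group[0] if sum(weights) == 0 else rng.choices(group, weights=weights)[0]
        ordered.append((pick[3], pick[2]))
        remaining.remove(pick)
    return ordered

def resolve_next_hop(request_uri, seed=None):
    """Resolve the host part of a sip: Request-URI to an ordered list of
    (ip, port, transport) for this hop. The URI itself is returned unchanged:
    TLS is chosen per hop, so the scheme stays sip: (not sips:)."""
    domain = request_uri.partition(":")[2].split("@")[-1]
    selection = select_naptr(domain)
    if selection is None:
        return request_uri, []
    transport, srv_name = selection
    hops = [(A[target], port, transport)
            for target, port in order_srv(srv_name, random.Random(seed))]
    return request_uri, hops
```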