[Devel] Re: [Board] version number for next release
Klaus Darilion
klaus.mailinglists at pernau.at
Wed Sep 28 12:10:47 CEST 2005
Adrian Georgescu wrote:
> Let's imagine I call from sip:ag at ag-projects.com to sip:klaus at enum.at
>
> I imagine the following scenario would take place:
>
> 1. NAPTR record lookup to deduce the transport for the enum.at domain
> 2. Let's say enum.at has tls as the preferred protocol so my Proxy
> rewrites the URI to sips:klaus at enum.at and lookup subsequently SRV
> _sips._tcp.enum.at
No. I think the proxy must not change the URI scheme, as this would
require TLS end2end, and we only want TLS between the proxies. Thus, the
URI is still sip:klaus at enum.at, but the proxy will use SRV
_sips._tcp.enum.at
regards
klaus
> 3. I lookup the A record for what I have chosen from the SRV record set
> 4. I make a tcp connect to remote IP:port and start negotiating TLS
>
> What certificate will my own server use? While the destination must
> first setup a connection to see any user information it can only offer
> the standard certificate of that server but my sending proxy knows
> which certificate to use (because it knows the domain of the caller)
> when initiating the TLS.
>
> So the real question is how can we make the proxy select a custom
> certificate when dialing out?
>
> Cesc, do you have a better insight on this?
>
> Regards,
> Adrian
>
> On Sep 27, 2005, at 2:54 PM, Klaus Darilion wrote:
>
>
>> Adrian Georgescu wrote:
>>
>>
>>> Hi everybody,
>>> I am personally very interested in developing security related
>>> features for OpenSER. I plan to move to OpenSER in November, we are
>>> still running 8.14 in production, and enable TLS for inter-domain
>>> routing right away.
>>> I think all of us have a SIP server that can be used to create a
>>> mesh for TLS enabled domains so that we can get some real
>>> experiences and produce a best practices document based on it.
>>> My requirements at this initial stage are:
>>> 1. Investigate how TLS can be used in a multi-domain environment
>>>
>>
>> Is this possible at all? A workaround would be a dedicated IP address
>> for domain and a dedicated openser process for each IP address with
>> the corresponding certificate.
>>
>> klaus
>>
>>> 2. As TLS is on a hop by hop basis I would like to have proper DNS
>>> lookups to change the transport based on destination domain
>>> I see a major impact on performance by using TLS to the UA side
>>> because of the use of TCP and the certificate negotiation, I am
>>> wondering what we will bump into once we start using TLS.
>>> Regards,
>>> Adrian
> _______________________________________________
> Devel mailing list
> Devel at openser.org
> http://openser.org/cgi-bin/mailman/listinfo/devel
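An offline model of the resolution steps the thread walks through (NAPTR to pick the transport, SRV to pick the host and port, then A), written to illustrate Klaus's point: the proxy chooses TLS as the transport to the next hop but leaves the Request-URI as sip:, because rewriting it to sips: would demand TLS on every hop. This is an added example, not code from the openser-devel thread or from OpenSER; the DNS zone is constructed, and enum.at and the sip1/sip2 hostnames are used only to mirror the scenario in the mail.

```python
"""Offline model of RFC 3263-style next-hop resolution (NAPTR -> SRV -> A).
Added example, not code from the openser-devel list or from OpenSER. All DNS
data below is constructed; 'enum.at' and the hostnames only mirror the thread."""

import re
from typing import NamedTuple, Optional


class Naptr(NamedTuple):
    order: int
    preference: int
    service: str
    replacement: str


class Srv(NamedTuple):
    priority: int
    weight: int
    port: int
    target: str


# Constructed zone for the example: enum.at advertises TLS (SIPS+D2T) as the
# most preferred transport, then TCP, then UDP.
ZONE = {
    "NAPTR": {
        "enum.at": [
            Naptr(10, 50, "SIPS+D2T", "_sips._tcp.enum.at"),
            Naptr(20, 50, "SIP+D2T", "_sip._tcp.enum.at"),
            Naptr(30, 50, "SIP+D2U", "_sip._udp.enum.at"),
        ],
    },
    "SRV": {
        "_sips._tcp.enum.at": [Srv(10, 60, 5061, "sip1.enum.at"),
                               Srv(20, 40, 5061, "sip2.enum.at")],
        "_sip._tcp.enum.at": [Srv(10, 100, 5060, "sip1.enum.at")],
        "_sip._udp.enum.at": [Srv(10, 100, 5060, "sip1.enum.at")],
    },
    "A": {"sip1.enum.at": "192.0.2.10", "sip2.enum.at": "192.0.2.11"},
}

# NAPTR service field -> transport (RFC 3263, section 4.1).
SERVICE_TO_TRANSPORT = {"SIPS+D2T": "tls", "SIP+D2T": "tcp", "SIP+D2U": "udp"}


def parse_sip_uri(uri: str):
    """Split 'sip:user@host' or 'sips:user@host' into (scheme, user, host)."""
    m = re.fullmatch(r"(sips?):(?:([^@]+)@)?([^;>]+)", uri)
    if not m:
        raise ValueError(f"not a SIP URI: {uri}")
    return m.group(1), m.group(2), m.group(3)


def select_naptr(domain: str, allowed, zone=ZONE) -> Optional[Naptr]:
    """Lowest order, then lowest preference, among transports we may use."""
    recs = sorted(zone["NAPTR"].get(domain, []),
                  key=lambda r: (r.order, r.preference))
    for rec in recs:
        if SERVICE_TO_TRANSPORT.get(rec.service) in allowed:
            return rec
    return None


def select_srv(name: str, zone=ZONE) -> Optional[Srv]:
    """Lowest priority wins; ties go to the highest weight (a real resolver
    does a weighted random pick, made deterministic here for stability)."""
    recs = zone["SRV"].get(name, [])
    if not recs:
        return None
    best = min(r.priority for r in recs)
    return max((r for r in recs if r.priority == best), key=lambda r: r.weight)


def resolve_next_hop(request_uri: str, zone=ZONE) -> dict:
    """Return where and how to send the request. The Request-URI is returned
    unchanged: picking TLS to the next hop is a transport decision, and turning
    sip: into sips: would require TLS end to end rather than hop by hop."""
    scheme, _user, domain = parse_sip_uri(request_uri)
    # A sips: URI already demands TLS, so only SIPS+D2T is acceptable for it.
    allowed = ("tls",) if scheme == "sips" else ("tls", "tcp", "udp")
    naptr = select_naptr(domain, allowed, zone)
    if naptr is None:
        # No usable NAPTR: fall back to an A lookup with the default port.
        return {"uri": request_uri, "transport": "udp", "host": domain,
                "port": 5060, "ip": zone["A"].get(domain)}
    srv = select_srv(naptr.replacement, zone)
    if srv is None:
        raise LookupError(f"NAPTR names {naptr.replacement} but no SRV records exist")
    return {"uri": request_uri,
            "transport": SERVICE_TO_TRANSPORT[naptr.service],
            "host": srv.target, "port": srv.port,
            "ip": zone["A"][srv.target]}


if __name__ == "__main__":
    print(resolve_next_hop("sip:klaus@enum.at"))
```

Running it for sip:klaus@enum.at yields transport tls to sip1.enum.at:5061 while the URI stays sip:, which is the behaviour Klaus describes; passing a sips: URI restricts the NAPTR choice to SIPS+D2T, showing why the scheme rewrite in the quoted scenario would force TLS on every subsequent hop.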