[Devel] TLS and multidomain

Cesc cesc.santa at gmail.com
Wed Sep 28 12:15:53 CEST 2005


Hi,
first, let me rename the thread ... it deviated far away from the version
number stuff.
See some comments inline ...
 On 9/27/05, Adrian Georgescu <ag at ag-projects.com> wrote:
>
> Let's imagine I call from sip:ag@ag-projects.com to sip:klaus@enum.at
>
> I imagine the following scenario would take place:
>
> 1. NAPTR record lookup to deduce the transport for the enum.at domain
> 2. Let's say enum.at has tls as the preferred protocol so my Proxy
> rewrites the URI to sips:klaus@enum.at and subsequently looks up SRV
> _sips._tcp.enum.at

I don't know if I would rewrite the URI ... the user did not really request
sips, just sip. You can still use TLS to route a simple sip: call ... If the
user does request sips, then it must run on TLS ... otherwise, TLS between
domains is just a choice made by the provider to offer some added value.

> 3. I look up the A record for what I have chosen from the SRV record set
> 4. I make a tcp connect to the remote IP:port and start negotiating TLS
>
> What certificate will my own server use? While the destination must
> first setup a connection to see any user information it can only
> offer the standard certificate of that server but my sending proxy
> knows which certificate to use (because it knows the domain of the
> caller) when initiating the TLS.
>
> So the real question is how can we make the proxy select a custom
> certificate when dialing out?
>
> Cesc, do you have a better insight on this?
>
As it is now, the TLS code allows you to set up various domains, each with its
own config. But these domains are linked to an IP:port. As you probably do not
want to have an IP:port tuple for each possible domain you need to dial out
to ... yes, some better feature may be needed, which allows the "profile" to
be changed more on the fly when dialing out.
Note: I have not tested the domains ... but inspecting the code, they seem
right. ;)

Let me ask a thing ... when you set up a ser serving multiple domains, do you
set one ip:port per domain, or does each domain have its own pair (ip:port1,
ip:port2, ... )? This is very naive, I know, but I am not in the provider
business ... we run a single-domain system here :)
Regards,
Cesc
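The resolution Adrian sketches (NAPTR, then SRV, then A record) together with Cesc's point that a plain sip: URI may still be routed over TLS while a sips: URI must be, worked through as an added example. This is not code from the thread or from OpenSER; the enum.at zone data, the hostnames and the 192.0.2.x addresses in it are constructed, and the function names are the example's own.

```python
"""RFC 3263-style target resolution for a SIP or SIPS URI: NAPTR -> SRV -> A.

Added example for this thread, not OpenSER code.  The DNS data is a
constructed in-memory zone for enum.at; none of it is real.
"""
import random
from collections import namedtuple

Naptr = namedtuple("Naptr", "order preference service replacement")
Srv = namedtuple("Srv", "priority weight port target")

SERVICE_TO_TRANSPORT = {"SIPS+D2T": "tls", "SIP+D2T": "tcp", "SIP+D2U": "udp"}

# Constructed zone: enum.at prefers TLS (lowest NAPTR order), then TCP, then UDP.
DNS = {
    "naptr": {"enum.at": [
        Naptr(30, 50, "SIP+D2U", "_sip._udp.enum.at"),
        Naptr(10, 50, "SIPS+D2T", "_sips._tcp.enum.at"),
        Naptr(20, 50, "SIP+D2T", "_sip._tcp.enum.at"),
    ]},
    "srv": {
        "_sips._tcp.enum.at": [Srv(10, 60, 5061, "sip1.enum.at"),
                               Srv(10, 40, 5061, "sip2.enum.at"),
                               Srv(20, 0, 5061, "backup.enum.at")],
        "_sip._tcp.enum.at": [Srv(10, 100, 5060, "sip1.enum.at")],
        "_sip._udp.enum.at": [Srv(10, 100, 5060, "sip1.enum.at")],
    },
    "a": {"sip1.enum.at": ["192.0.2.10"], "sip2.enum.at": ["192.0.2.11"],
          "backup.enum.at": ["192.0.2.20"]},
}


def parse_uri(uri):
    """Return (scheme, host, port-or-None) for a sip:/sips: URI."""
    scheme, _, rest = uri.partition(":")
    if scheme not in ("sip", "sips"):
        raise ValueError("not a SIP URI: %r" % uri)
    hostport = rest.split("@")[-1].split(";")[0]   # drop user part and URI params
    host, _, port = hostport.partition(":")
    return scheme, host.lower(), (int(port) if port else None)


def order_srv(records, rng):
    """Lowest priority first; weighted random order within a priority (RFC 2782)."""
    ordered = []
    for prio in sorted({r.priority for r in records}):
        pool = [r for r in records if r.priority == prio]
        while pool:
            point = rng.randint(0, sum(r.weight for r in pool))
            acc = 0
            for r in pool:
                acc += r.weight
                if acc >= point:        # always true for the last record in the pool
                    ordered.append(r)
                    pool.remove(r)
                    break
    return ordered


def resolve(uri, dns=DNS, supported=("tls", "tcp", "udp"), seed=0):
    """Return an ordered list of (transport, ip, port) targets for the URI.

    A sips: URI is restricted to TLS.  A plain sip: URI may still land on TLS
    when the far domain lists SIPS+D2T with the lowest NAPTR order, which is
    the situation discussed in the thread.
    """
    scheme, host, port = parse_uri(uri)
    rng = random.Random(seed)
    default = "tls" if scheme == "sips" else "udp"
    if port is not None:
        # Explicit port: RFC 3263 skips NAPTR/SRV and does a plain A lookup.
        return [(default, ip, port) for ip in dns["a"].get(host, [])]
    allowed = {"tls"} if scheme == "sips" else set(supported)
    naptrs = [n for n in dns["naptr"].get(host, [])
              if SERVICE_TO_TRANSPORT.get(n.service) in allowed]
    targets = []
    for n in sorted(naptrs, key=lambda n: (n.order, n.preference)):
        transport = SERVICE_TO_TRANSPORT[n.service]
        for s in order_srv(dns["srv"].get(n.replacement, []), rng):
            targets.extend((transport, ip, s.port) for ip in dns["a"].get(s.target, []))
    if not targets:
        # No usable NAPTR/SRV: A lookup on the domain itself with the default port.
        targets = [(default, ip, 5061 if default == "tls" else 5060)
                   for ip in dns["a"].get(host, [])]
    return targets


if __name__ == "__main__":
    for uri in ("sip:klaus@enum.at", "sips:klaus@enum.at"):
        print(uri, "->", resolve(uri))
```

The returned list already carries the transport for each target, so the question raised above about which certificate to present is a separate lookup that would sit between `resolve()` and the TCP connect: the sending proxy knows the caller's domain from the From/Request-URI and would pick that domain's TLS "profile" (certificate and key) before initiating the handshake; that selection is not part of this example.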