[Devel] naptr and tls based routing

Daniel-Constantin Mierla daniel at voice-system.ro
Wed Sep 28 12:24:17 CEST 2005


Hello,

I have changed the subject to be more suggestive (It was: Re: [Devel] 
Re: [Board] version number for next release).

On 09/28/05 13:10, Klaus Darilion wrote:

> Adrian Georgescu wrote:
>
>> Lets imagine I call from sip:ag at ag-projects.com to sip:klaus at enum.at
>>
>> I imagine the following scenario would take place:
>>
>> 1. NAPTR record lookup to deduce the transport for the enum.at domain
>> 2. Let's say enum.at has TLS as the preferred protocol, so my proxy
>> rewrites the URI to sips:klaus at enum.at and subsequently looks up SRV
>> _sips._tcp.enum.at
>
>
> No. I think the proxy must not change the URI scheme, as this would
> require TLS end-to-end, and we only want TLS between the proxies. Thus
> the URI is still sip:klaus at enum.at, but the proxy will use SRV
> _sips._tcp.enum.at

If I am not wrong, the RFC states that a request with a sips URI can
be forwarded over non-TLS on the last hop, if the server considers that
a safe environment.

Anyhow, for interdomain TLS communication, what Klaus says seems logical
to me.

Cheers,
Daniel

>
>
> regards
> klaus
>
>> 3. I look up the A record for what I have chosen from the SRV record set
>> 4. I make a TCP connection to the remote IP:port and start negotiating TLS
>>
>> What certificate will my own server use? While the destination must
>> first set up a connection to see any user information, it can only
>> offer the standard certificate of that server; but my sending proxy
>> knows which certificate to use (because it knows the domain of the
>> caller) when initiating the TLS.
>>
>> So the real question is: how can we make the proxy select a
>> custom certificate when dialing out?
>>
>> Cesc, do you have a better insight on this?
>>
>> Regards,
>> Adrian
>>
>> On Sep 27, 2005, at 2:54 PM, Klaus Darilion wrote:
>>
>>
>>> Adrian Georgescu wrote:
>>>
>>>
>>>> Hi everybody,
>>>> I am personally very interested in developing security related
>>>> features for OpenSER. I plan to move to OpenSER in November, we
>>>> are still running 8.14 in production, and enable TLS for inter-
>>>> domain routing right away.
>>>> I think all of us have a SIP server that can be used to create a
>>>> mesh for TLS enabled domains so that we can get some real
>>>> experiences and produce a best practices document based on it.
>>>> My requirements at this initial stage are:
>>>> 1. Investigate how TLS can be used in a multi-domain environment
>>>>
>>>
>>> Is this possible at all? A workaround would be a dedicated IP
>>> address per domain and a dedicated openser process for each IP
>>> address with the corresponding certificate.
>>>
>>> klaus
>>>
>>>> 2. As TLS is on a hop by hop basis I would like to have proper
>>>> DNS lookups to change the transport based on destination domain
>>>> I see a major impact on performance by using TLS to the UA side
>>>> because of the use of TCP and the certificate negotiation, I am
>>>> wondering what we will bump into once we start using TLS.
>>>> Regards,
>>>> Adrian
>>>
>>
>>
>>
>>
>> _______________________________________________
>> Devel mailing list
>> Devel at openser.org
>> http://openser.org/cgi-bin/mailman/listinfo/devel
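The NAPTR -> SRV -> A procedure that Adrian sketches (steps 1 to 4) and Klaus's point that the request URI keeps its sip: scheme while the next hop is reached over TLS, as an added worked example. This is not OpenSER code and not something from the thread; it implements the RFC 3263 selection rules over DNS zone data that is constructed inline (the enum.at and ag-projects.com records, host names and 192.0.2.x / 198.51.100.x addresses are all made up), so it runs offline. The `rng` parameter exists only so the weighted SRV choice can be made deterministic.

```python
"""Transport and next-hop selection for a SIP request URI in the RFC 3263 style.

Added example for the NAPTR -> SRV -> A discussion in the thread; not OpenSER
code. All DNS data below is constructed for the example; swap the three lookup
tables for real queries to use it.
"""
import random
from dataclasses import dataclass, field
from typing import Callable, List, Tuple

# Constructed NAPTR data: name -> [(order, preference, service, replacement)]
NAPTR = {
    "enum.at": [
        (90, 50, "SIP+D2T", "_sip._tcp.enum.at"),
        (50, 50, "SIPS+D2T", "_sips._tcp.enum.at"),   # lowest order: TLS preferred
        (100, 50, "SIP+D2U", "_sip._udp.enum.at"),
    ],
}
# Constructed SRV data: name -> [(priority, weight, port, target)]
SRV = {
    "_sips._tcp.enum.at": [
        (10, 60, 5061, "tls1.enum.at"),
        (10, 40, 5061, "tls2.enum.at"),
        (20, 0, 5061, "tlsbackup.enum.at"),
    ],
    "_sip._udp.ag-projects.com": [(0, 0, 5060, "sip.ag-projects.com")],
}
# Constructed A data: host -> [IPv4 address]
A = {
    "enum.at": ["192.0.2.1"],
    "tls1.enum.at": ["192.0.2.10"],
    "tls2.enum.at": ["192.0.2.11"],
    "tlsbackup.enum.at": ["192.0.2.12"],
    "sip.ag-projects.com": ["198.51.100.5"],
}

# NAPTR service field -> transport (RFC 3263 section 4.1)
SERVICE_TRANSPORT = {"SIPS+D2T": "tls", "SIP+D2T": "tcp", "SIP+D2U": "udp", "SIP+D2S": "sctp"}
# transport -> SRV prefix to try when a domain publishes no NAPTR records
SRV_PREFIX = {"tls": "_sips._tcp", "tcp": "_sip._tcp", "udp": "_sip._udp", "sctp": "_sip._sctp"}


@dataclass
class Route:
    uri: str          # request URI, deliberately left untouched (no sip: -> sips: rewrite)
    transport: str    # transport chosen for the next hop only
    targets: List[Tuple[str, int]] = field(default_factory=list)   # (ip, port), in try order


def _ordered_srv(name: str, rng: Callable[[], float]) -> List[Tuple[str, int]]:
    """Order SRV targets: ascending priority, weighted random within a priority (RFC 2782)."""
    remaining = sorted(SRV.get(name, []), key=lambda r: (r[0], r[1] != 0))  # zero weights first
    ordered = []
    while remaining:
        group = [r for r in remaining if r[0] == remaining[0][0]]
        threshold = rng() * sum(r[1] for r in group)
        running = 0
        chosen = group[0]
        for rec in group:           # first record whose running weight sum reaches the threshold
            running += rec[1]
            if running >= threshold:
                chosen = rec
                break
        ordered.append((chosen[3], chosen[2]))
        remaining.remove(chosen)
    return ordered


def _addresses(targets: List[Tuple[str, int]]) -> List[Tuple[str, int]]:
    """Step 3: A lookup for every selected SRV target, keeping the SRV order."""
    return [(ip, port) for host, port in targets for ip in A.get(host, [])]


def resolve(uri: str, supported=("tls", "tcp", "udp"),
            rng: Callable[[], float] = random.random) -> Route:
    """Pick transport and ordered (ip, port) targets for a SIP/SIPS request URI."""
    scheme, rest = uri.split(":", 1)
    host = rest.split("@")[-1].split(";")[0]
    default_transport = "tls" if scheme == "sips" else "udp"
    if ":" in host:                                  # explicit port: skip NAPTR and SRV
        host, port = host.rsplit(":", 1)
        return Route(uri, default_transport, [(ip, int(port)) for ip in A.get(host, [])])
    # Step 1: NAPTR, keeping only services we speak; a sips URI may only use SIPS+D2T
    candidates = [r for r in NAPTR.get(host, [])
                  if r[2] in SERVICE_TRANSPORT and SERVICE_TRANSPORT[r[2]] in supported
                  and (scheme != "sips" or r[2] == "SIPS+D2T")]
    candidates.sort(key=lambda r: (r[0], r[1]))      # lowest order, then lowest preference
    for _, _, service, replacement in candidates:    # Step 2: SRV on the NAPTR replacement
        targets = _ordered_srv(replacement, rng)
        if targets:
            return Route(uri, SERVICE_TRANSPORT[service], _addresses(targets))
    # No usable NAPTR: try an SRV query per supported transport, in preference order
    for transport in supported:
        if scheme == "sips" and transport != "tls":
            continue
        targets = _ordered_srv(f"{SRV_PREFIX[transport]}.{host}", rng)
        if targets:
            return Route(uri, transport, _addresses(targets))
    # No SRV either: plain A lookup on the default port for the default transport
    port = 5061 if default_transport == "tls" else 5060
    return Route(uri, default_transport, [(ip, port) for ip in A.get(host, [])])


if __name__ == "__main__":
    for u in ("sip:klaus@enum.at", "sips:klaus@enum.at", "sip:ag@ag-projects.com"):
        print(resolve(u))
```

Running it with the constructed zone data shows the point of the thread: `sip:klaus@enum.at` resolves to transport `tls` on the `_sips._tcp.enum.at` hosts while the returned URI is still `sip:klaus@enum.at`; only the hop to enum.at is protected, and the scheme is not promoted to sips:. The ag-projects.com domain publishes no NAPTR, so the code falls through to per-transport SRV and ends up on UDP; dropping TLS from `supported` for enum.at falls all the way to the bare A record on port 5060.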