[Devel] Re: TLS and multidomain

Adrian Georgescu ag at ag-projects.com
Wed Sep 28 12:25:09 CEST 2005


In a multi-domain environment you would like to use only one ip:port and serve multiple domains. Serve means you can do authorization for Register messages and you can apply different rules for callers in different domains. It is the same as a web server, where you can serve multiple websites with one IP alone.

The problem is that if you use SSL you must establish the connection first, and only after the TLS negotiation takes place may you inspect the content of the SIP message to extract the domain. This is also valid for SSL websites: you must use one ip:port combination per common name. So I deduce that a remote server may use only a default cert per ip:port when a session comes.

But my SENDING proxy should be able to select the certificate based on the calling user when calling out of my proxy, if a certificate for the @domain part is available.

Regards,
Adrian


> 3. I look up the A record for what I have chosen from the SRV record set
> 4. I make a tcp connect to remote IP:port and start negotiating TLS
>
> What certificate will my own server use? While the destination must
> first set up a connection to see any user information it can only
> offer the standard certificate of that server but my sending proxy
> knows which certificate to use (because it knows the domain of the
> caller) when initiating the TLS.
>
> So the real question is how can we make the proxy select a custom
> certificate when dialing out?
>
> Cesc, do you have a better insight on this?
> As it is now, the tls code allows you to set up various domains, each
> with its own config.
> But these domains are linked to IP:port. As you probably do not want
> to have an IP:port tuple for each possible domain you need to dial out
> to ... yes, some better feature may be needed, which allows the
> "profile" to be changed more on the fly when dialing out.
> Note: I have not tested the domains ... but inspecting the code,
> they seem right. ;)
>
> Let me ask a thing ... when you set up a ser serving multiple
> domains, do you set one ip:port per domain, or does each domain have
> its pair (ip:port1, ip:port2, ... )? This is very naive, I know, but
> I am not into the provider business ... we run a single domain system
> here :)
>
> Regards,
>
> Cesc
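The outbound selection discussed in this thread, as an added example that is not part of the thread or of the ser tls code: a small Python client that picks the certificate profile from the domain of the caller's From header and falls back to the default profile tied to the listening ip:port. The profile table, the file paths and the SIP messages are constructed placeholders.

```python
import re
import socket
import ssl
from typing import Dict, Optional, Tuple

Profile = Tuple[str, str]  # (certificate chain file, private key file)

# Constructed placeholders: the default profile is the one tied to the proxy's
# listening ip:port; the table maps each served domain to its own cert/key pair.
DEFAULT_PROFILE: Profile = ("/path/to/default-cert.pem", "/path/to/default-key.pem")
DOMAIN_PROFILES: Dict[str, Profile] = {
    "example.com": ("/path/to/example.com-cert.pem", "/path/to/example.com-key.pem"),
    "voip.example.net": ("/path/to/voip-cert.pem", "/path/to/voip-key.pem"),
}

# Matches the From header, including its compact form "f:", case-insensitively.
_FROM_RE = re.compile(r"^(?:From|f)\s*:\s*(.*)$", re.IGNORECASE | re.MULTILINE)


def caller_domain(sip_message: str) -> Optional[str]:
    """Return the lowercased host of the From URI, or None if there is no From header."""
    match = _FROM_RE.search(sip_message)
    if not match:
        return None
    value = match.group(1)
    # Prefer the <uri> form; a bare URI ends at the first header parameter.
    angle = re.search(r"<([^>]*)>", value)
    uri = angle.group(1) if angle else value.split(";")[0].strip()
    host = uri.split("@")[-1]                                  # user@host... -> host...
    host = re.sub(r"^sips?:", "", host, flags=re.IGNORECASE)  # sip:host form (no user part)
    host = host.split(";")[0].strip()                          # drop URI parameters
    if host.startswith("["):                                   # IPv6 literal, e.g. [::1]:5061
        host = host[1:host.find("]")]
    else:
        host = host.split(":")[0]                              # drop the port
    return host.lower() or None


def select_profile(sip_message: str, profiles: Dict[str, Profile] = DOMAIN_PROFILES,
                   default: Profile = DEFAULT_PROFILE) -> Profile:
    """Pick the cert/key pair for the caller's domain; unknown or missing domain -> default."""
    domain = caller_domain(sip_message)
    return profiles.get(domain, default) if domain else default


def dial_out(host: str, port: int, sip_message: str) -> ssl.SSLSocket:
    """Open the outbound TLS connection, presenting the selected certificate as client cert."""
    certfile, keyfile = select_profile(sip_message)
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    ctx.load_cert_chain(certfile=certfile, keyfile=keyfile)
    raw = socket.create_connection((host, port))
    return ctx.wrap_socket(raw, server_hostname=host)
```

The choice only affects the certificate the proxy presents as a client; the remote side still answers with whatever is bound to its ip:port, exactly as described above.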
