[Devel] Re: TLS and multidomain

Cesc cesc.santa at gmail.com
Wed Sep 28 14:34:45 CEST 2005


On 9/28/05, Klaus Darilion <klaus.mailinglists at pernau.at> wrote:
>
> > This is also valid for
> > SSL websites, you must use one ip:port combination per common name. So I
> > deduce that a remote server may use only a default cert per ip:port when
> > a session comes.
> >
> > But my SENDING proxy should be able to select the certificate based on
> > the calling user when calling out of my proxy, if a certificate for the
> > @domain part is available.
>
> If you want to allow incoming TLS you need an IP:port for each domain.
> Thus, for outgoing the same IP:port should be used, together with the
> corresponding certificate.
>
> klaus
>
So, what is missing in the current tls code is a way to set outgoing domains
... I think that it is workable ...
A setup would be:
- For incoming calls, on port 5060, set a default certificate for all
domains being served.
- For each domain, set up a profile (as currently available), each with its
own certificate, ciphers, configuration, etc. ... on an IP:portX ...
Then, outgoing traffic should be routed to its appropriate tls-domain (that
is, sent from IP:portX). Of course this IP:port is also available for
incoming traffic, though only for that specific domain ...
- If you don't want to have so many different ports open for
sending/listening, then this "tool" to select the outgoing tls-profile would
come in handy ...
Right?
Cesc