[Devel] [ openser-Patches-1464264 ] support for TLS client domains
(name based and socket based)
SourceForge.net
noreply at sourceforge.net
Wed Apr 26 20:27:33 CEST 2006
Patches item #1464264, was opened at 2006-04-04 16:47
Message generated for change (Comment added) made by klaus_darilion
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=743022&aid=1464264&group_id=139143
Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.
Category: core
Group: ver devel
>Status: Closed
>Resolution: Out of Date
Priority: 5
Submitted By: Klaus Darilion (klaus_darilion)
Assigned to: Nobody/Anonymous (nobody)
Summary: support for TLS client domains (name based and socket based)
Initial Comment:
_________________________________________________________
1.6.12. tls_client_domain_avp=number
This sets the interger AVP used for name based TLS
server
domains (please see tls_client_domain for more details).
Setting the value to 0 disables name based TLS
client domains.
It's usable only if TLS support was compiled.
Default value is 0.
Example 1-12. Set tls_client_domain_avp variable
...
tls_client_domain_avp=400 # only integer named AVPs
are supported
...
_________________________________________________________
If you only run one domain, the main one is enough.
If you are
running several TLS servers (that is, you have more
than one
listen=tls:ip:port entry in the config file), you
can specify
some parameters for each of them separately (not all the
above).
The wording 'TLS domain' means that this TLS
connection will
have different parameters than another TLS
connection (from
another TLS domain). Thus, TLS domains must are not
directly
related to different SIP domains, although they are
often used
in common. Depending on the direction of the TLS
handshake, a
TLS domain is called 'client domain' (=outgouing TLS
connection) or 'server domain' (= incoming TLS
connection).
For example, TLS domains can be used in virtual hosting
scenarios with TLS. OpenSER offers SIP service for
multiple
domains, e.g. atlanta.com and biloxi.com. Altough
both domains
will be hosted a single SIP proxy, the SIP proxy needs 2
certificates: One for atlanta.com and one for
biloxi.com. For
incoming TLS connections, the SIP proxy has to
present the
respective certificate during the TLS handshake. As
the SIP
proxy does not have received a SIP message yet (this
is done
after the TLS handshake), the SIP proxy can not
retrieve the
target domain (which will be usually retrieved from
the domain
in the request URI). Thus, distinction for these
domains must
be done by using multiple sockets. The socket on
which the TLS
connection is received, identifies the respective
domain. Thus
the SIP proxy is able to present the proper certificate.
For outgoing TLS connections, the SIP proxy usually
has to
provide a client certificate. In this scenario,
socket based
distinction is not possible as there is no dedicated
outgoing
socket. Thus, the certificate selection (selection
of the
proper TLS client domain) will be name based. For this
purpose, TLS client domains can be associated with a
name
(e.g. the domain can be used as name). If the SIP proxy
establishes a new outgoing TLS connection, it checks
for the
TLS client domain AVP (parameter
tls_client_domain_avp). If
this AVP is set (e.g. in OpenSER.cfg), OpenSER
searches for a
TLS client domain with the same name and uses the
certificates
defined in the respective tls_client_domain section.
TLS client domains can also be socket based. If name
based
domains are disabled or no name based AVP is found,
OpenSER
searches for socket based TLS client domains. In
this case the
mapping between to the TLS client domain is done
based on the
destination socket of the underlying outgoing TCP
connection.
Note: If there is already an existing TLS connection
to the
remote target, it will be reused wether the TLS
client domain
AVP matches or not.
...
listen=tls:IP_2:port2
listen=tls:IP_3:port4
...
# set the TLS client domain AVP
tls_client_domain_avp = 400
...
# socket based TLS server domains (for virtual SIPS
hosting)
tls_server_domain[IP_2:port2] {
#specify parameters for a domain in particular,
otherwise,
#it will use the default. These are the possible
parameters to
#change for each domain
tls_certificate = "/certs/atlanta.com/cert.pem"
tls_private_key = "/certs/atlanta.com/privkey.pem"
tls_ca_list = "/certs/wellknownCAs"
tls_method=tlsv1
}
tls_server_domain[IP_3:port3] {
tls_certificate = "/certs/biloxy.com/cert.pem"
tls_private_key = "/certs/biloxy.com/privkey.pem"
tls_ca_list = "/certs/wellknownCAs"
tls_method=tlsv1
}
# name based TLS client domains (for virtual SIPS hosting)
tls_client_domain["atlanta.com"] {
tls_certificate = "/certs/atlanta.com/cert.pem"
tls_private_key = "/certs/atlanta.com/privkey.pem"
tls_ca_list = "/certs/wellknownCAs"
tls_method=tlsv1
}
tls_client_domain["biloxi.com"] {
tls_certificate = "/certs/biloxy.com/cert.pem"
tls_private_key = "/certs/biloxy.com/privkey.pem"
tls_ca_list = "/certs/wellknownCAs"
tls_method=tlsv1
}
# socket based TLS server domains (for TLS based
downstream from GW pro
vider)
tls_client_domain[IP_5:port5] {
tls_certificate = "/certs/local/cert.pem"
tls_private_key = "/certs/local/privkey.pem"
tls_ca_list = "/certs/GWproviderSelfSignedCA"
tls_method=tlsv1
}
# socket based TLS client domains (for TLS based
upstream to GW provide
r)
# GW IP: 1.2.3.4, GW port: 6677
tls_client_domain[1.2.3.4:6677] {
tls_certificate = "/certs/local/cert.pem"
tls_private_key = "/certs/local/privkey.pem"
tls_ca_list = "/certs/GWproviderSelfSignedCA"
tls_method=tlsv1
}
...
route{
...
# calls to other SIP domains
# set the proper SSL context (certificate) for
local hosted domains
avp_write("$fd","$avp(i:400)");
t_relay(); # uses NAPTR and SRV lookups
exit;
...
# calls to the PSTN GW
t_relay("tls:1.2.3.4:6677");
exit;
...
_________________________________________________________
----------------------------------------------------------------------
>Comment By: Klaus Darilion (klaus_darilion)
Date: 2006-04-26 20:27
Message:
Logged In: YES
user_id=1318360
a new patch is on the way ...
----------------------------------------------------------------------
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=743022&aid=1464264&group_id=139143
More information about the Devel
mailing list