[Devel] TLS question
Klaus Darilion
klaus.mailinglists at pernau.at
Wed Jan 25 17:59:26 CET 2006
Hi!
Currently, verify_tls=1 will be used for both validating clients
(incoming TLS connections) and servers (outgoing TLS connections).
I want to split this having verify_tls_client and verify_tls_server to
for example require client authentication for incoming TLS sessions, but
allow outgoing TLS connections with certificate validation. I think this
is easily doable by using 2 different SSL_CTX structures: one for
outgoing TLS connections and one for incoming TLS connections.
But this raises another problem: an outgoing TLS connection can then be
re-used by the other peer to inject SIP messages. But I do want to allow
incoming SIP requests only from authenticated peers. Thus, is it
possible to mark a TLS connection as verified (if the peer was
verified)? Then I want to retrieve this information in the routing
script, e.g.
if (proto==tls) {
    if (has_totag()) {
        ## allow incoming in-dialog requests on outgoing TLS connections
        ...
        break;
    }
    if (tls_peer_verified == 1) {
        # allow incoming SIP requests from verified peer
        ...
    } else {
        # do not allow incoming out-of-dialog requests from
        # unverified peers
        sl_send_reply("403","create new TLSconn for client authentication");
        break;
    }
}
Thus, like having the proto or src_ip available in the routing logic, I
also want to have the verification status available. Can someone give me
some hints how/where to implement this?
thanks
klaus
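As an added illustration (not code from the post or from the SER tls module), here is a small C model of the per-connection "verified" flag and the routing decision the post proposes. The struct and function names are hypothetical; the only real value borrowed from OpenSSL is X509_V_OK.

```c
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical per-connection state, modelled on what the post asks for.
 * X509_V_OK mirrors OpenSSL's value for a clean SSL_get_verify_result(). */
#define X509_V_OK 0L

enum tls_dir { TLS_INCOMING, TLS_OUTGOING };
enum route_action { ROUTE_ACCEPT, ROUTE_REJECT_403 };

struct tls_conn {
    enum tls_dir dir;
    bool peer_verified;   /* set once, right after the handshake */
};

/* Called after SSL_accept()/SSL_connect() succeeds, with the values that
 * SSL_get_verify_result() and SSL_get_peer_certificate() would provide.
 * A result of X509_V_OK alone is not enough: with SSL_VERIFY_PEER but
 * without SSL_VERIFY_FAIL_IF_NO_PEER_CERT, a peer that sends no certificate
 * still yields X509_V_OK, so a presented certificate is required as well. */
void tls_mark_verified(struct tls_conn *c, long verify_result, bool peer_cert_present)
{
    c->peer_verified = (verify_result == X509_V_OK) && peer_cert_present;
}

/* The decision the routing snippet in the post makes for a request that
 * arrived over TLS: in-dialog requests (To-tag present) are accepted on any
 * connection, out-of-dialog requests only from a verified peer. */
enum route_action route_tls_request(const struct tls_conn *c, bool has_totag)
{
    if (has_totag)
        return ROUTE_ACCEPT;      /* in-dialog traffic re-using an outgoing conn */
    if (c->peer_verified)
        return ROUTE_ACCEPT;
    return ROUTE_REJECT_403;      /* peer must open a client-authenticated conn */
}

int main(void)
{
    struct tls_conn in  = { TLS_INCOMING, false };
    struct tls_conn out = { TLS_OUTGOING, false };
    tls_mark_verified(&in, X509_V_OK, true);    /* client cert presented and OK */
    tls_mark_verified(&out, X509_V_OK, false);  /* no cert: must not count */
    printf("incoming out-of-dialog: %s\n",
           route_tls_request(&in, false) == ROUTE_ACCEPT ? "accept" : "403");
    printf("outgoing out-of-dialog: %s\n",
           route_tls_request(&out, false) == ROUTE_ACCEPT ? "accept" : "403");
    return 0;
}
```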