[Devel] TLS ideas

Klaus Darilion klaus.mailinglists at pernau.at
Wed Mar 29 11:54:35 CEST 2006


Daniel-Constantin Mierla wrote:
> Hello,
> 
> On 03/27/06 18:01, Klaus Darilion wrote:
>> Hi!
>>
>> I think one big thing missing in TLS module is outgoing TLS client 
>> domains (having multiple SSL contexts and choose one of these when 
>> creating a new outgoing TLS connection). I think this can be easily 
>> added (maybe reuse some parts of ser's new TLS code). The problem is, 
>> currently the TLS domain is chosen based on the remote IP address.
>>
>> IMO it would be necessary to choose the TLS domain based on some other 
>> identifier to (e.g. an AVP, or the domain in the request URI ...). 
>> Otherwise configuration of outgoing TLS domains won't work in 
>> plug'n'play style.
>>
>> For this, it would be necessary to signal the identifier from the tm 
>> module to the tls module. Thus, the TLS module can select the proper 
>> SSL context for creating a new TLS connection (or reuse an existing 
>> connection).
> As I understand, you need to access the domain part of the destination URI. 
> This is either dst-uri, r-uri or the parameter of the relay functions. 
> The first two are easy to access via pseudo-variables; the last one we have 
> to think about since it is kept as a compiled structure after the fixup 
> function.

I don't know if I understand you correctly. What I want is to pass some data 
to tls_tcpconn_init() in tls_server.c. Thus, it should be possible to 
choose the proper client TLS domain depending on this data.

Currently server TLS domain selection is done based on the incoming 
socket, which can be easily retrieved from the connection structure 
(c->rcv.dst_ip ...).

I want to add TLS client domain selection not based on socket info but 
based on a string identifier (either stored in an AVP or using the 
request URI domain). Thus, is it possible to retrieve the AVPs of the 
transaction which caused the new TCP/TLS connection setup?

Hope I could explain what I want.
regards
klaus

> 
> Cheers,
> Daniel
> 
>>
>> I reviewed the code to implement it but get lost in SEND_BUFFER and 
>> struct cell *t. Can you please give me some hints how this can be done?
>>
>> thanks
>> klaus
>>
>> _______________________________________________
>> Devel mailing list
>> Devel at openser.org
>> http://openser.org/cgi-bin/mailman/listinfo/devel
>>
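The selection logic this thread is asking for, written out as an added example that is not code from OpenSER or from either poster: a small table of client TLS domains keyed by a string identifier, an extractor for the host part of the request URI, and a chooser that tries the AVP value first, then the R-URI host, and only then falls back to the legacy match on the remote IP. The `tls_client_domain` struct, the `domains[]` table and all function names are assumptions for illustration; the real module's `tls_tcpconn_init()` and tls_domain structures are not modeled here, and the certificate paths and addresses are constructed sample data.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Constructed sample of client TLS domains: which certificate/key an
 * outgoing TLS connection should present. Hypothetical struct, not
 * OpenSER's own tls_domain. */
struct tls_client_domain {
    const char *name;      /* identifier matched against an AVP value or the R-URI host */
    const char *dst_ip;    /* legacy selector: remote IP of the connection, or NULL */
    const char *cert_file;
    const char *key_file;
};

static const struct tls_client_domain domains[] = {
    { "carrier-a.example", NULL,         "/etc/ssl/carrier-a.pem", "/etc/ssl/carrier-a.key" },
    { "carrier-b.example", "192.0.2.10", "/etc/ssl/carrier-b.pem", "/etc/ssl/carrier-b.key" },
    { NULL,                "192.0.2.20", "/etc/ssl/ip-only.pem",   "/etc/ssl/ip-only.key"   },
};
#define NDOMAINS (sizeof(domains) / sizeof(domains[0]))

/* Case-insensitive equality, the way DNS names and SIP hosts compare. */
static int str_ieq(const char *a, const char *b)
{
    if (!a || !b) return 0;
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b)) return 0;
    return *a == *b;
}

static int has_prefix_ci(const char *s, const char *prefix)
{
    for (; *prefix; s++, prefix++)
        if (tolower((unsigned char)*s) != tolower((unsigned char)*prefix)) return 0;
    return 1;
}

/* Copy the host part of a sip:/sips: URI into buf. Skips an optional
 * user[:password]@ part, stops at :port, ;params or ?headers, and unwraps
 * an IPv6 reference in brackets. Returns the host length, or -1. */
int sip_uri_host(const char *uri, char *buf, size_t buflen)
{
    const char *p = uri, *at = NULL, *end;
    if (has_prefix_ci(p, "sips:")) p += 5;
    else if (has_prefix_ci(p, "sip:")) p += 4;
    else return -1;
    /* An '@' only separates the user part if it precedes the first ';' or '?'. */
    for (const char *q = p; *q && *q != ';' && *q != '?'; q++)
        if (*q == '@') at = q;
    if (at) p = at + 1;
    if (*p == '[') {
        end = strchr(++p, ']');
        if (!end) return -1;
    } else {
        for (end = p; *end && *end != ':' && *end != ';' && *end != '?'; end++)
            ;
    }
    size_t len = (size_t)(end - p);
    if (len == 0 || len >= buflen) return -1;
    memcpy(buf, p, len);
    buf[len] = '\0';
    return (int)len;
}

/* Convenience check: does the URI's host equal the expected string? */
int sip_uri_host_is(const char *uri, const char *expected)
{
    char host[256];
    return sip_uri_host(uri, host, sizeof host) > 0 && strcmp(host, expected) == 0;
}

/* Choose the client TLS domain for a new outgoing connection.
 * Order: explicit AVP identifier, then R-URI host, then the legacy
 * match on the remote IP. Returns an index into domains[], or -1
 * meaning "use the default SSL context". */
int select_client_domain(const char *avp_id, const char *ruri, const char *dst_ip)
{
    char host[256];
    size_t i;
    if (avp_id && *avp_id)
        for (i = 0; i < NDOMAINS; i++)
            if (str_ieq(domains[i].name, avp_id)) return (int)i;
    if (ruri && sip_uri_host(ruri, host, sizeof host) > 0)
        for (i = 0; i < NDOMAINS; i++)
            if (str_ieq(domains[i].name, host)) return (int)i;
    if (dst_ip)
        for (i = 0; i < NDOMAINS; i++)
            if (domains[i].dst_ip && strcmp(domains[i].dst_ip, dst_ip) == 0) return (int)i;
    return -1;
}

int main(void)
{
    int d = select_client_domain(NULL, "sip:alice@Carrier-A.example:5061;transport=tls", "203.0.113.5");
    printf("selected domain %d (%s)\n", d, d >= 0 ? domains[d].cert_file : "default context");
    return 0;
}
```

The point of the ordering is that the identifier carried with the transaction (AVP or R-URI host) decides which certificate is presented, so a new peer can be added by configuration alone, while a domain configured only by IP still works for callers that set neither.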
