[Devel] TLS ideas
Daniel-Constantin Mierla
daniel at voice-system.ro
Thu Mar 30 17:00:38 CEST 2006
On 03/29/06 12:54, Klaus Darilion wrote:
> Daniel-Constantin Mierla wrote:
>> Hello,
>>
>> On 03/27/06 18:01, Klaus Darilion wrote:
>>> Hi!
>>>
>>> I think one big thing missing in TLS module is outgoing TLS client
>>> domains (having multiple SSL contexts and choose one of these when
>>> creating a new outgoing TLS connection). I think this can be easily
>>> added (maybe reuse some parts of ser's new TLS code). The problem
>>> is, currently the TLS domain is chosen based on the remote IP address.
>>>
>>> IMO it would be necessary to choose the TLS domain based on some
>>> other identifier too (e.g. an AVP, or the domain in the request URI
>>> ...). Otherwise configuration of outgoing TLS domains won't work in
>>> plug'n'play style.
>>>
>>> For this, it would be necessary to signal the identifier from the tm
>>> module to the tls module. Thus, the TLS module can select the proper
>>> SSL context for creating a new TLS connection (or reuse an existing
>>> connection)
>> as I understand, you need to access the domain part of destination
>> URI. This is either dst-uri, r-uri or the parameter of the relay
>> functions. First two are easy to access via pseudo-variables, the
>> last one we have to think about since it is kept in as a compiled
>> structure after fixup function.
>
> Don't know if I understand you correctly. What I want is to pass some
> data to tls_tcpconn_init() in tls_server.c. Thus, it should be
> possible to choose the proper client TLS domain depending on this data.
>
> Currently server TLS domain selection is done based on the incoming
> socket, which can be easily retrieved from the connection structure (
> c->rcv.dst_ip ...)
>
> I want to add TLS client domain selection not based on socket info but
> based on a string identifier (either stored in an AVP or using the
> request URI domain). Thus, is it possible to retrieve the AVPs of the
> transaction which caused the new TCP/TLS connection setup?
Yes, you can access the AVPs from anywhere; they are stored in openser
core and it should be the same process which caused the new TCP/TLS
connection setup.
Cheers,
Daniel
>
> Hope I could explain what I want.
> regards
> klaus
>
>>
>> Cheers,
>> Daniel
>>
>>>
>>> I reviewed the code to implement it but get lost in SEND_BUFFER and
>>> struct cell *t. Can you please give me some hints how this can be done?
>>>
>>> thanks
>>> klaus
>>>
>>> _______________________________________________
>>> Devel mailing list
>>> Devel at openser.org
>>> http://openser.org/cgi-bin/mailman/listinfo/devel
>>>
>
>
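The selection scheme discussed in this thread, choosing the outgoing TLS client domain by a string identifier (the request-URI host or an AVP value) and only falling back to the remote-IP match that the module uses today, modelled as a stand-alone C program. This is an added illustration, not code from openser's tls module: `struct tls_domain`, the `client_domains` table with its placeholder certificate paths, `uri_host` and `select_client_domain` are all constructed for this example.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Hypothetical model of a TLS client domain (the configuration one SSL
 * context would be built from). Constructed for this example; it is not
 * the tls module's own structure. */
struct tls_domain {
    const char *name;      /* string identifier: AVP value or request-URI host */
    const char *peer_ip;   /* remote IP for the legacy address-based match, or NULL */
    const char *cert_file; /* certificate the SSL context would load */
    int verify_peer;       /* whether the server certificate must verify */
};

/* Constructed sample table; entry 0 is the fallback. Paths are placeholders. */
static const struct tls_domain client_domains[] = {
    { "default",             NULL,         "/path/to/default.pem", 0 },
    { "sip.example.org",     "192.0.2.10", "/path/to/example.pem", 1 },
    { "partner.example.net", NULL,         "/path/to/partner.pem", 1 },
};
#define N_DOMAINS (sizeof(client_domains) / sizeof(client_domains[0]))

/* Copy the host part of a sip:/sips: URI into out. Returns 1 on success,
 * 0 for a malformed or unsupported URI. Skips an optional user@ part,
 * stops at a port, parameter or header, and accepts a bracketed IPv6 host. */
int uri_host(const char *uri, char *out, size_t outlen)
{
    const char *p, *at, *sep, *end;
    size_t n;

    if (strncmp(uri, "sips:", 5) == 0)     p = uri + 5;
    else if (strncmp(uri, "sip:", 4) == 0) p = uri + 4;
    else return 0;

    /* an '@' only delimits a user part if it appears before any ';' or '?' */
    at = strchr(p, '@');
    sep = strpbrk(p, ";?");
    if (at && sep && sep < at) at = NULL;
    if (at) p = at + 1;

    if (*p == '[') {                       /* bracketed IPv6 literal */
        p++;
        end = strchr(p, ']');
        if (!end) return 0;
    } else {
        end = p + strcspn(p, ":;?");
    }
    n = (size_t)(end - p);
    if (n == 0 || n >= outlen) return 0;
    memcpy(out, p, n);
    out[n] = '\0';
    return 1;
}

/* Convenience check: does uri's host equal expected? */
int uri_host_equals(const char *uri, const char *expected)
{
    char buf[128];
    return uri_host(uri, buf, sizeof buf) && strcmp(buf, expected) == 0;
}

/* Select the client domain: identifier first (the proposal in the thread),
 * then the legacy remote-IP match, then the default entry. */
const struct tls_domain *select_client_domain(const char *id, const char *dst_ip)
{
    size_t i;
    if (id) {
        for (i = 0; i < N_DOMAINS; i++)
            if (strcmp(client_domains[i].name, id) == 0)
                return &client_domains[i];
    }
    if (dst_ip) {
        for (i = 0; i < N_DOMAINS; i++)
            if (client_domains[i].peer_ip && strcmp(client_domains[i].peer_ip, dst_ip) == 0)
                return &client_domains[i];
    }
    return &client_domains[0];
}

int main(void)
{
    char host[64];
    const struct tls_domain *d;

    /* identifier taken from the request URI wins over the destination IP */
    if (uri_host("sip:alice@partner.example.net:5061;transport=tls", host, sizeof host)) {
        d = select_client_domain(host, "198.51.100.7");
        printf("host=%s -> domain=%s cert=%s verify=%d\n",
               host, d->name, d->cert_file, d->verify_peer);
    }
    /* no identifier available: fall back to the remote-IP match */
    d = select_client_domain(NULL, "192.0.2.10");
    printf("no id, ip match -> %s\n", d->name);
    return 0;
}
```

The order in `select_client_domain` is the point: a caller that has the transaction's AVP or request-URI host passes it as `id`, and a caller that only has the connection's destination address still gets the old behaviour, so the two selection styles can coexist while the identifier plumbing from tm to tls is being added.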