[OpenSER-Devel] [ openser-Patches-2007478 ] TLS server_name extension

SourceForge.net noreply at sourceforge.net
Tue Jul 1 10:01:51 CEST 2008


Patches item #2007478, was opened at 2008-07-01 07:55
Message generated for change (Comment added) made by nobody
You can respond by visiting: 
https://sourceforge.net/tracker/?func=detail&atid=743022&aid=2007478&group_id=139143

Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.
Category: core
Group: None
Status: Open
Resolution: None
Priority: 5
Private: No
Submitted By: Klaus Darilion (klaus_darilion)
Assigned to: Nobody/Anonymous (nobody)
Summary: TLS server_name extension

Initial Comment:
Hi!

The attached patch adds the TLS server_name extension to Openser (something for 1.5). In short:

outgoing TLS requests: configure the tls_server_name_avp and set it in the script to the requested domain.

incoming TLS requests: configure multiple TLS client domains like before, but this time use the same IP:port and specify the domain with the new "tls_server_name" directive. Then, if the incoming TLS request has a server_name and a matching client domain is found, the SSL_CTX context for the incoming SSL connection will be switched.

Documentation and tlsops module was extended too.

It would be great if someone could review the patch. For configuration of the server_name AVP I still use the old syntax, e.g.:
  tls_server_name_avp=400
Using the new syntax, e.g. tls_server_name_avp=avp{i:400}, would be better, but unfortunately I did not understand how to do this. Maybe someone with more PV experience could change this.

regards
klaus
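
As an added illustration (not part of Klaus's patch or of OpenSER's code), the following Python model mirrors the two halves of the mechanism described above: on the listening side, a per-socket table of TLS domains keyed by server_name and a callback in the shape of Python's ssl.SSLContext.sni_callback that swaps the connection's context, which is the Python equivalent of the SSL_CTX switch the patch performs; on the outgoing side, a validator for the tls_server_name_avp value before it is sent as SNI. All names (TlsDomain, build_dispatch, select_context, make_sni_callback, outgoing_sni, _FakeSSLObject), the 192.0.2.1:5061 socket and the domain names are constructed for this example. It also makes explicit two checks the post does not spell out: an absent or unknown server_name falls back to the socket's default domain, and IP literals are never sent as SNI (RFC 6066 forbids them).

```python
"""Constructed model of SNI-based SSL context selection for a SIP TLS listener.

Not OpenSER code: it mirrors the behaviour described in the patch summary using
Python's ssl module types so the dispatch logic can be exercised offline.
"""
import ipaddress
import ssl
from dataclasses import dataclass
from typing import Optional


@dataclass
class TlsDomain:
    """One configured TLS domain (hypothetical stand-in for an OpenSER tls domain)."""
    ip: str
    port: int
    server_name: Optional[str]   # None marks the socket's default domain
    ctx: ssl.SSLContext          # the SSL_CTX that would be switched to


def _norm(name: str) -> str:
    """SNI names compare case-insensitively and carry no trailing dot."""
    return name.strip().rstrip(".").lower()


def build_dispatch(domains):
    """Index domains as {(ip, port): {normalised server_name: ctx}}.

    Two domains on one socket with the same (or both no) server_name would be
    ambiguous, so that is rejected at configuration time.
    """
    table = {}
    for d in domains:
        per_socket = table.setdefault((d.ip, d.port), {})
        key = _norm(d.server_name) if d.server_name else None
        if key in per_socket:
            raise ValueError(f"duplicate TLS domain {d.ip}:{d.port} server_name={d.server_name!r}")
        per_socket[key] = d.ctx
    return table


def select_context(table, ip: str, port: int, server_name: Optional[str]):
    """Return (ctx, reason) for an accepted connection on ip:port.

    A matching server_name selects that domain's context; no SNI or an unknown
    name keeps the socket's default domain.
    """
    per_socket = table.get((ip, port))
    if per_socket is None:
        return None, "no TLS domain configured on this socket"
    if not server_name:
        return per_socket.get(None), "no server_name: default domain"
    ctx = per_socket.get(_norm(server_name))
    if ctx is not None:
        return ctx, "server_name matched"
    return per_socket.get(None), "unknown server_name: default domain"


def make_sni_callback(table, ip: str, port: int):
    """Build a callable with the signature of ssl.SSLContext.sni_callback.

    Python invokes it as cb(sslobj, server_name, sslcontext) during the
    handshake; assigning sslobj.context is the equivalent of the SSL_CTX switch.
    Returning None lets the handshake continue.
    """
    def callback(sslobj, server_name, sslcontext):
        ctx, _ = select_context(table, ip, port, server_name)
        if ctx is not None and ctx is not sslcontext:
            sslobj.context = ctx
        return None
    return callback


def outgoing_sni(avp_value: Optional[str]) -> Optional[str]:
    """Validate a tls_server_name_avp value before it is sent as SNI.

    RFC 6066 allows only ASCII DNS host names without a trailing dot and
    forbids IP literals; anything else yields None (send no server_name).
    """
    if not avp_value:
        return None
    name = _norm(avp_value)
    if not name or not name.isascii() or len(name) > 253:
        return None
    try:
        ipaddress.ip_address(name.strip("[]"))
        return None          # IPv4/IPv6 literal: not a valid SNI host name
    except ValueError:
        return name


class _FakeSSLObject:
    """Constructed stand-in for ssl.SSLObject, exposing only .context."""
    def __init__(self, ctx):
        self.context = ctx


def demo():
    """Constructed scenario: one socket, two domains, three ClientHello variants."""
    default_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    example_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    table = build_dispatch([
        TlsDomain("192.0.2.1", 5061, None, default_ctx),
        TlsDomain("192.0.2.1", 5061, "sip.example.com", example_ctx),
    ])
    callback = make_sni_callback(table, "192.0.2.1", 5061)
    outcome = {}
    for sni in (None, "SIP.Example.COM.", "other.invalid"):
        conn = _FakeSSLObject(default_ctx)
        callback(conn, sni, default_ctx)
        outcome[sni] = "example" if conn.context is example_ctx else "default"
    return outcome


if __name__ == "__main__":
    print(demo())
    print(outgoing_sni("sip.example.com."), outgoing_sni("192.0.2.5"))
```

In a real listener the callback would be installed with `ctx.sni_callback = make_sni_callback(table, ip, port)` on the default context of that socket; the constructed contexts here carry no certificates, so only the selection logic is exercised, not a handshake.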

----------------------------------------------------------------------

Comment By: Nobody/Anonymous (nobody)
Date: 2008-07-01 08:01

Message:
Logged In: NO 

Some more comments: To use this feature, Openser needs an openSSL library
with TLS extensions enabled. Recent openSSL version 0.9.8h supports TLS
extensions, but they are not enabled by default. You have to configure
openSSL with "./configure --enable-tlsext" and build it yourself.

PS: If you are using Debian, just use openssl package >= 0.9.8g-10.1.

----------------------------------------------------------------------
