[sr-dev] TLS docs

Klaus Darilion klaus.mailinglists at pernau.at
Thu Oct 15 02:05:11 CEST 2009



Jan Janak wrote:
> Klaus,
> 
> On Tue, Oct 13, 2009 at 2:19 PM, Klaus Darilion
> <klaus.mailinglists at pernau.at> wrote:
>>> [...]
>>> Is this still valid - that we only configure tls on IP?
>> "name based" TLS "domains" were supported in Kamailio core, based on an AVP
>> set in script.
> 
> But this only works for newly established connections, right? When a
> connection is already established (possibly with a different SSL
> context or when it is initiated from the other side), the code won't
> change the SSL context. Do I get it right?

Hi Jan!

I can't remember anymore how I implemented it. IIRC, if the 
"TLS_AVP" was set, the TLS "client" did not try to match a "TLS 
domain" based on IP:port, but on the string in the AVP.

This could be used, for example, to use a certain client certificate and 
CA-file depending on the called domain, regardless of the destination 
IP:port.

Yes, this worked only for outgoing connections. For incoming 
connections, I think the server_name extension can help a bit, but even 
better would be support for "trusted_ca_keys".

Regarding existing connections - I do not know, I can't remember anymore.

regards
klaus
