[Users] TLS - certificate infrastructure

Cesc cesc.santa at gmail.com
Thu Oct 6 01:42:14 CEST 2005


Hi,

All the structures you presented are valid and will work with openser
(openSSL in general). The internal validation of the exchanged certs against
the trusted roots can be of several layers (I think it is limited in openser's
TLS implementation, but for sure you can have at least 5 levels).
Just add the CA's public key to the trusted certs file and voila! Note that
for option C you don't need to add the root cert, just the two CAs' certs.
See that the UA needs only the cert from its local proxy ... TLS is
hop-by-hop, so it doesn't care about the remote proxy.
The simplest and easiest (if it is for testing purposes, I mean) to implement
is option A, though if the domains are separated/independent you most
probably want something like option C (each CA generates certs for its local
users, no need to "buy" a cert for each user from a "real" Certificate
Authority, which cost money :D).

By the way ... the self-signed cert ... it will definitely work. That is the
main point of open stuff, right?

Regards,

Cesc

On 10/5/05, Alexander Ph. Lintenhofer <lintenhofer at aon.at> wrote:
>
> Hi everybody,
>
> I want to test openser 0.10.x and its TLS capabilities. Therefore I plan
> to install two proxies, sip.atlanta.com and sip.biloxi.com. Two users,
> alice at atlanta.com and sip.biloxi.com, should communicate over the two
> proxies secured by TLS. The UAs are snom360 phones.
>
>  ---------------------           -----------------           -----------------           -------------------
> | alice at atlanta.com | <-------> | sip.atlanta.com | <-------> | sip.biloxi.com  | <-------> | bob at biloxi.com |
>  ---------------------           -----------------           -----------------           -------------------
>
> Mutual authentication should take place between the UAC and the outbound
> proxy, the two proxies and between the inbound proxy and the UAS.
> The problem is that I am not sure about the organisation of the
> certificate's infrastructure. I don't know which would be the best
> solution to implement.
> So please look at my suggestions and feel free to make your comments.
>
> 1. user certificate for alice at atlanta.com
> 2. server certificate for sip.atlanta.com
> 3. server certificate for sip.biloxi.com
> 4. user certificate for bob.biloxi.com
> The root certificate is self signed (Does this work with openser?)
>
>
> a.) One common CA (=root) signs all components.
>
>            -----------
>            |    CA   |
>            -----------
>           / /       \ \
>          / /         \ \
>         /  |         |  \
>       --- ---       --- ---
>       |1| |2|       |3| |4|
>       --- ---       --- ---
>
> b.) Two separate CAs (= each one's root) sign their proxy and UA. Mutual
> import of the other domain's root certificate takes place.
>
>        -------           -------
>        | CA A |           | CA B |
>        -------           -------
>        /     \           /     \
>      ---     ---       ---     ---
>      |1|     |2|       |3|     |4|
>      ---     ---       ---     ---
>
> c.) One common root signs two CAs which sign their proxy and UA.
>
>               -------------
>               | root-cert |
>               -------------
>                /         \
>               /           \
>        -------           -------
>        | CA A |           | CA B |
>        -------           -------
>        /     \           /     \
>      ---     ---       ---     ---
>      |1|     |2|       |3|     |4|
>      ---     ---       ---     ---
>
>
> Thank you very much for your help!
>
> regards,
> Philipp
>
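Option C from the question above, built and checked with openssl as an added example (not openser's code or anything from the thread): one self-signed root signs CA A and CA B, each CA signs its own proxy and user certs, and the trusted-certs file a proxy loads is root plus both CA certs. All names and key sizes are constructed for the example; verify_leaf stands in for what a TLS peer does with that file.

```shell
#!/bin/sh
# Constructed example: build the option C hierarchy and verify leaves against it.
set -e
W=$(mktemp -d); cd "$W"
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth,clientAuth\n' > leaf.ext

# csr NAME CN: fresh key plus certificate request for NAME with subject CN.
csr() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$1.key" -out "$1.csr" 2>/dev/null
}
# sign NAME ISSUER EXTFILE: issue NAME.pem from NAME.csr under ISSUER's key.
sign() {
  openssl x509 -req -in "$1.csr" -CA "$2.pem" -CAkey "$2.key" -CAcreateserial \
    -days 30 -extfile "$3" -out "$1.pem" 2>/dev/null
}

# root-cert (self-signed), then the two intermediate CAs it signs
csr root "Test Root"
openssl x509 -req -in root.csr -signkey root.key -days 30 -extfile ca.ext \
  -out root.pem 2>/dev/null
csr caA "CA A"; sign caA root ca.ext
csr caB "CA B"; sign caB root ca.ext
# items 1..4 from the question: each domain's CA issues its own user/proxy certs
csr alice  "alice@atlanta.com"; sign alice  caA leaf.ext
csr proxyA "sip.atlanta.com";   sign proxyA caA leaf.ext
csr proxyB "sip.biloxi.com";    sign proxyB caB leaf.ext
csr bob    "bob@biloxi.com";    sign bob    caB leaf.ext

# The trusted-certs file a proxy would load: the root and both CA certs.
cat root.pem caA.pem caB.pem > trusted.pem

# verify_leaf LEAF TRUSTED: exit 0 iff LEAF chains to a cert in TRUSTED.
# Only the certs in TRUSTED are available for chain building, so a leaf
# whose issuing CA is missing from the file fails even if the root is there.
verify_leaf() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

for f in alice proxyA proxyB bob; do
  verify_leaf "$f.pem" trusted.pem && echo "$f: ok" || echo "$f: FAIL"
done
```

Running it prints "ok" for all four leaves; swapping trusted.pem for root.pem alone makes every leaf fail, which is why the CA certs themselves go into the trusted file.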