[Users] tls_require_certificate

Alexander Ph. Lintenhofer lintenhofer at aon.at
Sat Oct 8 22:56:14 CEST 2005


Hi there,

I have a question concerning TLS in openser:

By switching tls_require_certificate to "on", the peer is forced to send 
his certificate for means of mutual authentication.

My problem is that the peer may be another proxy server whom I want to 
authenticate with its cert - but the peer might also be a user agent. 
In my situation I use a Snom 360, which does not have the possibility to import 
its own user-certificate (only a CA-cert for verifying server-certs).

 -----------                         ----------                     ---------
| snom 360  | <------  TLS -------> | outbound | <----- TLS -----> | inbound |
 -----------   server sends cert     ----------     mutual AUTH     ---------


But when I activate tls_require_certificate=on in the openser.cfg of the 
outbound proxy, the snom360 can't register, because it has no user-cert. 
On the other hand, when I disable tls_require_certificate, the snom can 
register, but the security between the proxies is weak.

Is there an appropriate solution for this problem? Maybe I didn't 
understand the sample configuration at all....

Thanks in advance and regards,

Philipp




