[Users] tls_require_certificate

Cesc cesc.santa at gmail.com
Sun Oct 9 19:03:34 CEST 2005


See inline ...

On 10/9/05, Alexander Ph. Lintenhofer <lintenhofer at aon.at> wrote:
>
> Hello Cesc,
>
> Thanks for your answer!
> > If you want just one setup, then you are forced to use the "less
> > secure" setup so that your UAs can support it.
> I think this is not a sufficient solution. Maybe it's possible to make
> black- or whitelists for authentication rules in future developments
> (just a quick'n'dirty idea).


Do you mean something like:
if the connecting ip:port is in the white list, apply a less restrictive TLS
authentication (do not require a peer cert);
if the connecting ip:port is not in the white list, or is in the black list,
demand stronger authentication.
Is that it?
Note that you can only do these lists based on ip:port, as the TLS setup
happens before any SIP exchange.

What I really think could work is to create a function (probably in a
tls_utils module) which would allow performing the extra verification that
you could not perform during TLS setup.
I mean, you set up all TLS asking for a certificate from the other peer, but
do not require that it sends one. Then, from within the config file, you
could use a special function and force ser to perform the extra verification
on the TLS connection (equivalent to tls_require_cert=1).

Just a thought ...

> With NAPTR-lookup support, the t_relay_to_tls("specific
> domain","specific port") function could also be serviced by t_relay(),
> or am I wrong?


Indeed, it should work. I don't know if ser uses the lookups correctly ...
t_relay should already work if your endpoint registered the contact over tls
(transport=tls).
For inter-proxy, either you rely on naptr or use the t_relay_to_tls.

Regards,

Cesc
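As an added illustration (not SER code and not part of the original thread), the two ideas above combined in one policy function: the peer is identified only by ip:port, since that is all that is known before any SIP is exchanged; allow-listed peers may connect without a client certificate, everyone else gets the post-handshake "require cert" check, and block-listed peers are refused regardless. The CIDR ranges and ports are constructed sample values.

```python
"""Toy TLS peer policy modelling the thread's proposal (example code, not SER's
tls module): optional client cert at handshake, extra "require cert" check
applied afterwards unless the peer's ip:port is on an allow list."""
import ipaddress
from typing import List, Optional, Tuple

# Entries are (network, port); port None means any port. Constructed sample values.
ALLOW: List[Tuple[str, Optional[int]]] = [("10.0.0.0/8", 5061)]   # trusted UAs
BLOCK: List[Tuple[str, Optional[int]]] = [("192.0.2.0/24", None)]  # always refused


def _matches(peer_ip: str, peer_port: int, entries) -> bool:
    """True if peer_ip:peer_port falls inside any (network, port) entry."""
    addr = ipaddress.ip_address(peer_ip)
    for net, port in entries:
        if addr in ipaddress.ip_network(net) and (port is None or port == peer_port):
            return True
    return False


def decide(peer_ip: str, peer_port: int,
           cert_verified: Optional[bool]) -> Tuple[str, str]:
    """Post-handshake decision, the equivalent of tls_require_cert=1 applied
    selectively from the config.

    cert_verified: None  -> peer sent no certificate (handshake was CERT_OPTIONAL)
                   False -> peer sent a certificate that failed verification
                   True  -> peer sent a certificate that verified
    Returns ("accept"|"reject", reason).
    """
    if _matches(peer_ip, peer_port, BLOCK):
        return "reject", "peer address is block-listed"
    if cert_verified is False:
        # A bad certificate is never acceptable, allow-listed or not.
        return "reject", "peer certificate failed verification"
    if cert_verified is None and not _matches(peer_ip, peer_port, ALLOW):
        # The deferred "require cert" check the thread proposes.
        return "reject", "peer certificate required for this address"
    return "accept", "ok"


if __name__ == "__main__":
    for peer in [("10.1.2.3", 5061, None), ("203.0.113.5", 5061, None),
                 ("203.0.113.5", 5061, True), ("192.0.2.9", 5061, True)]:
        print(peer, "->", decide(*peer))
```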