[Users] tls_require_certificate

Bogdan-Andrei Iancu bogdan at voice-system.ro
Mon Oct 10 20:23:42 CEST 2005


Hi Cesc,

Cesc wrote:

> See inline ...
>
> On 10/9/05, *Alexander Ph. Lintenhofer* <lintenhofer at aon.at 
> <mailto:lintenhofer at aon.at>> wrote:
>
>     Hello Cesc,
>
>     Thanks for your answer!
>     >If you want just one setup, then you are forced to use the "less
>     secure" setup so that your UAs can support it.
>     I think this is not a sufficient solution. Maybe it's possible to
>     make
>     black- or whitelists for authentication rules in future developments
>     (just a quick'n'dirty idea).
>
>
> Do you mean something like:
> if connecting ip:port is in white list, apply a less restrictive tls 
> authentication (do not require peer cert)
> if connecting ip:port is not in white list or in black list, demand a 
> stronger auth
> Is that it?
> Note that you can only do these lists based on ip:port, as TLS setup is 
> previous to any sip exchange.
>
> What I really think could work is to create a function (probably in 
> a tls_utils module), which may allow to perform the extra verification 
> that you could not during tls setup.
> I mean, you setup all tls asking for a certificate from the other 
> peer, but do not require that it sends it. Then, from within the 
> config file, you could use a special function and force ser to perform 
> the extra verification on the tls (equivalent to tls_require_cert=1)

I think this would be a good workaround and not difficult to add. It's 
something like Klaus suggested in a later email.

>  
> Just a thought ...
>
>     With NAPTR-lookup support, the t_relay_to_tls("specific
>     domain","specific port") function could also be serviced by
>     t_relay(),
>     or am I wrong?
>
>
> Indeed, it should work. I don't know if ser uses the lookups correctly ...
> t_relay should already work if your endpoint registered the contact 
> over tls (transport=tls).
> For inter-proxy, either you rely on naptr or use the t_relay_to_tls.

The problem with t_relay_to_xxx is that it needs a port to be specified. 
And if a port is specified, no SRV lookup is performed (according to the RFC). 
Once we have the NAPTR lookup, I'm thinking to redesign the 
function interface of all these t_relay...... functions to be more flexible 
and easy to remember :-/.

Right now, you cannot do (in a nice way) a relay to another proxy via 
TLS by using SRV.
If you do t_relay_to_tls() -> adios SRV :(

The only solution I found was to use the DST_URI to force TLS without 
any port specifications:
       avp_write("sip:proxy.com;transport=tls","i:11");
       avp_pushto("$duri","i:11");
       t_relay();

It should also work with:
       avp_write("sips:proxy.com","i:11");
but I never tried it.

regards,
bogdan
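The arrangement Cesc proposes above (ask every peer for a certificate at the TLS handshake, but only insist on it afterwards, per connecting ip:port, so the effect of tls_require_cert=1 is applied selectively) is illustrated here with Python's ssl module, whose CERT_OPTIONAL mode is exactly the "request but do not require" handshake setting. This is an added example, not code from the post or from SER; the whitelist networks and ports are constructed, and accept_peer() is a hypothetical stand-in for the tls_utils function discussed in the thread.

```python
import ssl
from ipaddress import ip_address, ip_network

# Constructed whitelist (not from the thread): peers allowed to connect over
# TLS without presenting a client certificate, as (network, port) pairs.
NO_CERT_REQUIRED = [
    (ip_network("192.0.2.0/24"), 5061),  # e.g. our own UAs that cannot do client certs
]


def make_server_context(ca_file=None):
    """Server context that *requests* a client certificate but lets the
    handshake complete when none is sent (the 'less secure' global setup)."""
    ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
    ctx.verify_mode = ssl.CERT_OPTIONAL  # ask for a cert, do not insist on it
    if ca_file:
        ctx.load_verify_locations(ca_file)  # CA used to validate a presented cert
    return ctx


def cert_optional_for(peer_ip, peer_port):
    """True when the whitelist lets this ip:port connect without a certificate."""
    addr = ip_address(peer_ip)
    return any(addr in net and peer_port == port for net, port in NO_CERT_REQUIRED)


def accept_peer(peer_ip, peer_port, peer_cert):
    """Post-handshake check: the per-connection equivalent of tls_require_cert=1.

    peer_cert is what SSLSocket.getpeercert() returns after the handshake:
    None when the peer sent no certificate, a non-empty dict when it sent one
    that validated against the loaded CA. (With CERT_OPTIONAL an invalid cert
    already aborts the handshake, so an unverified cert never reaches here.)
    """
    if peer_cert:
        return True  # verified client certificate: always accepted
    return cert_optional_for(peer_ip, peer_port)  # no certificate: whitelist decides


def handle_connection(conn):
    """Glue for an already-accepted ssl.SSLSocket: drop peers that owed a cert."""
    ip, port = conn.getpeername()[:2]  # [:2] also covers IPv6 4-tuples
    if not accept_peer(ip, port, conn.getpeercert()):
        conn.close()
        return False
    return True
```

The whitelist can only key on ip:port, as Cesc notes, because no SIP message has been exchanged at this point.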