[Users] Re: [Serusers] trusting peers

Jan Janak jan at iptel.org
Tue Oct 11 15:58:52 CEST 2005


On 11-10-2005 15:46, Klaus Darilion wrote:
> Jan Janak wrote:
> >On 11-10-2005 14:55, Klaus Darilion wrote:
> >
> >>Hi all!
> >>
> >>I want to differentiate between _incoming_ SIP requests from trusted peers and 
> >>from untrusted ones (for different call routing). I came to the following 
> >>solutions. All of them have some disadvantages, and I would like to know 
> >>which you would prefer:
> >>
> >>1. src_ip: incoming requests are authenticated using the src_ip (only 
> >>useful in TCP mode)
> >>+:  easy to implement
> >>+:  easy to differentiate authenticated from unauthenticated incoming calls
> >>-:  lots of configuration (IP addresses may change, )
> >>This can be implemented using if src_ip==... blocks in openser.cfg, 
> >>which would require changing the script every time the IP addresses are 
> >>changed. Also requires a restart of the proxy.
> >
> >
> >  You can also use trusted table and permission module.
> 
> Right! I think this should be documented somewhere :-)
> 
> Maybe we can adopt this function to verify the domain of the client 
> certificate?

  Client certificate ? Why ? Make sure that the client certificate is
  created by a trusted CA (which is known to SER) and once a request
  arrives over TLS then you know that the certificate was valid
  (provided that you enable client certificate verification).

    Jan.
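
The thread contrasts hard-coded `if src_ip==...` blocks with a table-driven trust check. The following is an added example, not code from this thread or from the SER/OpenSER permissions module: a small Python model of a trusted-peer lookup keyed on source IP, transport and a From-URI pattern. The row layout, names, addresses and domains are assumptions constructed for illustration.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class TrustedRow:
    src_ip: str        # exact source address of the peer
    proto: str         # "any", "udp", "tcp" or "tls"
    from_pattern: str  # regex the From URI must match


# Constructed sample rows (documentation addresses, hypothetical domains).
TRUSTED = [
    TrustedRow("192.0.2.10", "tls", r"^sip:.*@peer-a\.example$"),
    TrustedRow("192.0.2.20", "tcp", r"^sip:.*@peer-b\.example$"),
    TrustedRow("198.51.100.5", "any", r"^sip:.*@peer-c\.example$"),
]


def is_trusted(src_ip, proto, from_uri, rows=TRUSTED):
    """Return True if one row matches source IP, transport and From URI."""
    for row in rows:
        if row.src_ip != src_ip:
            continue
        # A row bound to one transport must not match the same IP on another.
        if row.proto != "any" and row.proto != proto.lower():
            continue
        if re.search(row.from_pattern, from_uri):
            return True
    return False


def route(src_ip, proto, from_uri, rows=TRUSTED):
    """Pick the routing branch the script would take after the trust check."""
    return "trusted-peer" if is_trusted(src_ip, proto, from_uri, rows) else "untrusted"


if __name__ == "__main__":
    # Constructed requests: (source IP, transport, From URI).
    for req in [
        ("192.0.2.10", "tls", "sip:alice@peer-a.example"),
        ("192.0.2.10", "udp", "sip:alice@peer-a.example"),
        ("192.0.2.20", "tcp", "sip:bob@other.example"),
        ("203.0.113.9", "tcp", "sip:carol@peer-b.example"),
    ]:
        print(req, "->", route(*req))
```

When a peer's address changes, only the row data changes; the routing logic stays as it is.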



