[Serusers] [Fwd: [Sip-implementors] TLS certificate question]

Klaus Darilion klaus.mailinglists at pernau.at
Mon Oct 10 19:54:44 CEST 2005


Hi!

Thanks for your comments!

I just wanted you to know that I'm still working on my answer (reading 
RFC, list archives ...). Thus, no answer yet ;-)

Cesc wrote:
> Hi all,
>  
> Interesting discussion :)
>  
...
> As it is now, the current tls code does not really allow for 
> flexibility, I would say. How about creating some kind of module that 
> would allow in-depth access to tls functions, such as
> - tls_verify_peer_cert()
> - tls_check_from()
> - tls_check_to()

I agree. We will need these functions. We should also document what the 
current implementation is validating (when authenticating a server 
certificate: which domain is checked against which part of the 
certificate?) ...

regards
klaus

> .....
> This way a barebones connection may be accepted on the tls level (say, 
> just server authentication). Then, in the config file you may be able to 
> stiffen the authentication requirements with a bunch of functionalities 
> provided by a tls_tools module.
>  
> Regards,
>  
> Cesc



