[Serusers] [Fwd: [Sip-implementors] TLS certificate question]

Nils Ohlmeier lists at ohlmeier.org
Mon Oct 10 23:26:19 CEST 2005


On Monday 10 October 2005 19:54, Klaus Darilion wrote:
> > As it is now, the current tls code does not really allow for
> > flexibility, i would say. How about creating some kind of module that
> > would allow in-depth access to tls functions, such as
> > - tls_verify_peer_cert()
> > - tls_check_from()
> > - tls_check_to()
>
> I agree. We will need these functions. We should also document what the
> current implementation is validating (when authenticating a server
> certificate: which domain is checked against which part of the
> certificate?) ...

Just a note: you are thinking/discussing here about the connection layer. But 
when the script is processed the connection is already established.
So the only thing which you can do in the script is verifying the client 
certificate. As the connection is already established you can only reject the 
request on the SIP layer. And client certificates usually work only in 
proxy-to-proxy scenarios, but not for typical UAs.
Server certificate verification can only be handled by a global policy.

  Nils
