[Serusers] trusting peers

Klaus Darilion klaus.mailinglists at pernau.at
Tue Oct 11 16:32:54 CEST 2005


Jan Janak wrote:
> On 11-10-2005 15:46, Klaus Darilion wrote:
> 
>>Jan Janak wrote:
>>
>>>On 11-10-2005 14:55, Klaus Darilion wrote:
>>>
>>>
>>>>Hi all!
>>>>
>>>>I want to distinguish between _incoming_ SIP requests from trusted peers and 
>>>>from untrusted ones (for different call routing). I came to the following 
>>>>solutions. All of them have some disadvantages, and I would like to know 
>>>>which you would prefer:
>>>>
>>>>1. src_ip: incoming requests are authenticated using the src_ip (only 
>>>>useful in TCP mode)
>>>>+:  easy to implement
>>>>+:  easy to distinguish authenticated from unauthenticated incoming calls
>>>>-:  lots of configuration (IP addresses may change)
>>>>This can be implemented using if src_ip==... blocks in openser.cfg, 
>>>>which would require changing the script every time the IP addresses are 
>>>>changed. It also requires a restart of the proxy.
>>>
>>>
>>> You can also use trusted table and permission module.
>>
>>Right! I think this should be documented somewhere :-)
>>
>>Maybe we can adapt this function to verify the domain of the client 
>>certificate?
> 
> 
>   Client certificate ? Why ? Make sure that the client certificate is
>   created by a trusted CA (which is known to SER) and once a request
>   arrives over TLS then you know that the certificate was valid
>   (provided that you enable client certificate verification).

Knowing that the certificate is valid is not enough. Badguy can have a 
certificate for badguy.com which is perfectly valid, but this does not 
imply that I trust badguy.com. I have to compare the certificate domain 
with the domains of trusted peers somehow.

regards
klaus




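The two trust decisions discussed in this thread, as an added example that is not part of the original mail and not SER/OpenSER code: a source-address lookup against a small trusted table (modelled on the idea of the permissions module's trusted table, with a transport column so the match can be limited to TCP as Klaus's option 1 suggests), and the certificate check Klaus asks for, where a chain that validates against a trusted CA is necessary but not sufficient and the certificate's host name still has to be compared with the list of trusted peer domains. The table rows, domains, certificate dicts and request dicts are all constructed for the example; the certificate is represented as a plain dict rather than a parsed X.509 object.

```python
"""Added example: classify an incoming SIP request as coming from a trusted
or an untrusted peer, either by source address (a trusted-table style
lookup) or by the domain in a TLS client certificate.  Illustrative Python,
not SER/OpenSER code; every table row, domain and request below is
constructed for the example."""
import ipaddress

# Constructed stand-in for a permissions-module style trusted table:
# (src_ip or CIDR, transport).  "any" matches every transport.
TRUSTED_TABLE = [
    ("192.0.2.10", "any"),
    ("198.51.100.0/24", "tcp"),
]

# Constructed list of peer domains we have decided to trust.
TRUSTED_DOMAINS = {"sip.peer-a.example", "sip.peer-b.example"}


def trusted_by_src_ip(src_ip, proto, table=TRUSTED_TABLE):
    """True if src_ip/proto matches a row of the trusted table."""
    addr = ipaddress.ip_address(src_ip)
    proto = proto.lower()
    for entry, entry_proto in table:
        if entry_proto != "any" and entry_proto != proto:
            continue
        if addr in ipaddress.ip_network(entry, strict=False):
            return True
    return False


def cert_names(cert):
    """Host names the client certificate asserts: SAN dNSName entries first,
    the subject CN only as a fallback when there is no SAN.  `cert` is a
    plain dict (keys: verified, san_dns, cn) constructed for the example."""
    names = [n.lower().rstrip(".") for n in cert.get("san_dns", [])]
    if not names and cert.get("cn"):
        names = [cert["cn"].lower().rstrip(".")]
    return names


def trusted_by_cert(cert, trusted_domains=TRUSTED_DOMAINS):
    """A valid chain is necessary but not sufficient: the name in the
    certificate must also be one of the peers we chose to trust, so a
    perfectly valid certificate for badguy.example still yields False."""
    if not cert.get("verified"):        # TLS stack did not accept the chain
        return False
    for name in cert_names(cert):
        if "*" in name:                 # a wildcard cannot name one peer
            continue
        if name in trusted_domains:
            return True
    return False


def classify(request):
    """Return "trusted" or "untrusted" for a constructed request dict with
    keys src_ip, proto and optionally cert.  When a client certificate was
    presented it decides; otherwise the source address is consulted."""
    if request.get("cert") is not None:
        return "trusted" if trusted_by_cert(request["cert"]) else "untrusted"
    if trusted_by_src_ip(request["src_ip"], request["proto"]):
        return "trusted"
    return "untrusted"


if __name__ == "__main__":
    # Constructed requests: a plain TCP request from a listed subnet, and a
    # TLS request whose certificate is valid but for an unlisted domain.
    print(classify({"src_ip": "198.51.100.7", "proto": "tcp"}))
    badguy = {"verified": True, "san_dns": ["badguy.example"],
              "cn": "badguy.example"}
    print(classify({"src_ip": "203.0.113.5", "proto": "tls", "cert": badguy}))
```

Two choices in the example are the author's, not anything the thread settles: SAN dNSName entries take precedence over the subject CN, and wildcard names are refused outright because they cannot be tied to a single peer. The `verified` flag stands for the CA-chain check that the TLS layer performs when client certificate verification is enabled; the domain comparison is the extra step on top of it.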