[Users] CRL in OpenSER

Klaus Darilion klaus.mailinglists at pernau.at
Wed Apr 12 15:21:32 CEST 2006


Christoph Fürstaller wrote:
> Hi,
> 
> Is there a possibility to check a client certificate against a CRL? Is
> this already implemented or are there plans to do such?

It is not implemented in openser. I have no plans, but it is easy to do:
There are certain OpenSSL functions to load the CRL list. You only have
to add a configuration parameter for the location of the CRL, and then
during initiation of the TLS domains load the CRL.

> Is it a good idea to use client certs? Or is the effort to realize that
> too much? Because the benefits from authenticating a client only for the
> TLS connection aren't that much. And authentication against a DB is done
> later on in OpenSER as well. (authentication is done twice)

When using SIP digest authentication to authenticate, IMO there is no 
need to require a certificate from the SIP client.

regards
klaus

> 
> What do you think?
> 
> chris...
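
The approach described in the reply above (a CRL location parameter, read when a TLS domain is initialised) shown as an added example; it is not part of the original message and is not OpenSER code. It uses Python's `ssl` module, which wraps the same OpenSSL certificate store, and `build_tls_domain`, `crl_file`, `check_chain` and `crl_mode` are hypothetical names.

```python
import os
import ssl


def build_tls_domain(ca_file=None, crl_file=None, check_chain=False):
    """Server-side context for one TLS domain that demands a client certificate.

    crl_file stands in for the new configuration parameter (hypothetical name).
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.verify_mode = ssl.CERT_REQUIRED            # request and verify a client cert
    if ca_file:
        ctx.load_verify_locations(cafile=ca_file)  # CA(s) that issue client certs
    if crl_file is None:
        return ctx                                 # revocation checking stays off

    # Fail at start-up when the configured CRL is missing, instead of
    # running without revocation data.
    if not os.path.isfile(crl_file):
        raise FileNotFoundError(f"CRL file not found: {crl_file}")

    # PEM CRLs go into the same X509 store that holds the trusted CAs.
    ctx.load_verify_locations(cafile=crl_file)

    # Loading alone changes nothing: the store consults CRLs only once a
    # check flag is set. LEAF checks the peer certificate, CHAIN checks
    # every certificate in the chain (and then needs a CRL for each issuer).
    # With a flag set and no CRL for the issuer, verification fails.
    if check_chain:
        ctx.verify_flags |= ssl.VERIFY_CRL_CHECK_CHAIN
    else:
        ctx.verify_flags |= ssl.VERIFY_CRL_CHECK_LEAF
    return ctx


def crl_mode(ctx):
    """Report which revocation check a context will perform."""
    flags = ctx.verify_flags
    if (flags & ssl.VERIFY_CRL_CHECK_CHAIN) == ssl.VERIFY_CRL_CHECK_CHAIN:
        return "chain"
    if flags & ssl.VERIFY_CRL_CHECK_LEAF:
        return "leaf"
    return "off"
```

`ctx.cert_store_stats()["crl"]` reports how many CRLs the store holds, which is a quick check that the file was actually picked up.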




