[Users] CRL in OpenSER
Klaus Darilion
klaus.mailinglists at pernau.at
Wed Apr 12 15:21:32 CEST 2006
Christoph Fürstaller wrote:
> Hi,
>
> Is there a possibility to check a client certificate against a CRL? Is
> this already implemented or are there plans to do such?
It is not implemented in openser. I have no plans, but it is easy to do:
There are certain openSSL functions to load the CRL list. You only have
to add a configuration parameter for the location of the CRL, and then
during initiation of the TLS domains load the CRL.
> Is it a good idea to use client certs? Or is the effort to realize that
> too much? Cause the benefits from authenticating a client only for the
> TLS connection aren't that much. And authentication against a DB is done
> later on in OpenSER as well. (authentication is done twice)
When using SIP digest authentication to authenticate, IMO there is no
need to require a certificate from the SIP client.
regards
klaus
>
> What do you think?
>
> chris...