[Users] TLS SIP domains
Klaus Darilion
klaus.mailinglists at pernau.at
Mon Mar 27 11:25:42 CEST 2006
Joao Pereira wrote:
> Hello
>
> >If you want to use TLS to authenticate servers, then the verifying
> server must import the root CA which signed the peer's certificate.
>
> Ok, but if you call me, where is my server going to download the
> certificate that signed your server ? From a central Certification
> Authority?
You have to download the CA certificate from the CA.
Then during handshake the peer proxy provides the certificate (signed by
the CA). This certificate will be verified using the previously
downloaded CA cert.
regards
klaus
>
> One other thing: does OpenSER supports 1024 bits certificates? or just
> 512 bits?
>
> Thanks
> Joao Pereira
>
>
>
>
> Klaus Darilion wrote:
>
>> Joao Pereira wrote:
>>
>>> Hello
>>> I m trying to implement an OpenSER with TLS, and I think the idea is
>>> very good and very well explained in the manual (
>>> http://openser.org/docs/tls.html#AEN50 ).
>>>
>>> But can the OpenSER servers negotiate the certificates in real time?
>>
>>
>> Not sure what you mean. The configuration is static and read once
>> during startup. Thus, changing the TLS configuration (add CA certs,
>> ...) requires a reboot of openser.
>>
>> > Can this trusting scheme be dynamic?
>> > or every server needs to have a list of
>>
>>> domains?
>>>
>>> The list of domains is supposed to be centralized, like a rootCA?
>>> Then all our SIP servers must use the same rootCA?
>>
>>
>> If you want to use TLS to authenticate servers, then the verifying
>> server must import the root CA which signed the peer's certificate.
>>
>> regards
>> klaus
>
>
More information about the sr-users
mailing list