[Users] openser2openser

Alexander Ph. Lintenhofer lintenhofer at aon.at
Wed Oct 5 18:37:19 CEST 2005


Hi Klaus,

> Alexander Philipp Lintenhofer wrote:
>
>> Hi Klaus,
>>
>> TLS: Is this feature already tested with version 0.10.x? Is it necessary that
>> both proxies are under the same root-CA or is it possible to define different
>
>
> Up to now I did not test it, I just read the README. If I understand 
> it correctly, then you can import as many CA certs as you like.


OK, that is also my state of information. So you import the root certificates of
all trusted domains with which you want authentication.

>
>> trust anchors by distributing root certificates? Or do I need a cross-path
>> mechanism to deal with this problem?
>
>
> At the moment I'm having problems figuring out what the server 
> certificate must look like.


The standard is X509v3.

> e.g. a lookup for sip:klaus at example.net may lead to another domain 
> using SRV. Which domain must be in the certificate? Where in the 
> certificate (Subject? Subject alternative name? ...)


The SRV request yields the responsible SIP server of example.net. According to
RFC 3261 the subject of the certificate must correspond to the canonical
hostname of this server.
I believe that your outbound proxy exchanges its certificate with the inbound of
example.net for mutual authentication. So regarding RFC 2246 both need a way
to validate the other cert. -> ?

regards,
philipp

>
>>
>>> proxy2proxy authentication is usually done by TLS.
>>>
>>> The problem is that both proxies use different nonces to 
>>> authenticate. You can try to set the secret on both proxies:
>>> http://openser.org/docs/modules/0.10.x/auth.html#AEN62
>>>
>>> regards
>>> klaus
>>>
>>> Taras Bendik wrote:
>>>
>>>> Situation:
>>>> client1 ----->openser1 ----> openser2 ---->client2
>>>> Both openser have same accounts (user/pass)
>>>>
>>>> When I'm not using proxy authentication it works OK.
>>>> If I use it, it gives me 407.
>>>>
>>>> I have tried to use the following:
>>>> http://www.voice-system.ro/docs/uac/ar01s06.html#ex_auth
>>>>
>>>> and it always ends up executing this part:
>>>> if (isflagset(7)) {
>>>>    t_reply("503","Authentication failed");
>>>>    break;
>>>> }
>>>>
>>>> I looked at the ngrep log, and it is something like this:
>>>>  ser1 -> ser2 INVITE
>>>>  ser2 -> ser1 AUTH Required
>>>>  ser1 -> ser2 INVITE with auth
>>>>  ser2 -> ser1 AUTH Required
>>>>  ser1 -> ser2 INVITE with auth
>>>>  ser2 -> ser1 AUTH Required
>>>> It seems to me that openser1 cannot authenticate on openser2.
>>>>
>>>>
>>>> Thanks in advance
>>>>
>>>>
>>>>
>>>> _______________________________________________
>>>> Users mailing list
>>>> Users at openser.org
>>>> http://openser.org/cgi-bin/mailman/listinfo/users

