[Users] [Fwd: [Sip-implementors] TLS certificate question]

Klaus Darilion klaus.mailinglists at pernau.at
Thu Oct 6 16:01:38 CEST 2005 

Hi!

I asked a question on the sip-implementors list. As nobody answered I 
post it here again, as it is also related to ser/openser.

thanks
klaus

-------- Original Message --------
Subject: [Sip-implementors] TLS certificate question
Date: Wed, 05 Oct 2005 09:10:05 +0200
From: Klaus Darilion <klaus.mailinglists at pernau.at>
To: SIP Implementors <sip-implementors at cs.columbia.edu>

Hi!

I'm trying to figure out how to make a certificate for a SIP proxy.
RFC3262, section 4.1 states:

    For NAPTR records with SIPS protocol fields, (if the server is using
    a site certificate), the domain name in the query and the domain name
    in the replacement field MUST both be valid based on the site
    certificate handed out by the server in the TLS exchange.  Similarly,
    the domain name in the SRV query and the domain name in the target in
    the SRV record MUST both be valid based on the same site certificate.
    Otherwise, an attacker could modify the DNS records to contain
    replacement values in a different domain, and the client could not
    validate that this was the desired behavior or the result of an
    attack.

I'm not sure what the phrase "...MUST both be valid based on the site
certificate" means. Does it mean that all possible domains must be
present in the certificate?

now imagine the follwing DNS lookups: sip:user at example.com
  ;          order pref flags service      regexp  replacement
       IN NAPTR 50   50  "s"  "SIPS+D2T"     ""  _sips._tcp.example.com.
       IN NAPTR 90   50  "s"  "SIP+D2T"      ""  _sip._tcp.example.com
       IN NAPTR 100  50  "s"  "SIP+D2U"      ""  _sip._udp.example.com.

_sips._tcp.example.com.  That lookup would return:
    ;;          Priority Weight Port   Target
        IN SRV  0        1      5061   server1.example.com
        IN SRV  0        2      5061   server2.example.com
_sip._tcp.example.com.  That lookup would return:
    ;;          Priority Weight Port   Target
        IN SRV  0        1      5060   server1.example.com
        IN SRV  0        2      5060   server2.example.com
_sip._udp.example.com.  That lookup would return:
    ;;          Priority Weight Port   Target
        IN SRV  0        1      5060   server1.example.com
        IN SRV  0        2      5060   server2.example.com

Finally, a TLS connection is made with server1.example.com.

IF I understand RFC3263 correct, all of the above domains must be
present in the certificate, but how to do this?

1. Should I put CN=example.com into the Subject and all other domains
into the Subject Alternative Name?
DNS=_sips._tcp.example.com.
DNS=_sip._tcp.example.com
DNS=_sip._udp.example.com.
DNS=server1.example.com
DNS=server2.example.com

2. Should I leave the Subject empty and put all domains into the Subject
Alternative Name?

3. Why is it not sufficient to use only the domain "example.com" in the
certificate (putting it into the subject field)?

4. Which SIP URIs should be used to check against the domains in the
certificate (mutual proxy-proxy scenario)? Is it correct to check the
domain in the request URI against the certificate of the receiving
proxy, and check the domain in the From: URI against the certificate of
the originating proxy?

Thanks for any clarifications
Klaus
_______________________________________________
Sip-implementors mailing list
Sip-implementors at cs.columbia.edu
http://lists.cs.columbia.edu/mailman/listinfo/sip-implementors

More information about the Users mailing list