[Users] Re: [Serusers] [Fwd: [Sip-implementors] TLS certificate question]
Cesc
cesc.santa at gmail.com
Mon Oct 10 11:14:13 CEST 2005
Hi all,
Interesting discussion :)
On 10/10/05, Greger V. Teigre <greger at teigre.com> wrote:
>
> From that perspective, you would probably only allow From domains that
> are found in the CN and alternative names of the certificate of server A.
>
> I don't think this is a general matter (finding what is "correct"), but
> more about the policies you implement (or level of integrity checks you
> want to enforce). Do you allow the certificate of the sender to deviate
> (domain-wise) from the domain of the proxy? If you have multiple proxies
> between you and the sender and you trust the proxy, you probably will
> allow it. If you are peering with a proxy and only want to allow that
> proxy's users, you probably disallow it.
I would agree with Greger that the authentication you need depends on the
local policy. For that, ser needs to provide a flexible mechanism, as I don't
think there is a one-fits-all.
As it is now, the current tls code does not really allow for flexibility, I
would say. How about creating some kind of module that would allow in-depth
access to tls functions, such as
- tls_verify_peer_cert()
- tls_check_from()
- tls_check_to()
...
This way a barebones connection may be accepted on the tls level (say, just
server authentication). Then, in the config file you may be able to stiffen
the authentication requirements with a bunch of functionalities provided by
a tls_tools module.
Regards,
Cesc
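One way a tls_check_from() of the kind proposed above could behave, as an added example that is not code from SER or from the poster: it assumes the TLS layer has already verified the peer's chain (the "barebones" server authentication) and hands over the peer certificate in the shape Python's ssl.getpeercert() returns, uses a constructed certificate, and models the "trusted relaying proxy" case with an allow_deviation policy flag.

```python
import re

# Constructed peer certificate, in the dict shape ssl.SSLSocket.getpeercert()
# returns once the TLS handshake has already validated the chain.
PEER_CERT = {
    "subject": ((("commonName", "sip.example.com"),),),
    "subjectAltName": (("DNS", "sip.example.com"), ("DNS", "*.example.com")),
}

# Matches the host part of the first sip:/sips: URI in a From header value.
_FROM_RE = re.compile(r"<?sips?:(?:[^@>;]+@)?([A-Za-z0-9.-]+)(?::\d+)?[^>]*>?")


def from_domain(from_header):
    """Return the lower-cased host of the URI in a SIP From header."""
    m = _FROM_RE.search(from_header)
    if not m:
        raise ValueError("no SIP URI in From header")
    return m.group(1).lower().rstrip(".")


def cert_domains(peercert):
    """Collect the CN and DNS subjectAltName entries of the peer certificate."""
    names = set()
    for rdn in peercert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                names.add(value.lower())
    for kind, value in peercert.get("subjectAltName", ()):
        if kind == "DNS":
            names.add(value.lower())
    return names


def domain_matches(domain, pattern):
    """Exact match, or a single-label wildcard in the leftmost position only."""
    if pattern.startswith("*."):
        suffix = pattern[1:]
        return domain.endswith(suffix) and "." not in domain[: -len(suffix)]
    return domain == pattern


def tls_check_from(from_header, peercert, allow_deviation=False):
    """Accept when the From domain is covered by the peer certificate, or when
    local policy (allow_deviation) trusts this peer to relay for other domains."""
    domain = from_domain(from_header)
    if any(domain_matches(domain, p) for p in cert_domains(peercert)):
        return True
    return allow_deviation
```

With allow_deviation left False the check enforces the strict peering policy described above; a trusted upstream proxy would be configured with it set to True.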