On 6 Jul 2011 at 16:26, Brez Borland wrote:

> Hi Olle, please see below..
> 
> On Wed, Jul 6, 2011 at 3:15 PM, Olle E. Johansson <o...@edvina.net> wrote:
> 
> On 6 Jul 2011 at 16:01, Iñaki Baz Castillo wrote:
> 
> > 2011/7/6 Olle E. Johansson <o...@edvina.net>:
> >> Now, consider that a UA has configured a proxy as an outbound proxy. The 
> >> connection between them is out of scope for now.
> >>
> >> The UA issues a call to SIPS:al...@georgia.example.com
> >> The proxy does NAPTR/SRV resolution and comes up with a server that 
> >> presents a certificate
> >>
> >> A) that is expired
> >> B) that is showing "evilstate.example.com" as the domain
> >
> > As a sidenote: a TLS certificate can contain various SIP domains by
> > using the AltSubject field.
> >
> >
> >> C) that is valid
> >>
> >> Now, in the case of C, the proxy adds a via header with 
> >> "sips:192.168.40.20" and forwards the message to the next proxy, which 
> >> forwards to a UA. On return, the proxy tries to set up a secure connection 
> >> for the response to 192.168.40.20, but fails since the certificate is 
> >> valid for "alabama.example.com" only.
> >>
> >> D) What is the valid action? Drop the response?
> >
> > Good question. However, checking a server certificate (matching the
> > domain) just makes sense (IMHO) for requests. That is, a UAC sends a
> > request to a proxy/server (depending on Route or RURI). The proxy/server
> > presents a TLS certificate including N certified domains. The UAC
> > matches the request destination domain against the domains in the
> > certificate.
> >
> > But in the case of a response I see no way to apply the same. Which is the
> > destination of a SIP response? It must only be routed according to
> > section XX.XX (sorry, no time now) of RFC 3261, that is, typically
> > using the same connection if it's TCP/TLS or inspecting the Via
> > sent-by/received/rport in the case of UDP. So I don't fully understand
> > when you say "the proxy tries to set up a secure connection for the
> > response to 192.168.40.20".
> 
> Unless the proxy receiving the request requested a client certificate it can 
> NOT reuse the connection for the response here if the Via has a SIPS: uri. It 
> needs to validate the SIPS session and get the server certificate for the 
> response... The UA can and should send the response trying to reuse the same 
> connection though. That's why I used two proxies in this example.
> 
> 
> 
> What about RFC 5923, SIP Connection Reuse? The mechanism specified there 
> allows reusing the connection, using it for requests and responses. Have a 
> look at Section 9.2 in that document and see if you can find it relevant to this.
"
   A TLS server conformant to this specification MUST ask for a client
   certificate; if the client possesses a certificate, it will be
   presented to the server for mutual authentication, and authentication
   proceeds as described in Section 7.4 ("Server behavior") of RFC 5922

   If the client does not present a certificate, the server MUST proceed
   as if the "alias" header field parameter was not present in the
   topmost Via header.  In this case, the server MUST NOT update the
   alias table."

It's the same as what I said, but according to this spec it's a MUST to require 
a client certificate.
Thanks for alerting me to this RFC and its involvement in SIP/TLS.

/O
_______________________________________________
Sip-implementors mailing list
Sip-implementors@lists.cs.columbia.edu
https://lists.cs.columbia.edu/cucslists/listinfo/sip-implementors
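The Via/certificate mismatch from case C and the RFC 5923 client-certificate rule quoted above, as an added Python example that is not part of this thread: it parses a topmost Via, honours ";alias" only when the client authenticated with a certificate covering its sent-by, and otherwise requires the certificate of a fresh connection to match the sent-by host. The Via values, certificate identities and the result labels are constructed for illustration.

```python
import ipaddress
import re

# Constructed inputs (not from the thread). Certificate identities are modelled
# as what a verifier reads from subjectAltName: ("DNS", name) or ("IP", address).
VIA_SIPS_IP = "SIP/2.0/TLS 192.168.40.20;branch=z9hG4bK776;alias"
VIA_SIPS_NAME = "SIP/2.0/TLS alabama.example.com;branch=z9hG4bK776;alias"
VIA_NO_ALIAS = "SIP/2.0/TLS alabama.example.com;branch=z9hG4bK776"
ALABAMA_CERT = [("DNS", "alabama.example.com")]


def parse_via(via):
    """Return (transport, host, port, params) from one Via header value.
    Simplification: IPv6 reference syntax ([...]) is not handled."""
    head, *params = via.split(";")
    m = re.match(r"SIP/2\.0/(\w+)\s+([^:\s]+)(?::(\d+))?$", head.strip())
    if not m:
        raise ValueError("malformed Via: %r" % via)
    transport, host, port = m.groups()
    pdict = {}
    for p in params:
        key, _, value = p.strip().partition("=")
        pdict[key.lower()] = value
    return transport.upper(), host, int(port) if port else None, pdict


def identity_matches(cert_ids, host):
    """An IP sent-by matches only an iPAddress SAN; a name only a dNSName SAN."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    for kind, value in cert_ids:
        if ip is not None and kind == "IP" and ipaddress.ip_address(value) == ip:
            return True
        if ip is None and kind == "DNS" and value.lower() == host.lower():
            return True
    return False


def plan_response(via, client_cert_ids, upstream_cert_ids, alias_table):
    """Decide how a TLS server routes the response for a request carrying `via`.
    client_cert_ids: identities the requester presented (empty if none).
    upstream_cert_ids: identities a new connection to sent-by would present."""
    _transport, host, port, params = parse_via(via)
    # RFC 5923: honour ";alias" only if the client authenticated for its sent-by;
    # without a client certificate, behave as if ";alias" were absent.
    if "alias" in params and identity_matches(client_cert_ids, host):
        alias_table[(host, port or 5061)] = "reusable"
        return "reuse-connection"
    # Otherwise a fresh TLS connection to sent-by is needed, and its certificate
    # must match the sent-by host (an IP sent-by needs an iPAddress SAN).
    if identity_matches(upstream_cert_ids, host):
        return "new-connection"
    return "cannot-verify"
```

With the constructed inputs, a sips Via carrying an IP address and no client certificate ends in "cannot-verify" even though the upstream certificate is perfectly valid for alabama.example.com, which is exactly the case D question.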
