On Wed, Jul 6, 2011 at 4:13 PM, Iñaki Baz Castillo <i...@aliax.net> wrote:

> 2011/7/6 Olle E. Johansson <o...@edvina.net>:
> >> Good question. However, checking a server certificate (matching the
> >> domain) just makes sense (IMHO) for requests. That is, a UAC sends a
> >> request to a proxy/server (depending on Route or RURI). The proxy/server
> >> presents a TLS certificate including N certified domains. The UAC
> >> matches the request destination domain against the domains in the
> >> certificate.
> >>
> >> But in case of a response I see no way to apply the same. What is the
> >> destination of a SIP response? It must only be routed according to
> >> section XX.XX (sorry, no time now) of RFC 3261, that is, typically
> >> using the same connection if it's TCP/TLS or inspecting the Via
> >> sent-by/received/rport in case of UDP. So I don't fully understand
> >> what you mean when you say "the proxy tries to set up a secure connection for the
> >> response to 192.168.40.20".
> >
> > Unless the proxy receiving the request requested a client certificate it
> can NOT reuse the connection for the response here if the Via has a SIPS:
> URI. It needs to validate the SIPS session and get the server certificate
> for the response... The UA can and should send the response trying to reuse
> the same connection though. That's why I used two proxies in this example.
>
> Maybe I cannot understand what you mean, but I think you are mixing
> sending requests (in-dialog) and sending responses. Correct me if I'm
> wrong:
>
> - Proxy A opens a TLS connection with Proxy B and validates the
> certificate sent by Proxy B.
> - But Proxy A does not present a certificate to Proxy B.
> - Proxy B anyhow accepts the request and gets a response from downstream.
> - Proxy B *can* send the response to Proxy A reusing the existing TLS
> connection even if there is no certificate from Proxy A.
>
> Am I wrong?
>

This is a proper scenario, you're right.
>
> In case of in-dialog requests sent from Proxy B to Proxy A, then we get
> into RFC 5923 "SIP Connection Reuse" (;alias parameter in Via header,
> TLS required, client and server certificates required...).
>
>
>
> --
> Iñaki Baz Castillo
> <i...@aliax.net>
>
> _______________________________________________
> Sip-implementors mailing list
> Sip-implementors@lists.cs.columbia.edu
> https://lists.cs.columbia.edu/cucslists/listinfo/sip-implementors
>
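The thread's conclusion is that a SIP response follows the topmost Via of the request (RFC 3261 section 18.2.2) rather than any certificate check: over TCP/TLS the server reuses the connection the request arrived on, and over UDP it uses the Via's received/rport parameters (falling back to sent-by). The following is an added example written for this page, not code from the thread or from any SIP stack; it implements that sender-side decision on constructed Via values. The hostnames, addresses and branch values are made up for illustration.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample Via header values (not taken from the original thread).
VIA_TLS = "SIP/2.0/TLS proxya.example.net:5061;branch=z9hG4bKa1;alias"
VIA_UDP_RPORT = "SIP/2.0/UDP 192.0.2.10;branch=z9hG4bKb2;received=198.51.100.7;rport=40123"
VIA_UDP_FLAG = "SIP/2.0/UDP 192.0.2.10:5080;branch=z9hG4bKc3;received=198.51.100.7;rport"

# Transports for which RFC 3261 18.2.2 says: reuse the request's connection if still open.
RELIABLE_TRANSPORTS = {"TCP", "TLS", "SCTP"}


@dataclass(frozen=True)
class ResponseTarget:
    transport: str
    host: str
    port: int
    reuse_connection: bool  # True: send on the connection the request arrived on


def parse_via(value: str):
    """Split 'SIP/2.0/<transport> <sent-by>;param[=val];...' into its parts.

    Flag parameters such as ';rport' or ';alias' map to the empty string.
    """
    proto, _, rest = value.strip().partition(" ")
    transport = proto.split("/")[-1].upper()
    parts = [p.strip() for p in rest.split(";")]
    sent_by = parts[0]
    params = {}
    for p in parts[1:]:
        name, _, val = p.partition("=")
        params[name.lower()] = val
    # sent-by is host[:port]; an IPv6 reference is bracketed.
    m = re.fullmatch(r"(\[[^\]]+\]|[^:]+)(?::(\d+))?", sent_by)
    if m is None:
        raise ValueError(f"malformed sent-by in Via: {sent_by!r}")
    port: Optional[int] = int(m.group(2)) if m.group(2) else None
    return transport, m.group(1), port, params


def response_target(top_via: str, request_connection_open: bool) -> ResponseTarget:
    """Decide where a response to a request carrying `top_via` is sent.

    `request_connection_open` models whether the TCP/TLS connection the
    request arrived on is still available to the server.
    """
    transport, host, port, params = parse_via(top_via)

    # 'received' (added by the server when sent-by was a domain name or
    # did not match the source address) supersedes the sent-by host.
    dest_host = params.get("received") or host
    # 'rport' with a value (RFC 3581) supersedes the sent-by port.
    rport = params.get("rport", "")
    if rport:
        dest_port = int(rport)
    else:
        dest_port = port if port is not None else (5061 if transport == "TLS" else 5060)

    # Reliable transport: no certificate check or new handshake is needed for
    # the response; it goes back on the existing connection. Only if that
    # connection is gone does the server open a new one to dest_host:dest_port.
    reuse = transport in RELIABLE_TRANSPORTS and request_connection_open
    return ResponseTarget(transport, dest_host, dest_port, reuse)


if __name__ == "__main__":
    for via, open_conn in ((VIA_TLS, True), (VIA_TLS, False),
                           (VIA_UDP_RPORT, False), (VIA_UDP_FLAG, False)):
        print(via, "->", response_target(via, open_conn))
```

Note that the ;alias parameter on the TLS Via is parsed but deliberately not acted on here: it matters only for RFC 5923 connection reuse of later requests in the reverse direction, which is the separate case the thread points to, not for routing the response.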