Juha Heinanen wrote:
Klaus Darilion writes:
> * validate domains in certifiacte with requests domain
> * If I understand correctly, this part is missing in current
> * implementation
what would that check mean? proxy selects next hop proxy my manual
configuration or by srv lookup on host part of request uri. then proxy
can verify server certificate of the next hop proxy. i don't understand
what domains have to do with this.
server verification:
1. the certificate must be valid (signed by a trusted CA)
2. The certificate should reflect the proxy I'm tryin to reach. When
contacting [EMAIL PROTECTED] the proxy should not accept a certificate for
foo.bar.com, but for iptel.org or sip.iptel.org
> Version A:
> 1. Validate the From: domain in the SIP request against the domain
> name in the certificate.
you cannot do this, because domain of certificate has nothing to do with
from domain.
Depends on the certificate. IMO the complete TLS part is crude.
regard
klaus
RFC 3261; 26.3.2.2 Interdomain Requests
[...atlanta calls biloxy...]
The proxy server at biloxi.com SHOULD inspect the certificate of the
proxy server at atlanta.com in turn and compare the domain asserted
by the certificate with the "domainname" portion of the From header
field in the INVITE request. The biloxi proxy MAY have a strict
security policy that requires it to reject requests that do not match
the administrative domain from which they have been proxied.
_______________________________________________
Users mailing list
[email protected]
http://openser.org/cgi-bin/mailman/listinfo/users
