Re: [Sip] TLS post connection verification
Hi Eron,
The standard does not elaborate on that, but here is what I think:
For the second question: for sending responses on broken connections, I
don't think that there is a need to do post connection assertion, for two
reasons:
a - The server does not need to authenticate the client.
b - A lot of applications put their specific IP address in the Via field,
while a certificate is more likely issued to an FQDN.
The first question is more tricky. My guess is the "incoming" connection
should only check for the correctness of the certificate and not do a post
connection assertion. This might be a security issue though. Maybe someone
with some hands-on experience would be more helpful here.
Regards,
James S. Ford
Hi,
When sending a request (i.e. REGISTER) to a server I can compare the request
URI to the common name (or the alt dns name) in the certificate. If the
names match, I can conclude that the certificate is OK.
(I'm using OpenSSL, and they recommend this post connection assertion).
I have two questions though:
1 - What name should I use for comparison when accepting a connection?
Usually only the UAC will demand a certificate; I am concerned with the case
of two proxies trying to connect using TLS and the UAS proxy asking for
client certificates. (What URI will the UAS proxy have? There is no message
yet.)
2 - How should a broken connection be handled? Let's say UAC1 sent a request
over TLS to UAS1. The handshake went well and the request was sent. Then, for
some reason, the connection was broken and UAS1 now needs to reestablish the
connection. What should UAS1 do? Use TLS without certificates?
Regards,
Eron Stein
_______________________________________________
Sip mailing list https://www1.ietf.org/mailman/listinfo/sip
This list is for NEW development of the core SIP Protocol
Use sip-implementors@cs.columbia.edu for questions on current sip
Use sipping@ietf.org for new developments on the application of sip
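
The request-URI comparison described in the original question, as an added example that is not part of either message and is not OpenSSL code. It assumes the peer certificate is available as the dict returned by Python's `ssl.SSLSocket.getpeercert()`, that names are compared exactly (no wildcards), and that the CN is consulted only when the certificate has no DNS alternative names; the function names and sample certificates are constructed for illustration.

```python
import re

def sip_uri_host(uri):
    """Host part of a sip:/sips: URI, lowercased, without user, port or parameters."""
    m = re.match(r"(?i)^sips?:(?:[^@]*@)?([^:;?]+)", uri.strip())
    if not m:
        raise ValueError("not a SIP URI: %r" % (uri,))
    return m.group(1).lower().rstrip(".")

def cert_names(cert):
    """Names to compare against: SAN DNS entries, else the subject common name."""
    dns = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if dns:
        return dns  # assumption: CN is ignored once any SAN DNS name exists
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]

def cert_matches_request_uri(cert, request_uri):
    """True only if the request-URI host equals one of the certificate's names."""
    host = sip_uri_host(request_uri)
    return any(name.lower().rstrip(".") == host for name in cert_names(cert))

# Constructed sample certificates, in the dict shape getpeercert() returns.
SAN_CERT = {
    "subject": ((("organizationName", "Example"),),
                (("commonName", "legacy.example.com"),)),
    "subjectAltName": (("DNS", "registrar.example.com"),
                       ("DNS", "sip.example.com")),
}
CN_ONLY_CERT = {"subject": ((("commonName", "proxy.example.net"),),)}

if __name__ == "__main__":
    checks = [
        (SAN_CERT, "sips:alice@Registrar.Example.COM:5061;transport=tls"),
        (SAN_CERT, "sip:legacy.example.com"),   # CN only, SAN present: rejected
        (SAN_CERT, "sip:192.0.2.10"),           # IP address vs FQDN certificate
        (CN_ONLY_CERT, "sips:bob@proxy.example.net"),
    ]
    for cert, uri in checks:
        print(uri, "->", cert_matches_request_uri(cert, uri))
```

The third check shows the mismatch raised in point b of the reply: an IP address never matches a certificate issued to an FQDN.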