
RE: [Sip] TLS post connection verification



If element A wants to send a SIP message over TLS to a next hop called
foo.com, A needs to check that the SubjectAltName in the certificate
provided over the TLS connection to A matches foo.com. OpenSSL cannot do
this for you automatically; A needs to call SSL_get_peer_certificate
after A has connected. foo.com may request, and look at, the certificate of
A or may not depending on if mutual TLS is being done or not.

There is very little point in using TLS if you don't check that the server
you connected to is the server you meant to connect to. If all you know is
the IP address of the server and the server presents a certificate with a
FQDN, you are pretty much out of luck.

Cullen
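
As an added example (not code from the original thread), the post-connection check Cullen describes, written in Python against the dict that ssl.SSLSocket.getpeercert() returns; dNSName SAN entries are preferred and the subject commonName is consulted only when the certificate has no dNSName at all. Modern stacks do this step for you (Python's check_hostname, OpenSSL's SSL_set1_host), but the matching logic is the same, and the certificate dicts in the comments are constructed samples.

```python
"""Post-connection hostname check against a TLS peer certificate.

Operates on the dict returned by ssl.SSLSocket.getpeercert(), e.g.
(constructed sample)
{'subject': ((('commonName', 'foo.com'),),),
 'subjectAltName': (('DNS', 'foo.com'), ('DNS', '*.foo.com'))}
"""
import socket
import ssl


def _label_match(pattern: str, hostname: str) -> bool:
    """Case-insensitive match; a bare '*' leftmost label matches exactly one label."""
    p, h = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in p:
        return p == h
    p_labels, h_labels = p.split("."), h.split(".")
    # Only '*.example.com' style wildcards are honoured: no '*.com', no 'f*.com',
    # and the wildcard never spans labels ('*.foo.com' does not cover a.b.foo.com).
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def hostname_matches_cert(cert: dict, hostname: str) -> bool:
    """True if hostname is covered by a dNSName SAN, or by the subject CN when
    the certificate carries no dNSName entries at all (legacy fallback)."""
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:
        names = [v for rdn in cert.get("subject", ())
                 for k, v in rdn if k == "commonName"]
    # An IP address as `hostname` never matches a dNSName, which is the
    # "only know the IP, certificate has an FQDN" case from the thread.
    return any(_label_match(n, hostname) for n in names)


def connect_and_verify(host: str, port: int = 5061) -> ssl.SSLSocket:
    """Connect, let the context validate the chain, then apply the explicit
    name check on the peer certificate; close and fail if it does not match."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED plus chain validation
    tls = ctx.wrap_socket(socket.create_connection((host, port)),
                          server_hostname=host)
    if not hostname_matches_cert(tls.getpeercert(), host):
        tls.close()
        raise ssl.CertificateError(f"peer certificate does not name {host}")
    return tls
```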


> -----Original Message-----
> From: sip-admin@ietf.org [mailto:sip-admin@ietf.org]On Behalf Of Eron
> Stein
> Sent: Wednesday, March 19, 2003 6:14 AM
> To: sip@ietf.org
> Subject: [Sip] TLS post connection verification
>
>
> Hi,
>
> When sending a request (i.e. REGISTER) to a server I can compare the request
> URI to the common name (or the alt DNS name) in the certificate. If the
> names match, I can conclude that the certificate is OK.
> (I'm using OpenSSL, and they recommend this post-connection assertion).
>
> I have two questions though:
>
> 1 - What name should I use for comparison when accepting a connection?
> Usually only the UAC will demand a certificate; I am concerned with the case of
> two proxies trying to connect using TLS and the UAS proxy asking for client
> certificates. (What URI will the UAS proxy have? There is no message yet.)
>
> 2 - How should a broken connection be handled? Let's say UAC1 sent a request
> over TLS to UAS1. The handshake went well and the request was sent. Then for
> some reason the connection was broken and UAS1 now needs to reestablish the
> connection. What should UAS1 do? Use TLS without certificates?
>
>
> Regards,
> Eron Stein
>

_______________________________________________
Sip mailing list  https://www1.ietf.org/mailman/listinfo/sip
This list is for NEW development of the core SIP Protocol
Use sip-implementors@cs.columbia.edu for questions on current sip
Use sipping@ietf.org for new developments on the application of sip