6 jul 2011 kl. 14.24 skrev Olle E. Johansson:
6 jul 2011 kl. 14.03 skrev IƱaki Baz Castillo:
2011/7/6 Olle E. Johansson
<oej(a)edvina.net>et>:
2011/7/6
Olle E. Johansson <oej(a)edvina.net>et>:
> So what does Kamailio say if I have SIPS target URI and my NAPTR doesn't have any
entries for TLS?
Based on RFC 3263 (which I've studied recently in deep) Kamailio
should discard NAPTR records whose "service" field has not SIPS+XXX.
So at the end it's like if there are not NAPTR records.
Then it should perform _sips._tcp SRV for the RURI domain. If there
is, use its records.
If not, the perform A/AAAA DNS resolution for the RURI domain and
choose port 5061 (default por TLS).
And what's the response code if there's no target found?
I asked fot this in sip.implementors. It would be the very same as if
the domain does not exist (A record) which also is unclear which
response deservers. Some people suggested 404, others 604...
As I hate 6XX responses I would generate a 404.
But in case the domain exists but does not listen TLS connections,
then again it's not defined which exact response code to return by the
proxy. Kamailio uses 478 custom response (maybe it's other code). Note
however that due to a limitation in TCP/TLS async mode [*] Kamailio
returns 408 after fr_timer.
[*]
http://sip-router.org/tracker/index.php?do=details&task_id=136
That's interesting.
There are two warning codes registred with IANA that touches SIPS:
380 SIPS Not Allowed: The UAS or proxy cannot process [RFC5630]
the request because the SIPS scheme is not allowed
(e.g., because there are currently no registered
SIPS Contacts).
381 SIPS Required: The UAS or proxy cannot process the [RFC5630]
request because the SIPS scheme is required.
In this case, warning: 381 might be a good one.
Now, how should we do if we forward a response and the certificate doesn't match?
Just drop the response?
There's a new RFC with SIp security call flows, Gotta check that one for reference as
well.