Jan Janak wrote:
Klaus,
> On Tue, Oct 13, 2009 at 2:19 PM, Klaus Darilion <klaus.mailinglists(a)pernau.at> wrote:
> [...]
>> Is this still valid - that we only configure tls on IP?
>> "name based" TLS "domains" were supported in Kamailio core, based on an AVP
>> set in script.
>
> But this only works for newly established connections, right? When a
> connection is already established (possibly with a different SSL
> context or when it is initiated from the other side), the code won't
> change the SSL context. Do I get it right?
Hi Jan!
I can't remember anymore how I implemented it. IIRC, if the
"TLS_AVP" was set, the TLS "client" did not try a matching "TLS
domain" based on IP:port, but on the string in the AVP.
This could be used for example, to use a certain client certificate and
CA-file depending on the called domain, regardless of the destination
IP:port.
Yes, this worked only for outgoing connections. For incoming
connections, I think the server_name extension can help a bit, but even
better would be support for "trusted_ca_keys".
Regarding existing connections - I do not know, I can't remember anymore.
regards
klaus