See inline ...
On 10/9/05, Alexander Ph. Lintenhofer lintenhofer@aon.at wrote:
Hello Cesc,
Thanks for your answer!
If you want just one setup, then you are forced to use the "less secure" setup so that your UAs can support it.
I think this is not a sufficient solution. Maybe it's possible to make black- or whitelists for authentication rules in future developments (just a quick'n'dirty idea).
Do you mean something like: if the connecting ip:port is in the whitelist, apply a less restrictive tls authentication (do not require a peer cert); if the connecting ip:port is not in the whitelist, or is in the blacklist, demand a stronger auth. Is that it? Note that you can only do these lists based on ip:port, as tls setup is previous to any sip exchange.
What I really think could work is to create a function (probably in a tls_utils module) which may allow you to perform the extra verification that you could not do at tls setup. I mean, you set up all tls asking for a certificate from the other peer, but do not require that it sends it. Then, from within the config file, you could use a special function and force ser to perform the extra verification on the tls (equivalent to tls_require_cert=1).
Just a thought ...
With NAPTR-lookup support, the t_relay_to_tls("specific domain","specific port") function could also be serviced by t_relay(), or am I wrong?
Indeed, it should work. I don't know if ser uses the lookups correctly ... t_relay should already work if your endpoint registered the contact over tls (transport=tls). For inter-proxy, either you rely on naptr or use the t_relay_to_tls.
Regards,
Cesc
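A sketch of the two-stage scheme discussed in the thread (request a peer certificate at handshake without requiring it, then decide per ip:port whether to enforce it), as an added Python example; it is not ser code, and the list entries, function names and the getpeercert() convention are assumptions made here.

```python
import ssl
import ipaddress

# Constructed sample lists (placeholders, not values from the thread):
# endpoints allowed to connect without a peer cert, and endpoints that
# must always present one. Only ip:port is available at this point,
# because TLS setup happens before any SIP exchange.
WHITELIST = {("192.0.2.10", 5061)}
BLACKLIST = {("198.51.100.7", 5061)}


def make_server_context(certfile=None, keyfile=None, cafile=None):
    """TLS context that asks the peer for a certificate but does not
    require one. Paths are optional so the context can be built
    (and inspected) without key material on hand."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.verify_mode = ssl.CERT_OPTIONAL  # request, do not require
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)
    if cafile:
        ctx.load_verify_locations(cafile)
    return ctx


def peer_cert_required(ip, port, whitelist=WHITELIST, blacklist=BLACKLIST):
    """Policy from the thread: whitelisted ip:port -> relaxed auth;
    not whitelisted, or blacklisted -> a peer cert is demanded."""
    ipaddress.ip_address(ip)  # reject malformed input before comparing
    key = (ip, int(port))
    if key in blacklist:
        return True
    return key not in whitelist


def enforce_peer_cert(ip, port, peer_cert):
    """Script-level check run after the handshake: the selective
    equivalent of tls_require_cert=1. peer_cert is what
    SSLSocket.getpeercert() returned (None when nothing was presented,
    a dict describing the validated cert otherwise)."""
    if not peer_cert_required(ip, port):
        return True
    return bool(peer_cert)
```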