Hi,
Is there a possibility to check a client certificate against a CRL? Is this already implemented or are there plans to do such?
Is it a good idea to use client certs? Or is the effort to realize that too much? Cause the benefits from authenticating a client only for the TLS connection aren't that much. And authentication against a DB is done later on in OpenSER as well. (authentication is done twice)
What do you think?
chris...
Christoph Fürstaller wrote:
> Hi,
> Is there a possibility to check a client certificate against a CRL? Is this already implemented or are there plans to do such?
It is not implemented in openser. I have no plans, but it is easy to do: There are certain openSSL functions to load the CRL list. You only have to add a configuration parameter for the location of the CRL, and then during initiation of the TLS domains load the CRL.
> Is it a good idea to use client certs? Or is the effort to realize that too much? Cause the benefits from authenticating a client only for the TLS connection aren't that much. And authentication against a DB is done later on in OpenSER as well. (authentication is done twice)
When using SIP digest authentication to authenticate, IMO there is no need to require a certificate from the SIP client.
regards klaus
> What do you think?
> chris...
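The reply above describes loading a CRL and checking client certificates against it. As an added example (not from the thread or from OpenSER's code), this script shows the effect of that check with the `openssl` command-line tool rather than the library calls a server would make: the same client certificate verifies against a CRL with no entries and is rejected once the CA revokes it. The CA name, client name and file names are constructed for the demo.

```shell
#!/bin/sh
# Constructed demo PKI: "Demo CA", "sip-client" and every file name are made up.
write_conf() {  # minimal config shared by `openssl req` and `openssl ca`
cat > ca.cnf <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[ dn ]
CN = Demo CA
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[ ca ]
default_ca = demo
[ demo ]
database = index.txt
certificate = ca.pem
private_key = ca.key
default_md = sha256
default_crl_days = 7
EOF
}

setup_pki() {  # $1 = empty dir: CA, client certificate, and a CRL with no entries
  ( cd "$1" && write_conf && : > index.txt &&
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config ca.cnf \
        -keyout ca.key -out ca.pem &&
    openssl req -new -newkey rsa:2048 -nodes -config ca.cnf \
        -subj "/CN=sip-client" -keyout client.key -out client.csr &&
    openssl x509 -req -in client.csr -CA ca.pem -CAkey ca.key \
        -set_serial 2 -days 30 -out client.pem &&
    openssl ca -config ca.cnf -gencrl -out crl.pem ) >/dev/null 2>&1
}

revoke_client() {  # $1 = PKI dir: mark client.pem revoked and reissue the CRL
  ( cd "$1" && openssl ca -config ca.cnf -revoke client.pem &&
    openssl ca -config ca.cnf -gencrl -out crl.pem ) >/dev/null 2>&1
}

verify_client() {  # $1 = PKI dir: status 0 only if the chain is valid and not revoked
  ( cd "$1" && openssl verify -CAfile ca.pem -CRLfile crl.pem \
        -crl_check client.pem ) >/dev/null 2>&1
}

d=$(mktemp -d) && setup_pki "$d" || exit 1
verify_client "$d" && echo "before revocation: accepted"
revoke_client "$d"
verify_client "$d" || echo "after revocation: rejected"
rm -rf "$d"
```

With `-crl_check` set, verification also fails when no CRL for the issuer is available or the CRL has passed its next-update time, so a server that enables this check has to keep the file it loads current.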