5 Oct
2005
5 Oct
'05
11:10 p.m.
Hi everybody,
I want to test openser 0.10.x and its TLS capabilities. Therefore I plan
to install two proxies, sip.atlanta.com and sip.biloxi.com. Two users,
alice(a)atlanta.com and sip.biloxi.com, should communicate over the two
proxies secured by TLS. The UAs are snom360 phones.
------------------- -----------------
----------------- -----------------
| alice(a)atlanta.com | <-------> | sip.atlanta.com | <-------> |
sip.biloxi.com | <-------> | bob(a)biloxi.com |
------------------- -----------------
----------------- -----------------
Mutual authentication should take place between the UAC and the outbound
proxy, the two proxies and between the inbound proxy and the UAS.
The problem is that I am not sure about the organisation of the
certificate's infrastructure. I don't know which would be the best
solution to implement.
So please look at my suggestions and feel free to you make your comments.
1.. user certificate for alice(a)atlanta.com
2.. server certificate for sip.atlanta.com
3.. server certificate for sip.biloxi.com
4.. user certificate for bob.biloxi.com
The root certificate is self signed (Does this work with openser?)
a.) One common CA (=root) signs all components.
-----------
| CA |
-----------
/ / \ \
/ / \ \
/ | | \
--- --- --- ---
|1| |2| |3| |4|
--- --- --- ---
b.) Tow separate CAs (= each one's root) sign their proxy and UA. Mutual import of the
other domains root certificate takes place.
----- -----
|CA A | |CA B |
----- -----
/ \ / \
--- --- --- ---
|1| |2| |3| |4|
--- --- --- ---
c.) One common root signs two CAs which sign their proxy and UA.
-----------
| root-cert |
-----------
/ \
/ \
----- -----
|CA A | |CA B |
----- -----
/ \ / \
--- --- --- ---
|1| |2| |3| |4|
--- --- --- ---
Thank you very much for your help!
regards,
Philipp
6 Oct
6 Oct
2:42 a.m.
Hi,
All the structures you presented are valid and will work with openser
(openSSL in general).
The internal validation of the exchanged certs against the trusted roots can
be of several layers
(i think it is limited in openser's tls implementation, but for sure you can
have at least 5 levels).
Just add the CA's public key to the trusted certs file and voila! Note that
for option C you don't need
to add the root cert, just the two CA's certs.
See that the UA needs only the cert from its local proxy ... TLS is
hop-by-hop, so it doesn't care about
the remote proxy.
The simplest and easiest (if it is for testing purposes i mean) to implement
is option A, though if the
domains are separated/independant you most probably want something like
option C (each CA
generates certs for its local users, no need to "buy" a cert for each user
from a "real"
Certificate Authority, which cost money :D)
By the way ... the self-signed cert ... it will definitely work. That is the
main point of open stuff, right?
Regards,
Cesc
On 10/5/05, Alexander Ph. Lintenhofer <lintenhofer(a)aon.at> wrote:
Hi everybody,
I want to test openser 0.10.x and its TLS capabilities. Therefore I plan
to install two proxies, sip.atlanta.com <http://sip.atlanta.com> and
sip.biloxi.com <http://sip.biloxi.com>. Two users,
alice(a)atlanta.com and sip.biloxi.com <http://sip.biloxi.com>, should
communicate over the two
proxies secured by TLS. The UAs are snom360 phones.
------------------- -----------------
----------------- -----------------
| alice(a)atlanta.com | <-------> | sip.atlanta.com <http://sip.atlanta.com>|
<-------> |
sip.biloxi.com <http://sip.biloxi.com> | <-------> | bob(a)biloxi.com |
------------------- -----------------
----------------- -----------------
Mutual authentication should take place between the UAC and the outbound
proxy, the two proxies and between the inbound proxy and the UAS.
The problem is that I am not sure about the organisation of the
certificate's infrastructure. I don't know which would be the best
solution to implement.
So please look at my suggestions and feel free to you make your comments.
1.. user certificate for alice(a)atlanta.com
2.. server certificate for sip.atlanta.com <http://sip.atlanta.com>
3.. server certificate for sip.biloxi.com <http://sip.biloxi.com>
4.. user certificate for bob.biloxi.com <http://bob.biloxi.com>
The root certificate is self signed (Does this work with openser?)
a.) One common CA (=root) signs all components.
-----------
| CA |
-----------
/ / \ \
/ / \ \
/ | | \
--- --- --- ---
|1| |2| |3| |4|
--- --- --- ---
b.) Tow separate CAs (= each one's root) sign their proxy and UA. Mutual
import of the other domains root certificate takes place.
----- -----
|CA A | |CA B |
----- -----
/ \ / \
--- --- --- ---
|1| |2| |3| |4|
--- --- --- ---
c.) One common root signs two CAs which sign their proxy and UA.
-----------
| root-cert |
-----------
/ \
/ \
----- -----
|CA A | |CA B |
----- -----
/ \ / \
--- --- --- ---
|1| |2| |3| |4|
--- --- --- ---
Thank you very much for your help!
regards,
Philipp
_______________________________________________
Users mailing list
Users(a)openser.org
http://openser.org/cgi-bin/mailman/listinfo/users
6995
days inactive
6995
days old
1 comments
2 participants
participants (2)
-
Alexander Ph. Lintenhofer -
Cesc