I want to implement SIP over TLS and I have encountered a problematic question:
The question concerns a situation where an incoming connection has to be authenticated with TLS, that is, a TLS handshake with client certificates. (That might be the situation between two proxies.)
As I understand it the side that initiated the connection has no problem authenticating the certificate since it knows the connection's desired destination, and can compare that destination address to the addresses found in the certificate.
The problem is with the side that receives the connection (the server). What domain name/IP should that proxy use to check if the certificate matches the connection address?
One possibility is to check the certificate against the source address of the incoming connection; that option might be problematic if the certificate contains a FQDN rather than a specific IP address.
Another possibility is to wait for the first message on the connection and compare the host field from the Via header to the common name in the certificate.
I would appreciate any comments, ideas or real world implementation data on the matter.
Regards, Eron Stein.
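An added example, not part of Eron's post, of the second strategy he describes: after the mutual TLS handshake, the server side pulls the sent-by host out of the topmost Via header of the first request and checks it against the identities in the client certificate, falling back to the Via check only when the certificate does not already contain the connection's source IP. The `CertIdentity` structure, the `check_incoming_peer` function and the sample certificate, source IP and INVITE are all constructed here for illustration; a real implementation would fill `CertIdentity` from the certificate's SAN extension (dNSName and iPAddress entries) and subject CN. The example shows the FQDN-versus-source-IP problem from the post: a certificate that carries only a DNS name cannot be matched against the peer's IP, but it can be matched against the Via host.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class CertIdentity:
    """Identities taken from a client certificate (hypothetical helper type;
    in practice these come from the SAN extension and the subject CN)."""
    common_name: Optional[str] = None
    dns_names: list = field(default_factory=list)
    ip_addresses: list = field(default_factory=list)


def via_sent_by_host(sip_message: str) -> Optional[str]:
    """Return the host from the sent-by of the topmost Via header, or None."""
    lines = sip_message.split("\r\n")
    for raw in lines[1:]:            # skip the request line
        if raw == "":                # blank line ends the headers
            break
        name, sep, value = raw.partition(":")
        if sep and name.strip().lower() in ("via", "v"):
            first_via = value.split(",")[0].strip()   # topmost Via if several
            parts = first_via.split(None, 1)          # "SIP/2.0/TLS", "host:port;params"
            if len(parts) != 2:
                return None
            sent_by = parts[1].split(";")[0].strip()  # drop branch and other params
            if sent_by.startswith("["):               # IPv6 reference "[addr]:port"
                end = sent_by.find("]")
                return sent_by[1:end] if end > 0 else None
            return sent_by.split(":")[0]              # strip optional port
    return None


def identity_matches(cert: CertIdentity, host: str) -> bool:
    """True if host (a DNS name or an IP literal) is one of the certificate's identities."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:
        # An IP literal only matches an iPAddress SAN entry, never a DNS name.
        return any(ipaddress.ip_address(a) == ip for a in cert.ip_addresses)
    names = [n.lower().rstrip(".") for n in cert.dns_names]
    if not names and cert.common_name:   # CN is consulted only when no dNSName SAN exists
        names = [cert.common_name.lower().rstrip(".")]
    return host.lower().rstrip(".") in names   # exact match only; no wildcard matching


def check_incoming_peer(cert: CertIdentity, source_ip: str, first_message: str) -> str:
    """Apply the two strategies from the post in order and report the outcome."""
    if identity_matches(cert, source_ip):
        return "accepted: certificate contains the source IP"
    host = via_sent_by_host(first_message)
    if host is None:
        return "rejected: no usable Via sent-by in first message"
    if identity_matches(cert, host):
        return f"accepted: certificate matches Via host {host}"
    return f"rejected: certificate does not match source IP {source_ip} or Via host {host}"


# Constructed sample data: a peer certificate carrying only a FQDN, the
# connection's source address, and the first request seen on the connection.
PEER_CERT = CertIdentity(common_name="proxy-a.example.com",
                         dns_names=["proxy-a.example.com"])
SOURCE_IP = "192.0.2.10"
FIRST_MESSAGE = (
    "INVITE sip:bob@example.net SIP/2.0\r\n"
    "Via: SIP/2.0/TLS proxy-a.example.com:5061;branch=z9hG4bK776asdhds\r\n"
    "Max-Forwards: 70\r\n"
    "From: <sip:alice@example.com>;tag=1928301774\r\n"
    "To: <sip:bob@example.net>\r\n"
    "Call-ID: a84b4c76e66710\r\n"
    "CSeq: 314159 INVITE\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

if __name__ == "__main__":
    print(check_incoming_peer(PEER_CERT, SOURCE_IP, FIRST_MESSAGE))
```

Note that the Via sent-by is written by the sender, so this check only confirms that the certificate presented in the handshake vouches for the identity the first message claims; whether that identity is a peer this proxy is willing to accept traffic from is a separate authorization decision.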
_______________________________________________ Sip-implementors mailing list [EMAIL PROTECTED] http://lists.cs.columbia.edu/mailman/listinfo/sip-implementors
