On 12/9/04 4:46 AM, "Todd Huang" <[EMAIL PROTECTED]> wrote:
> Mr. Jennings:
>
> Thanks for your kind answer.
>
> The following are some questions about the SIP TLS implementation.
>
> 1. Can the established TLS channel be held for the subsequent SIP messages?
> For example,

yes

> the client established the TLS channel with the proxy server before sending the Register
> message. Will the client send close_notify alert right after receiving the 200 OK from the
> server? Or can the client continuously use this TLS channel for the upcoming incoming
> or outgoing call?
>
> I had seen one implementation for the client to send close_notify alert right after the 401
> response. The client then established a new TLS channel to complete the SIP challenge
> response process. Is it correct?
>

The TLS channels should be kept up for a long time and can be used for many transactions. It should not be re-set up for each transaction.

> 2. Should the client get the server's certificate in advance to build the trusted CA list in order
> to verify server's certificate? How can we build the trusted CA list on client side?

No, it can get the cert when it does the TLS handshake, but it does need to have a list of trusted roots - I suggest the UA should have a configurable list of certificates for trusted roots.

>
> 3. I saw some documents mention the "name source verification" topic. The client should
> verify that the DNS name of the server matches the names found in the server certificate.

This is partially bogus.

> Since the DNS name might be in IP address or FQDN format, how can the client check it?

The client has a server it is trying to connect to. Say my aor is [EMAIL PROTECTED] - It tries to connect to fluffy.com. This can result in NAPTR, SRV, CNAME, AAAA, A record lookup and will eventually resolve to an IP. You connect to the IP - and the TLS server presents a cert. That cert MUST have a SubjectAltName with a DNS type entry that says "cisco.com" or the TLS connection should be shut down.
The SubjectAltName has to match the name you originally tried to connect to. Otherwise the TLS can be connected to a man in the middle. Does this make sense? Not sure I explained it very well.

>
> Thanks.
>
> Todd

_______________________________________________
Sip-implementors mailing list
[EMAIL PROTECTED]
http://lists.cs.columbia.edu/mailman/listinfo/sip-implementors
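The identity check described in the reply, as an added illustration that is not part of the original thread: the name looked for in the server certificate's SubjectAltName is the domain the client set out to reach (the host part of the AOR), not the host that NAPTR/SRV/CNAME resolution ended at and not the IP it connected to. The resolution table, the AORs and the SAN lists below are constructed sample data, and exact matching (no wildcards) is an assumption of this example.

```python
from typing import Dict, List, Tuple

def domain_from_aor(aor: str) -> str:
    """Host part of a sip:/sips: AOR, e.g. 'sip:alice@example.com' -> 'example.com'.
    Assumes a hostname (not a bracketed IPv6 literal); drops port and URI parameters."""
    uri = aor.split(":", 1)[1] if aor.lower().startswith(("sip:", "sips:")) else aor
    host = uri.rsplit("@", 1)[-1]
    host = host.split(";", 1)[0].split(":", 1)[0]
    return host.rstrip(".").lower()

def resolve_sip_target(domain: str) -> Tuple[str, str]:
    """Constructed stand-in for the NAPTR -> SRV -> A chain; no DNS is queried.
    Returns (srv_target_host, ip) from a fixed sample table."""
    table = {"example.com": ("sip-proxy1.example.com", "192.0.2.10")}
    return table[domain]

def san_matches_intended_domain(intended_domain: str,
                                san_entries: List[Tuple[str, str]]) -> bool:
    """Accept only when a dNSName SAN entry equals the domain the client set out to reach.
    iPAddress entries and the resolved SRV/A target are deliberately ignored: they come
    from DNS answers an on-path attacker could have supplied, so matching them would
    let a man in the middle present its own otherwise valid certificate."""
    want = intended_domain.rstrip(".").lower()
    return any(kind == "DNS" and value.rstrip(".").lower() == want
               for kind, value in san_entries)

def tls_connect_decision(aor: str, san_entries: List[Tuple[str, str]]) -> Dict[str, object]:
    """Resolve the AOR's domain, then decide whether the presented SAN list is acceptable."""
    intended = domain_from_aor(aor)
    srv_host, ip = resolve_sip_target(intended)
    return {"intended": intended, "srv_target": srv_host, "connected_to": ip,
            "accept": san_matches_intended_domain(intended, san_entries)}

# Constructed certificates, reduced to their SubjectAltName entries.
GOOD_SAN = [("DNS", "sip-proxy1.example.com"), ("DNS", "example.com"), ("IP", "192.0.2.10")]
SRV_TARGET_ONLY_SAN = [("DNS", "sip-proxy1.example.com"), ("IP", "192.0.2.10")]

if __name__ == "__main__":
    for san in (GOOD_SAN, SRV_TARGET_ONLY_SAN):
        print(tls_connect_decision("sip:alice@example.com", san))
```

The second certificate names the SRV target and the IP actually connected to, yet is rejected, because neither is the name the client originally tried to reach.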
