2011/10/3 Evgeniy Khramtsov <xramt...@gmail.com>:
>> Since most of the SIP clients don't yet examine such SubjectAltName in
>> a received certificate, and none of them implements SNI, I strongly
>> think that it's much better for them to implement SubjectAltName
>> inspection (which is already defined for SIP) rather than implementing
>> SNI.
>>
>> Regards.
>
> As I understand, SubjectAltName won't work for virtual servers holding
> lots of separate certificates and listening on the same port.
Why not? The client wants to establish a TLS connection with domain "example1.org", so after DNS procedures it establishes a TLS connection with the server and the server sends its TLS certificate. Such certificate contains various SubjectAltName fields with values:

- sip:example1.org
- sip:example2.org
- sip:example3.org

The client checks that "sip:example1.org" is present so *that's all*.

And this is clearly explained in RFC 5922 (which updates RFC 3261): http://tools.ietf.org/html/rfc5922#section-7.1

Regards.

--
Iñaki Baz Castillo
<i...@aliax.net>

_______________________________________________
Sip-implementors mailing list
Sip-implementors@lists.cs.columbia.edu
https://lists.cs.columbia.edu/cucslists/listinfo/sip-implementors
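The client-side check described in the post (one shared certificate listing several sip: domains in SubjectAltName, the client looking for the domain it dialled), as an added example that is not part of the thread or of any SIP stack. It works on a certificate dictionary in the shape Python's `ssl.SSLSocket.getpeercert()` returns, so the constructed `SHARED_CERT` below stands in for a real peer certificate; the identity rules are a summary of RFC 5922 sections 7.1 and 7.2 (dNSName entries and bare `sip:domain` URI entries carry SIP domain identities, the subject CN counts only when there is no subjectAltName at all, comparison is case-insensitive and wildcards are not matched). Treating a URI with a port component as not a domain identity is a strict reading and an assumption of this example.

```python
"""Pick the SIP domain identities out of a received TLS certificate and
check whether the domain the client wanted is among them (RFC 5922 s7).

`cert` is a dict shaped like ssl.SSLSocket.getpeercert(): 'subject' is a
tuple of RDNs, each a tuple of (attribute, value) pairs; 'subjectAltName'
is a tuple of (type, value) pairs with type 'DNS' for dNSName and 'URI'
for uniformResourceIdentifier.
"""


def sip_domain_from_uri(uri):
    """Return the domain of a bare 'sip:domain' URI, or None when the URI
    is not a SIP domain identity (other scheme, userinfo present, empty or
    port-qualified host). URI parameters and headers are ignored."""
    scheme, sep, rest = uri.partition(":")
    if not sep or scheme.lower() != "sip":
        return None
    hostport = rest.split(";", 1)[0].split("?", 1)[0]
    if not hostport or "@" in hostport:
        return None  # sip:user@domain identifies a user, not a domain
    if ":" in hostport:
        return None  # assumption: a port component disqualifies the entry
    return hostport


def sip_domain_identities(cert):
    """Collect the SIP domain identities the certificate asserts.

    RFC 5922 s7.1: every dNSName entry is an identity, every sip:domain
    URI entry is an identity, other subjectAltName types are ignored, and
    the subject CN is consulted only if subjectAltName is absent."""
    identities = []
    san = cert.get("subjectAltName", ())
    for san_type, value in san:
        if san_type == "DNS":
            identities.append(value)
        elif san_type == "URI":
            domain = sip_domain_from_uri(value)
            if domain is not None:
                identities.append(domain)
    if not san:
        for rdn in cert.get("subject", ()):
            for attribute, value in rdn:
                if attribute == "commonName":
                    identities.append(value)
    return identities


def matches_sip_domain(cert, wanted):
    """True if `wanted` (the domain the client connected for) equals one of
    the certificate's SIP domain identities: case-insensitive exact match,
    trailing dots ignored, wildcard entries never matched (RFC 5922 s7.2)."""
    wanted = wanted.lower().rstrip(".")
    for identity in sip_domain_identities(cert):
        if "*" in identity:
            continue
        if identity.lower().rstrip(".") == wanted:
            return True
    return False


# Constructed sample certificate: one certificate that serves three SIP
# domains, as in the post, plus entries that must NOT count as domains.
SHARED_CERT = {
    "subject": ((("commonName", "sipproxy.example.net"),),),
    "subjectAltName": (
        ("URI", "sip:example1.org"),
        ("URI", "sip:example2.org"),
        ("URI", "sip:example3.org"),
        ("URI", "sip:alice@example1.org"),  # a user identity, not a domain
        ("DNS", "sipproxy.example.net"),
        ("email", "hostmaster@example.net"),  # ignored type
    ),
}

if __name__ == "__main__":
    for target in ("example1.org", "EXAMPLE2.org", "example4.org"):
        print(target, matches_sip_domain(SHARED_CERT, target))
```

Because the check keys on what the certificate already carries, the client needs no SNI: the server can present the same certificate for every domain it hosts and each client only has to find its own domain in the list. A client that instead wants a per-domain certificate from a shared port is the case the grandparent message raises, and that is where SNI would be needed.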