On 11/07/2011 03:47 PM, Iñaki Baz Castillo wrote:
> Hi, when I contact https://github.com I get two certificates:
>
>
> 1) "CA: DigiCert High Assurance EV CA-1". This is *not* a Root CA
> certificate, instead it is issued/signed by a Root CA named "DigiCert
> High Assurance EV Root CA".
>
> 2) GitHub's own certificate. This is issued/signed by the previous
> certificate ("CA: DigiCert High Assurance EV CA-1").
>
>
> So my web browser (that includes the list of Root CA certificates)
> inspects both certificates, realizes that the first one is an
> intermediate CA certificate, verifies it and then verifies the second
> certificate using it. So the TLS connection gets verified.
>
>
> Now my question: is the same possible in SIP? That is, can a SIP
> device (UAC, proxy, UAS) present two certificates as above? I've never
> read about it for SIP.

This behavior is part of TLS itself, not the application protocol. Your
'web browser' doesn't inspect the certificates at all; it asks the TLS
library that it uses to do so (and probably also indicates where the list
of 'trusted CA certificates' exists on your system).

I believe this should work just fine for SIP UAs that are using SIP over
TLS; the certificate exchange(s) will occur during the TLS negotiation and
the TLS libraries at both ends will validate them before telling the
application layer that the connection has been established.

--
Kevin P. Fleming
Digium, Inc. | Director of Software Technologies
Jabber: [email protected] | SIP: [email protected] | Skype: kpfleming
445 Jan Davis Drive NW - Huntsville, AL 35806 - USA
Check us out at www.digium.com & www.asterisk.org
_______________________________________________
Sip-implementors mailing list
[email protected]
https://lists.cs.columbia.edu/cucslists/listinfo/sip-implementors
