2011/11/8 Kevin P. Fleming <[email protected]>:
>> So my web browser (that includes the list of Root CA certificates)
>> inspects both certificates, realizes that the first one is an
>> intermediate CA certificate, verifies it and then verifies the second
>> certificate using it. So the TLS connection gets verified.
>>
>>
>> Now my question: is the same possible in SIP? That is, can a SIP
>> device (UAC, proxy, UAS) present two certificates as above? I've never
>> read about it for SIP.
>
> This behavior is part of TLS itself, not the application protocol. Your
> 'web browser' doesn't inspect the certificates at all, it asks the TLS
> library that it uses to do so (and probably also indicates where the
> list of 'trusted CA certificates' exists on your system).
>
> I believe this should work just fine for SIP UAs that are using SIP over
> TLS; the certificate exchange(s) will occur during the TLS negotiation
> and the TLS libraries at both ends will validate them before telling the
> application layer that the connection has been established.
Thanks. The point here is that I'm also coding the TLS part, so I need to know how to accomplish it :)

But I already have it working. Indeed, as you say, OpenSSL allows verifying a certificate given not just that certificate but also the other intermediate CA certificate(s), so finally the Root CAs (present in the system) validate the intermediate CA and the intermediate validates the domain certificate. So it gets verified :)

Also, in order to present two certificates (the domain certificate and the intermediate CA), the way to do that is by concatenating both certificates (first the domain certificate).

Regards.

--
Iñaki Baz Castillo
<[email protected]>

_______________________________________________
Sip-implementors mailing list
[email protected]
https://lists.cs.columbia.edu/cucslists/listinfo/sip-implementors
