On 11/08/2011 02:54 PM, Iñaki Baz Castillo wrote:
> 2011/11/8 Kevin P. Fleming <[email protected]>:
>>> So my web browser (that includes the list of Root CA certificates)
>>> inspects both certificates, realizes that the first one is an
>>> intermediate CA certificate, verifies it and then verifies the second
>>> certificate using it. So the TLS connection gets verified.
>>>
>>> Now my question: is the same possible in SIP? That is, can a SIP
>>> device (UAC, proxy, UAS) present two certificates as above? I've never
>>> read about it for SIP.
>>
>> This behavior is part of TLS itself, not the application protocol. Your
>> 'web browser' doesn't inspect the certificates at all; it asks the TLS
>> library that it uses to do so (and probably also indicates where the
>> list of 'trusted CA certificates' exists on your system).
>>
>> I believe this should work just fine for SIP UAs that are using SIP over
>> TLS; the certificate exchange(s) will occur during the TLS negotiation
>> and the TLS libraries at both ends will validate them before telling the
>> application layer that the connection has been established.
>
> Thanks. The point here is that I'm also coding the TLS part, so I need
> to know how to accomplish it :)
>
> But I already have it working. Indeed, as you say, OpenSSL allows
> verifying a certificate given not just that certificate but also other
> intermediate CA certificate(s), so finally the Root CAs (present in the
> system) validate the intermediate CA and the intermediate validates
> the domain certificate. So it gets verified :)
>
> Also, in order to present two certificates (the domain certificate and
> the intermediate CA), the way to do that is by concatenating both
> certificates (first the domain certificate).
Right; all of this is standard TLS behavior, and doesn't have to be modified for SIP at all.

-- 
Kevin P. Fleming
Digium, Inc. | Director of Software Technologies
Jabber: [email protected] | SIP: [email protected] | Skype: kpfleming
445 Jan Davis Drive NW - Huntsville, AL 35806 - USA
Check us out at www.digium.com & www.asterisk.org

_______________________________________________
Sip-implementors mailing list
[email protected]
https://lists.cs.columbia.edu/cucslists/listinfo/sip-implementors
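The thread describes the two halves of the mechanism: the server side concatenates the domain certificate and the intermediate CA certificate (domain certificate first), and the peer's TLS library uses the received intermediate to link that domain certificate to a root it already trusts. The following POSIX shell script is an added example, not code from the thread or from either poster; it drives the openssl command-line tool to build a root CA, an intermediate CA and a domain certificate, writes the leaf-first bundle a server would present, and then verifies the leaf against a trust store holding only the root, once with the bundle and once without it. The CA names, the hostname sip.example.com, the file names and the minimal config file are all constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): root -> intermediate -> leaf
# PKI built with the openssl CLI, showing why the intermediate must be sent
# along with the domain certificate. All names and file names are constructed.
set -eu

# Minimal openssl config so the run does not depend on the system openssl.cnf.
# v3_ca marks a certificate as a CA (CA:TRUE, keyCertSign); v3_leaf does not.
write_config() {
    cat > "$1/pki.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ v3_leaf ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:sip.example.com
EOF
}

# Generate the three key pairs and certificates in directory $1.
build_pki() {
    dir="$1"
    write_config "$dir"
    for name in root inter leaf; do
        openssl ecparam -name prime256v1 -genkey -noout -out "$dir/$name.key" 2>/dev/null
    done
    # Self-signed root: plays the role of the trust anchor installed on the peer.
    openssl req -new -x509 -config "$dir/pki.cnf" -extensions v3_ca \
        -key "$dir/root.key" -subj "/CN=Example Root CA" -days 365 \
        -out "$dir/root.pem" 2>/dev/null
    # Intermediate CA: request signed by the root, with CA:TRUE extensions.
    openssl req -new -config "$dir/pki.cnf" -key "$dir/inter.key" \
        -subj "/CN=Example Intermediate CA" -out "$dir/inter.csr" 2>/dev/null
    openssl x509 -req -in "$dir/inter.csr" -CA "$dir/root.pem" -CAkey "$dir/root.key" \
        -CAcreateserial -days 365 -extfile "$dir/pki.cnf" -extensions v3_ca \
        -out "$dir/inter.pem" 2>/dev/null
    # Domain certificate: signed by the intermediate, never by the root directly.
    openssl req -new -config "$dir/pki.cnf" -key "$dir/leaf.key" \
        -subj "/CN=sip.example.com" -out "$dir/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/inter.pem" -CAkey "$dir/inter.key" \
        -CAcreateserial -days 365 -extfile "$dir/pki.cnf" -extensions v3_leaf \
        -out "$dir/leaf.pem" 2>/dev/null
    # What the SIP-over-TLS server presents: domain certificate FIRST, then the
    # intermediate. This leaf-first order is what OpenSSL's
    # SSL_CTX_use_certificate_chain_file() expects when loading a PEM bundle.
    cat "$dir/leaf.pem" "$dir/inter.pem" > "$dir/chain.pem"
}

# Peer side: trust only the root, receive the bundle. The intermediate found in
# the bundle (-untrusted, i.e. not a trust anchor) links the leaf to the root.
verify_with_chain() {
    openssl verify -CAfile "$1/root.pem" -untrusted "$1/chain.pem" "$1/leaf.pem" >/dev/null 2>&1
}

# Same trust store, but only the domain certificate was received: the issuer
# cannot be found, so OpenSSL rejects it ("unable to get local issuer certificate").
verify_leaf_only() {
    openssl verify -CAfile "$1/root.pem" "$1/leaf.pem" >/dev/null 2>&1
}

# Number of PEM certificates in a bundle.
cert_count() {
    grep -c 'BEGIN CERTIFICATE' "$1"
}

# Subject CN of the first certificate in a bundle; TLS libraries treat that
# first entry as the end-entity certificate, which is why the order matters.
first_subject_cn() {
    openssl x509 -in "$1" -noout -subject | sed 's/.*CN *= *//'
}

# Stand-alone demonstration run.
WORK="$(mktemp -d)"
build_pki "$WORK"
if verify_with_chain "$WORK"; then echo "leaf + intermediate bundle: verified"; fi
if verify_leaf_only "$WORK"; then echo "leaf alone: verified (unexpected)"
else echo "leaf alone: rejected, issuer not found"; fi
rm -rf "$WORK"
```

The `-untrusted` argument to `openssl verify` is the command-line stand-in for what the peer's TLS library does automatically: certificates received in the handshake are candidate chain links but never trust anchors, and only the root in `-CAfile` (the system trust store in practice) can terminate the chain.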
