On 8 Nov 2011, at 22:06, Kevin P. Fleming wrote:

> On 11/08/2011 02:54 PM, Iñaki Baz Castillo wrote:
>> 2011/11/8 Kevin P. Fleming <[email protected]>:
>>>> So my web browser (that includes the list of Root CA certificates)
>>>> inspects both certificates, realizes that the first one is an
>>>> intermediate CA certificate, verifies it and then verifies the second
>>>> certificate using it. So the TLS connection gets verified.
>>>>
>>>> Now my question: is the same possible in SIP? That is, can a SIP
>>>> device (UAC, proxy, UAS) present two certificates as above? I've never
>>>> read about it for SIP.
>>>
>>> This behavior is part of TLS itself, not the application protocol. Your
>>> 'web browser' doesn't inspect the certificates at all, it asks the TLS
>>> library that it uses to do so (and probably also indicates where the
>>> list of 'trusted CA certificates' exists on your system).
>>>
>>> I believe this should work just fine for SIP UAs that are using SIP over
>>> TLS; the certificate exchange(s) will occur during the TLS negotiation
>>> and the TLS libraries at both ends will validate them before telling the
>>> application layer that the connection has been established.
>>
>> Thanks. The point here is that I'm also coding the TLS part, so I need
>> to know how to accomplish it :)
>>
>> But I already have it working. Indeed, as you say, OpenSSL allows
>> verifying a certificate given not just that certificate but also other
>> intermediate CA certificate(s), so finally the Root CAs (present in the
>> system) validate the intermediate CA and the intermediate validates
>> the domain certificate. So it gets verified :)
>>
>> Also, in order to present two certificates (the domain certificate and
>> the intermediate CA), the way to do that is by concatenating both
>> certificates (first the domain certificate).
>
> Right; all of this is standard TLS behavior, and doesn't have to be
> modified for SIP at all.
While it's part of TLS and certainly part of OpenSSL, I'm not that sure that every TLS/SSL implementation supports this. Even in Apache, which uses OpenSSL, you have a separate configuration setting. There are reasons to inform developers about this need, and the need for testing it. We should add intermediate certs to the SIPit TLS test suite.

/O

_______________________________________________
Sip-implementors mailing list
[email protected]
https://lists.cs.columbia.edu/cucslists/listinfo/sip-implementors
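Added example, not part of the thread above and not code from either poster. The script below uses the openssl command-line tool to build a root CA, an intermediate CA and a domain certificate, and then reproduces the two checks Iñaki describes: a peer that trusts only the root rejects the domain certificate presented on its own, but given the concatenated file (domain certificate first, then the intermediate) it can build the path, with the intermediate used as untrusted chain material rather than as a trust anchor. That file layout is the one OpenSSL's SSL_CTX_use_certificate_chain_file() reads, and is what mod_ssl's separate SSLCertificateChainFile directive (the Apache setting Olle refers to) used to supply. Everything here is constructed: the CA names, the sip.example.com identity, and the assumption of an OpenSSL 1.1.1 or newer binary on PATH.

```shell
#!/bin/sh
# Added example, not code from the thread. Builds root -> intermediate -> domain
# certificate with the openssl CLI (assumed: OpenSSL 1.1.1+ on PATH) and shows
# why the intermediate has to be presented together with the domain certificate.
# All names (Example Root CA, sip.example.com, ...) are made up for this demo.

# Write a three-tier chain into the directory given as $1.
make_chain() {
    d=$1
    cat > "$d/ext.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = overridden by -subj
[ ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ leaf ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
# RFC 5922 carries the SIP domain in a URI SAN; the DNS name is the usual fallback.
subjectAltName = URI:sip:sip.example.com, DNS:sip.example.com
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
    # Root CA: self-signed, CA:TRUE. This is the only thing the peer trusts.
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 2 \
        -config "$d/ext.cnf" -extensions ca -subj "/CN=Example Root CA" \
        -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null || return 1
    # Intermediate CA: signed by the root, also CA:TRUE.
    openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$d/ext.cnf" \
        -subj "/CN=Example Intermediate CA" \
        -keyout "$d/inter.key" -out "$d/inter.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$d/inter.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -set_serial 1001 -days 2 -sha256 -extfile "$d/ext.cnf" -extensions ca \
        -out "$d/inter.pem" 2>/dev/null || return 1
    # Domain (end-entity) certificate: signed by the intermediate, not the root.
    openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$d/ext.cnf" \
        -subj "/CN=sip.example.com" \
        -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/inter.pem" -CAkey "$d/inter.key" \
        -set_serial 2001 -days 2 -sha256 -extfile "$d/ext.cnf" -extensions leaf \
        -out "$d/leaf.pem" 2>/dev/null || return 1
    # What the SIP UA loads and presents: domain certificate FIRST, then the
    # intermediate. This is the layout SSL_CTX_use_certificate_chain_file() reads.
    cat "$d/leaf.pem" "$d/inter.pem" > "$d/chain.pem"
}

# Peer trusts only the root and is shown the domain certificate alone:
# path building fails ("unable to get local issuer certificate"), exit code 2.
verify_leaf_alone() {
    openssl verify -CAfile "$1/root.pem" "$1/leaf.pem" >/dev/null 2>&1
}

# Peer trusts only the root and is shown the whole presented chain. The first
# certificate is the end entity; the rest is -untrusted path material, so the
# intermediate can never act as a trust anchor on its own.
verify_presented_chain() {
    openssl x509 -in "$1/chain.pem" -out "$1/presented_leaf.pem" 2>/dev/null || return 1
    openssl verify -CAfile "$1/root.pem" -untrusted "$1/chain.pem" \
        "$1/presented_leaf.pem" >/dev/null 2>&1
}

# Number of PEM certificates in a file (chain.pem should hold 2).
count_certs() {
    grep -c 'BEGIN CERTIFICATE' "$1"
}

# Subject of the first certificate in a file; for chain.pem that must be the
# domain certificate, otherwise the library would offer the intermediate as
# the server's own certificate.
first_subject() {
    openssl x509 -in "$1" -noout -subject 2>/dev/null
}

demo() {
    d=$(mktemp -d)
    make_chain "$d" || { echo "chain generation failed"; exit 1; }
    echo "chain.pem: $(count_certs "$d/chain.pem") certificates, first is '$(first_subject "$d/chain.pem")'"
    if verify_leaf_alone "$d"; then
        echo "domain certificate alone: OK (unexpected)"
    else
        echo "domain certificate alone: rejected, no path to the root"
    fi
    if verify_presented_chain "$d"; then
        echo "domain certificate + intermediate: OK"
    else
        echo "domain certificate + intermediate: rejected (unexpected)"
    fi
    rm -rf "$d"
}

demo
```

To check a live SIP-over-TLS peer the same way, `openssl s_client -connect host:5061 -CAfile root.pem -showcerts` prints every certificate the server actually sent, so a missing intermediate shows up as a one-certificate list plus a verify error.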
