Hi! If a TLS connection fails - can't agree on cipher, TLS certificate failure or something similar - is that a failure according to RFC 3263 that makes a client try next possible connection in the list?
RFC 3263: "For SIP requests, failure occurs if the transaction layer reports a 503 error response or a transport failure of some sort (generally, due to fatal ICMP errors in UDP or connection failures in TCP). Failure also occurs if the transaction layer times out without ever having received any response, provisional or final (i.e., timer B or timer F in RFC 3261 [1] fires). " RFC 3261, 26.2.2 (SIPS discussion) "Certificates received in the authentication process SHOULD be validated with root certificates held by the client; failure to validate a certificate SHOULD result in the failure of the request." I don't see any discussion about this in RFC 5922 (SIP Domain certs) or 5630 (Clarification of SIPS). Personally I would like to treat TLS failures of this kind as a transport error so that a UA can continue trying in the SRV list. An UPSIDE in the light of Opporunistic Security (RFC 7435) would be that I can set up a REALLY, REALLY secure TLS 1.2 server on the first priority. On the second priority I can set up something that would enable encryption for poor TLS implementations, but not be treated as secure connections (in the OS style). /O _______________________________________________ Sip-implementors mailing list Sip-implementors@lists.cs.columbia.edu https://lists.cs.columbia.edu/mailman/listinfo/sip-implementors
