On Thu, May 21, 2015 at 10:23 AM, Iñaki Baz Castillo <i...@aliax.net> wrote:
> 2015-05-20 23:13 GMT+02:00 Roman Shpount <ro...@telurix.com>:
> > I think RFC 7118 example 8.2 is missing the language that WSS is used based
> > on the local client policy. This would make the entire example correct and
> > compliant with RFC 3621. From my point of view this is more of an editorial
> > nit than an actual specification issue, but this can be discussed in more
> > detail in sipcore.
>
> Let's clarify that in all the examples the client is connecting to an
> Outbound proxy, so it makes a LOT of sense that it wants to keep and
> reuse the single connection it opened with the Outbound proxy for any
> future request (initial or in-dialog). That seems "implicit local
> policy" IMHO, but yes, it should be specified somewhere.
>
> And IMHO the issue is in
> http://tools.ietf.org/html/rfc5630#section-3.1.3. Let's continue with
> it:
>
> --------------------------------------
> If one wants to use "best-effort TLS" for SIP, one just needs to use
> a SIP URI, and send the request over TLS.
>
> Using SIP over TLS is very simple. A UA opens a TLS connection and
> uses SIP URIs instead of SIPS URIs for all the header fields in a SIP
> message (From, To, Request-URI, Contact header field, Route, etc.).
> When TLS is used, the Via header field indicates TLS.
> ---------------------------------------
>
> There is the "problem". Given that initial "sip" INVITE sent over TLS,
> how is the proxy supposed to indicate to the client that it should send
> ACK and any in-dialog request over the same connection? There is no
> way for the proxy to indicate that, and there is the problem IMHO.

I agree there is a real use case for the proxy to specify that it wants to use "best effort TLS" for one hop only. I doubt we will get it adopted though, since the IETF has now adopted a policy that everything must be secure, so they will not adopt "partially secure" solutions.
In general, some sort of language that in practical deployments a client would typically use a local policy to send all the SIP messages through a pre-configured WSS proxy would make a lot of sense.

_____________
Roman Shpount

_______________________________________________
Sip-implementors mailing list
Sip-implementors@lists.cs.columbia.edu
https://lists.cs.columbia.edu/mailman/listinfo/sip-implementors
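An added illustration of the two points argued above (not code from the thread, RFC 5630 or RFC 7118): the "best-effort TLS" pattern of sip: URIs carried over an encrypted hop, and why a plain sip: route set gives an in-dialog request no transport guarantee unless a local outbound-proxy policy is applied. The SIP message, hosts and proxy URI are constructed placeholders.

```python
import re

# Constructed sample (placeholder hosts): a "best-effort TLS" INVITE in the sense of
# RFC 5630 s3.1.3, i.e. sip: URIs everywhere, while the top Via shows the hop was
# sent over an encrypted transport (WSS, the RFC 7118 WebSocket transport).
SAMPLE_INVITE = (
    "INVITE sip:bob@example.com SIP/2.0\r\n"
    "Via: SIP/2.0/WSS df7jal23ls0d.invalid;branch=z9hG4bKhjhs8ass877\r\n"
    "From: <sip:alice@example.com>;tag=1928301774\r\n"
    "To: <sip:bob@example.com>\r\n"
    "Contact: <sip:alice@df7jal23ls0d.invalid;transport=wss>\r\n"
    "\r\n"
)
ENCRYPTED_TRANSPORTS = {"TLS", "WSS"}  # hop-by-hop encrypted SIP transports


def classify_request(msg):
    """Return 'sips', 'best-effort-tls' or 'cleartext' from the Request-URI
    scheme and the transport token of the top Via header."""
    lines = msg.split("\r\n")
    scheme = re.match(r"^\S+\s+(sips?):", lines[0])
    via = next((l for l in lines[1:] if l.lower().startswith("via:")), "")
    transport = re.match(r"via:\s*SIP/2\.0/(\w+)", via, re.I)
    if not scheme or not transport:
        raise ValueError("missing Request-URI scheme or Via transport")
    if scheme.group(1) == "sips":
        return "sips"
    encrypted = transport.group(1).upper() in ENCRYPTED_TRANSPORTS
    return "best-effort-tls" if encrypted else "cleartext"


def uri_hop_encrypted(uri):
    """Does this URI by itself require an encrypted transport for the next hop?
    Only a sips: scheme or an explicit transport=tls/wss parameter does."""
    u = uri.strip("<>")
    return u.startswith("sips:") or bool(re.search(r";transport=(tls|wss)\b", u, re.I))


def in_dialog_next_hop(record_routes, remote_contact, outbound_proxy=None):
    """Pick the target of an in-dialog request (ACK, BYE, re-INVITE) and whether
    that hop is guaranteed encrypted. Without a local policy the RFC 3261 route
    set decides, and plain sip: URIs carry no TLS requirement; with the
    pre-configured outbound proxy (the thread's local policy) the UA keeps using
    the connection it already opened to that proxy."""
    if outbound_proxy:
        return outbound_proxy, uri_hop_encrypted(outbound_proxy)
    route_set = list(reversed(record_routes))  # UAC reverses Record-Route order
    target = route_set[0] if route_set else remote_contact
    return target, uri_hop_encrypted(target)
```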