Hi,

A few questions about TLS. I apologise that they're kind of idiotic, I'm
new to SIP over TLS. I have been a big supporter of LetsDecrypt, a
certificate authority sponsored by the NSA. :-)

1. Are wildcard certificates (commonName of *.domain.com) permitted for
SIP-TLS?

RFC 5922 § 7.2 seems to suggest they are not:

   Implementations MUST NOT match any form of wildcard, such as a
   leading "." or "*." with any other DNS label or sequence of
   labels.  For example, "*.example.com" matches only
   "*.example.com" but not "foo.example.com".  Similarly,
   ".example.com" matches only ".example.com", and does not match
   "foo.example.com".

      RFC 2818 [7] (HTTP over TLS) allows the dNSName component to
      contain a wildcard; e.g., "DNS:*.example.com".  RFC 5280
      [6], while not disallowing this explicitly, leaves the
      interpretation of wildcards to the individual specification.
      RFC 3261 [2] does not provide any guidelines on the presence
      of wildcards in certificates.  Through the rule above, this
      document prohibits such wildcards in certificates for SIP
      domains.

Is this true in the wild? If so, how to deal with a SIP server that
serves multiple domains but supports only one certificate and key pair?

2. Is ';transport=tls' or ';transport=TLS' appropriate? I've seen both,
but which one is correct?

3. Does a 'sips:' URI scheme imply ';transport=tls', or must the latter
be explicitly included? In other words, will a 'sips:' URI like
'sips:5551...@domain.com' be constructed to be
'sips:5551...@domain.com;transport=tls'?

4. Is a 'sips:' URI scheme mandatory for secure transport? What are the
implications of a 'sip:' URI with ';transport=tls' affixed?

5. Is it permitted for a proxy to bend a 'sips:' Request URI scheme to
'sip:' when adapting TLS to an insecure transport?

Many thanks!

-- Alex

-- 
Alex Balashov | Principal | Evariste Systems LLC

Tel: +1-706-510-6800 / +1-800-250-5920 (toll-free) 
Web: http://www.evaristesys.com/, http://www.csrpswitch.com/
_______________________________________________
Sip-implementors mailing list
Sip-implementors@lists.cs.columbia.edu
https://lists.cs.columbia.edu/mailman/listinfo/sip-implementors

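As an added illustration of the RFC 5922 § 7.2 rule quoted in question 1 (example code written for this thread, not part of the original post or of any SIP stack): it collects the certificate identities the way RFC 5922 § 7.1 describes (subjectAltName "sip:" URIs, subjectAltName dNSName entries, and the subject CN only as a fallback), applies the exact-match rule, and contrasts it with the RFC 2818 style wildcard matching that HTTPS clients use. The input identities are constructed sample values; IPv6 literals in "sip:" URIs are not handled.

```python
# Added example: SIP domain identity matching per RFC 5922 section 7.2,
# alongside RFC 2818 style matching for contrast. Not code from the post.
from typing import Iterable, List, Optional


def _normalize(name: str) -> str:
    # DNS names compare case-insensitively; ignore a single trailing dot.
    return name.strip().rstrip(".").lower()


def extract_sip_identities(san_uris: Iterable[str], san_dns: Iterable[str],
                           cn: Optional[str] = None) -> List[str]:
    # Collect identities as RFC 5922 section 7.1 describes (assumed here):
    # host part of subjectAltName "sip:" URIs, then dNSName entries, and the
    # subject CN only when no such subjectAltName entry is present.
    ids: List[str] = []
    for uri in san_uris:
        if uri.lower().startswith("sip:"):
            host = uri[4:].rsplit("@", 1)[-1]             # drop any user part
            host = host.split(";", 1)[0].split(":", 1)[0]  # drop params, port
            ids.append(_normalize(host))
    ids.extend(_normalize(d) for d in san_dns)
    if not ids and cn:
        ids.append(_normalize(cn))
    return ids


def sip_matches(identities: Iterable[str], domain: str) -> bool:
    # RFC 5922 section 7.2: exact, label-for-label comparison only. A wildcard
    # identity such as "*.example.com" matches only the literal string
    # "*.example.com", so it never covers a real domain like foo.example.com.
    target = _normalize(domain)
    return any(ident == target for ident in identities)


def https_style_matches(identities: Iterable[str], domain: str) -> bool:
    # RFC 2818 style, for contrast: a leftmost "*" label stands in for exactly
    # one DNS label. This is what SIP implementations MUST NOT do.
    target = _normalize(domain)
    for ident in identities:
        if ident == target:
            return True
        if ident.startswith("*.") and target.count(".") == ident.count("."):
            if target.split(".", 1)[1] == ident[2:]:
                return True
    return False
```

A single certificate whose subjectAltName lists several "sip:" or dNSName identities satisfies the exact-match rule for each listed domain, which is how the multi-domain case is evaluated under § 7.2.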