Hi! I hope everyone stays safe in these times. During this week's IETF I ended up in a discussion about using TLS client certs in SIP. I tested this a long time ago, but obviously not fully. The question I got, I failed to find an answer to, which is annoying :-)
Here it goes, let's see if you can help:

SIP UA -> Ingress proxy -> Registrar

If the Ingress Proxy requires a client cert for authentication, that certificate is only seen on the first hop between the UA and the proxy. How can we make the registrar validate and trust the client cert for the registration?

If there is absolute trust between the ingress proxy and the registrar, I guess we could parse out a lot of headers and send forward. If there is no trust relationship (let's say the Ingress Proxy is an enterprise SBC and the registrar is a service provider) then we have a problem.

In HTTP there's a CONNECT method so the SIP UA can establish a direct TLS session to the registrar through a proxy. There is a very old expired draft for a SIP CONNECT method that could potentially be helpful here.

Any ideas?

Cheers,
/Olle

_______________________________________________
Sip-implementors mailing list
Sip-implementors@lists.cs.columbia.edu
https://lists.cs.columbia.edu/mailman/listinfo/sip-implementors
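The "parse out headers and send forward" option from the post, as an added example that is not from the original thread or any SIP stack: the proxy asserts the client certificate it verified on hop one in a header, and the registrar only honours that header when the hop-two TLS peer is a proxy it already trusts. The header name `X-Verified-Client-Cert` is hypothetical, the certificate bytes are placeholders, and hop two is assumed to be mutual TLS so the registrar knows the proxy's certificate.

```python
import hashlib
import re
from typing import Optional

# Hypothetical header carrying the proxy's assertion; not a standard SIP header.
CERT_HEADER = "X-Verified-Client-Cert"

def parse_headers(raw: str) -> dict:
    """Minimal SIP header parser: {lower-case name: value}, request line dropped."""
    headers = {}
    for line in raw.split("\r\n")[1:]:
        if not line:          # empty line terminates the header block
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers

def fingerprint(cert_der: bytes) -> str:
    """SHA-256 fingerprint of a DER certificate, the value both sides pin on."""
    return hashlib.sha256(cert_der).hexdigest()

def proxy_forward(raw_register: str, client_cert_der: bytes, client_subject: str) -> str:
    """Ingress proxy: the TLS handshake already verified the UA's client cert.
    Strip any UA-supplied copy of the assertion header (never trusted from the
    UA), add the proxy's own, and return the message to forward to the registrar."""
    lines = [l for l in raw_register.split("\r\n")
             if not l.lower().startswith(CERT_HEADER.lower() + ":")]
    assertion = f'{CERT_HEADER}: subject="{client_subject}"; sha256={fingerprint(client_cert_der)}'
    lines.insert(lines.index(""), assertion)   # before the header terminator
    return "\r\n".join(lines)

def registrar_identity(raw: str, peer_cert_der: bytes, trusted_proxies: set) -> Optional[str]:
    """Registrar: honour the assertion only if the hop-two TLS peer (the proxy)
    is trusted; otherwise return None so ordinary authentication applies."""
    assertion = parse_headers(raw).get(CERT_HEADER.lower())
    if assertion is None or fingerprint(peer_cert_der) not in trusted_proxies:
        return None
    m = re.match(r'subject="([^"]*)"; sha256=([0-9a-f]{64})$', assertion)
    return m.group(1) if m else None

# Constructed sample data: placeholder bytes stand in for real DER certificates.
UA_CERT = b"placeholder-ua-cert-der"
PROXY_CERT = b"placeholder-proxy-cert-der"
REGISTER = ("REGISTER sip:example.com SIP/2.0\r\n"
            "From: <sip:alice@example.com>\r\n"
            f'{CERT_HEADER}: subject="CN=mallory"; sha256={"0" * 64}\r\n'  # UA-supplied copy, must be stripped
            "\r\n")
```

With an enterprise SBC the service-provider registrar would not have the proxy's fingerprint in `trusted_proxies`, so the assertion is ignored and the UA still has to authenticate to the registrar itself, which is exactly the gap the post describes.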