Hi everybody,
I want to test openser 0.10.x and its TLS capabilities. Therefore I plan
to install two proxies, sip.atlanta.com and sip.biloxi.com. Two users,
[EMAIL PROTECTED] and sip.biloxi.com, should communicate over the two
proxies secured by TLS. The UAs are snom360 phones.
 -------------------             -----------------             ----------------             -------------------
| [EMAIL PROTECTED] | <-------> | sip.atlanta.com | <-------> | sip.biloxi.com | <-------> | [EMAIL PROTECTED] |
 -------------------             -----------------             ----------------             -------------------
Mutual authentication should take place between the UAC and the outbound
proxy, the two proxies and between the inbound proxy and the UAS.
The problem is that I am not sure about the organisation of the
certificate's infrastructure. I don't know which would be the best
solution to implement.
So please look at my suggestions and feel free to make your comments.
1.. user certificate for [EMAIL PROTECTED]
2.. server certificate for sip.atlanta.com
3.. server certificate for sip.biloxi.com
4.. user certificate for bob.biloxi.com
The root certificate is self-signed (Does this work with openser?)
a.) One common CA (=root) signs all components.
        -----------
       |    CA     |
        -----------
        /  /   \  \
       /  /     \  \
      /   |     |   \
    ---  ---   ---  ---
    |1|  |2|   |3|  |4|
    ---  ---   ---  ---
b.) Two separate CAs (= each one's root) sign their proxy and UA. Mutual import
of the other domain's root certificate takes place.
   -----        -----
  |CA A |      |CA B |
   -----        -----
   /   \        /   \
 ---   ---    ---   ---
 |1|   |2|    |3|   |4|
 ---   ---    ---   ---
c.) One common root signs two CAs which sign their proxy and UA.
        -----------
       | root-cert |
        -----------
         /       \
        /         \
   -----           -----
  |CA A |         |CA B |
   -----           -----
   /   \           /   \
 ---   ---       ---   ---
 |1|   |2|       |3|   |4|
 ---   ---       ---   ---
Thank you very much for your help!
regards,
Philipp
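
Added example, not part of the original post: a small Python model of layouts (a), (b) and (c) that computes which root certificates each of the four components needs as trust anchors for the three mutually authenticated hops. The labels "ua1" and "ua4" stand for certificates 1 and 4, and the model assumes every peer presents its intermediate CA certificates in the TLS handshake.

```python
# Constructed model of layouts (a), (b), (c); "ua1"/"ua4" stand for certs 1 and 4.
# Each map is subject -> issuer; a self-signed root is issued by itself.
LEAVES_A = {"ua1": "CA A", "sip.atlanta.com": "CA A"}
LEAVES_B = {"sip.biloxi.com": "CA B", "ua4": "CA B"}
LAYOUTS = {
    "a": {"CA": "CA", "ua1": "CA", "sip.atlanta.com": "CA",
          "sip.biloxi.com": "CA", "ua4": "CA"},
    "b": {"CA A": "CA A", "CA B": "CA B", **LEAVES_A, **LEAVES_B},
    "c": {"root-cert": "root-cert", "CA A": "root-cert", "CA B": "root-cert",
          **LEAVES_A, **LEAVES_B},
}
# The three mutually authenticated TLS hops described in the post.
HOPS = [("ua1", "sip.atlanta.com"),
        ("sip.atlanta.com", "sip.biloxi.com"),
        ("sip.biloxi.com", "ua4")]

def chain(issuers, subject):
    """Walk issuer links from a certificate up to its self-signed root."""
    path = [subject]
    while issuers[path[-1]] != path[-1]:
        path.append(issuers[path[-1]])
    return path

def accepts(issuers, trust_store, peer):
    """True if some CA above the peer's certificate is a configured anchor.
    Assumption: the peer presents its intermediate CA certs in the handshake."""
    return any(ca in trust_store for ca in chain(issuers, peer)[1:])

def required_anchors(issuers):
    """Roots each component must trust to verify every peer it faces."""
    need = {}
    for left, right in HOPS:
        need.setdefault(left, set()).add(chain(issuers, right)[-1])
        need.setdefault(right, set()).add(chain(issuers, left)[-1])
    return need

def all_hops_ok(issuers, stores):
    """Check both directions of every hop against the given trust stores."""
    return all(accepts(issuers, stores[x], y) and accepts(issuers, stores[y], x)
               for x, y in HOPS)

if __name__ == "__main__":
    for name, issuers in LAYOUTS.items():
        need = required_anchors(issuers)
        print(name, {k: sorted(v) for k, v in need.items()},
              all_hops_ok(issuers, need))
```

In this model only the two proxies need both roots under layout (b), because each UA faces only its own domain's proxy.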