See inline ...<br><br><div><span class="gmail_quote">On 10/9/05, <b class="gmail_sendername">Alexander Ph. Lintenhofer</b> <<a href="mailto:lintenhofer@aon.at">lintenhofer@aon.at</a>> wrote:</span><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
Hello Cesc,<br><br>Thanks for your answer!<br> >If you want just one setup, then you are forced to use the "less<br>secure" setup so that your UAs can support it.<br>I think this is not a sufficient solution. Maybe it's possible to make
<br>black- or whitelists for authentication rules in future developments<br>(just an quick'n'dirty idea).</blockquote><div><br>
Do you mean something like:<br>
if connecting ip:port is in white list, apply a less restrictive tls authentication (do not require peer cert)<br>
if connectin ip:port is not in white list or in black list, demand a stronger auth<br>
Is that it? <br>
Note that you can only do this lists based on ip:port, as TLS setup is previous to any sip exchange. <br>
<br>
What i really think it could work is to create a function (probably in
a tls_utils module), which may allow to perform the extra verification
that you could not when tls setup.<br>
I mean, you setup all tls asking for a certificate from the other peer,
but do not require that it sends it. Then, from within the config file,
you could use a special function and force ser to perform the extra
verification on the tls (equivalent to tls_require_cert=1)<br>
<br>
Just a thought ...<br>
</div><br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">With NAPTR-lookup support, the t_relay_to_tls("specific<br>domain","specific port") function could also be serviced by t_relay(),
<br>or am I wrong?</blockquote><div><br>
Indeed, it should work. I don't know if ser uses the lookups correctly ...<br>
t_relay should already work if your endpoint registered the contact over tls (transport=tls).<br>
For inter-proxy, either you rely on naptr or use the t_relay_to_tls.<br>
<br>
Regards,<br>
<br>
Cesc<br>
<br>
<br>
<br>
</div></div><br>