RE: [reSIProcate] proposed changes to cert-derived peer name handling
I did some throwaway like this last sipsit & it wasn't too hard. However,
what sip certs will look like is still an open question. I doubt anyone
will issue certs which have more than one subjectAltName which don't
share a common subdomain, and I would be nervous if I saw a cert like
that.
However, the proxy.foo.com and foo.com both being in the subjectAltName
seems reasonable, and better than cname matching. Should it be possible to
disable commonName matching?
Scott Godin said:
> I think we definitely need to do this. Should we also add the commonName
> to the list of peer names?
> A good reference is the code in the sipX project:
> http://scm.sipfoundry.org/rep/sipX/main/sipXportLib/src/os/OsSSL.cpp
> search for peerIdentity.
> We should probably also expose a method to retrieve the list.
>
> Scott
>
>
> -----Original Message-----
> From: resiprocate-devel-bounces@xxxxxxxxxxxxxxxxxxx
> [mailto:resiprocate-devel-bounces@xxxxxxxxxxxxxxxxxxx] On Behalf Of Rohan
> Mahy
> Sent: Friday, March 24, 2006 7:26 PM
> To: resiprocate-devel@xxxxxxxxxxxxxxxxxxx
> Cc: Rohan Mahy
> Subject: [reSIProcate] proposed changes to cert-derived peer name handling
>
> Hi,
>
> Currently we have the getPeerName function which returns a Data. In
> addition to the (minor) overhead of creating a Data, the function only
> works if there is a single sip or sips URI in the subjectAltName. The
> subjectAltName can actually contain a stack of URIs here and it could be
> reasonable to get a certificate that covers both sip:sip.example.com and
> sip:example.com.
>
> I think we should add a new function with the following signature:
>
> bool matchesPeerName(Uri)
>
> This would just check the Uri to see if it is in the stack of names from
> the subjectAltName and return yes or no.
>
> thoughts?
>
> thanks,
> -rohan
>
> _______________________________________________
> resiprocate-devel mailing list
> resiprocate-devel@xxxxxxxxxxxxxxxxxxx
> https://list.sipfoundry.org/mailman/listinfo/resiprocate-devel
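
The check discussed in this thread, sketched as an added example (not reSIProcate or sipX code): a URI is matched against every sip/sips entry taken from the subjectAltName, with commonName matching as a switch that can be turned off. The struct, the function signatures and the host-only, case-insensitive comparison are assumptions made for illustration, and the certificate names are constructed sample data.

```cpp
// Added example, not reSIProcate code. All names here are hypothetical.
#include <algorithm>
#include <cctype>
#include <iostream>
#include <string>
#include <vector>

struct PeerCertNames {                        // names already extracted from the peer cert
    std::vector<std::string> subjectAltNames; // URI entries from subjectAltName
    std::string commonName;                   // subject commonName, may be empty
};

static std::string lower(std::string s) {
    std::transform(s.begin(), s.end(), s.begin(),
                   [](unsigned char c) { return static_cast<char>(std::tolower(c)); });
    return s;
}

// Lower-cased host of a sip:/sips: URI, or "" for anything else.
// Assumption: user part, port and parameters are ignored for matching.
// Simplified parser: no IPv6 literals, no '@' after the host part.
static std::string sipHost(const std::string& uri) {
    const std::string u = lower(uri);
    std::size_t start = 0;
    if (u.compare(0, 4, "sip:") == 0) start = 4;
    else if (u.compare(0, 5, "sips:") == 0) start = 5;
    else return "";
    const std::size_t at = u.find('@', start);
    if (at != std::string::npos) start = at + 1;
    const std::size_t end = u.find_first_of(":;?", start);
    return u.substr(start, end == std::string::npos ? end : end - start);
}

bool matchesPeerName(const PeerCertNames& cert, const std::string& uri, bool allowCommonName) {
    const std::string wanted = sipHost(uri);
    if (wanted.empty()) return false;         // never match an unparsable or empty name
    for (const std::string& san : cert.subjectAltNames)
        if (sipHost(san) == wanted) return true;
    return allowCommonName && lower(cert.commonName) == wanted;
}

PeerCertNames sampleCert() {                  // constructed sample data
    return {{"sip:sip.example.com", "sip:example.com"}, "proxy.example.com"};
}

int main() {
    const PeerCertNames cert = sampleCert();
    std::cout << matchesPeerName(cert, "sip:example.com", false) << '\n';        // SAN entry
    std::cout << matchesPeerName(cert, "sips:alice@SIP.example.com:5061", false) << '\n';
    std::cout << matchesPeerName(cert, "sip:proxy.example.com", false) << '\n';  // CN off
    std::cout << matchesPeerName(cert, "sip:proxy.example.com", true) << '\n';   // CN on
}
```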