Re: [reSIProcate] proposed changes to cert-derived peer name handling

[Rohan Mahy <rohan@xxxxxxxxxx>]

Regarding matching the subject instead of the subjectAltName, I think 
the right thing to do is use only the subjectAltName if it is present 
(and ignore the subject).  If there is no subjectAltName, use the 
subject.

thanks,
-rohan



On Mar 25, 2006, at 14:55, derek@xxxxxxxxxxxxxxx wrote:

> I did some throwaway like this last sipsit & it wasn't too hard. 
> However,
> what sip certs will look like is still an open question. I doubt anyone
> will issue certs. which have more than onve subjetAltName which down't
> share a common subdomain, and I would be nervous if I saw a cert like
> that.
>
> However, the proxy.foo.com and foo.com both being in the subjetAltName
> seems reasonable, and better than cname matching. Should it be 
> possible to
> disable commonName matching?
>
>
> Scott Godin said:
> > I think we definitely need to do this.  Should we also add the 
> > commonName
> > to
> > the list of peer names?
> > A good reference is the code in the sipX project:
> > http://scm.sipfoundry.org/rep/sipX/main/sipXportLib/src/os/OsSSL.cpp
> > search for peerIdentity.
> > We should probably also expose a method to retrieve the list.
> >
> > Scott
> >
> >
> > -----Original Message-----
> > From: resiprocate-devel-bounces@xxxxxxxxxxxxxxxxxxx
> > [mailto:resiprocate-devel-bounces@xxxxxxxxxxxxxxxxxxx] On Behalf Of 
> > Rohan
> > Mahy
> > Sent: Friday, March 24, 2006 7:26 PM
> > To: resiprocate-devel@xxxxxxxxxxxxxxxxxxx
> > Cc: Rohan Mahy
> > Subject: [reSIProcate] proposed changes to cert-derived peer name 
> > handling
> >
> > Hi,
> >
> > Currently we have the getPeerName function which returns a Data.  In
> > addition to the (minor) overhead of creating a Data, the function only
> > works
> > if there is a single sip or sips URI in the subjectAltName.  The
> > subjectAltName can actually contain a stack of URIs here and it could 
> > be
> > reasonable to get a certificate that covers both sip:sip.example.com 
> > and
> > sip:example.com.
> >
> > I think we should add a new function with the following signature:
> >
> > bool matchesPeerName(Uri)
> >
> > This would just check the Uri to see if it is in the stack of names 
> > from
> > the
> > subjectAltName and return yes or no.
> >
> > thoughts?
> >
> > thanks,
> > -rohan
> >
> > _______________________________________________
> > resiprocate-devel mailing list
> > resiprocate-devel@xxxxxxxxxxxxxxxxxxx
> > https://list.sipfoundry.org/mailman/listinfo/resiprocate-devel
> >
> > _______________________________________________
> > resiprocate-devel mailing list
> > resiprocate-devel@xxxxxxxxxxxxxxxxxxx
> > https://list.sipfoundry.org/mailman/listinfo/resiprocate-devel