[reSIProcate] proposed changes to cert-derived peer name handling

Rohan Mahy rohan at ekabal.com
Sun Mar 26 10:18:11 CST 2006


Regarding matching the subject instead of the subjectAltName, I think 
the right thing to do is use only the subjectAltName if it is present 
(and ignore the subject).  If there is no subjectAltName, use the 
subject.

thanks,
-rohan



On Mar 25, 2006, at 14:55, derek at counterpath.com wrote:

> I did some throwaway like this last sipsit & it wasn't too hard. However,
> what sip certs will look like is still an open question. I doubt anyone
> will issue certs. which have more than one subjectAltName which doesn't
> share a common subdomain, and I would be nervous if I saw a cert like
> that.
>
> However, the proxy.foo.com and foo.com both being in the subjectAltName
> seems reasonable, and better than cname matching. Should it be possible to
> disable commonName matching?
>
>
> Scott Godin said:
>> I think we definitely need to do this.  Should we also add the commonName
>> to the list of peer names?
>> A good reference is the code in the sipX project:
>> http://scm.sipfoundry.org/rep/sipX/main/sipXportLib/src/os/OsSSL.cpp
>> search for peerIdentity.
>> We should probably also expose a method to retrieve the list.
>>
>> Scott
>>
>>
>> -----Original Message-----
>> From: resiprocate-devel-bounces at list.sipfoundry.org
>> [mailto:resiprocate-devel-bounces at list.sipfoundry.org] On Behalf Of Rohan Mahy
>> Sent: Friday, March 24, 2006 7:26 PM
>> To: resiprocate-devel at list.sipfoundry.org
>> Cc: Rohan Mahy
>> Subject: [reSIProcate] proposed changes to cert-derived peer name handling
>>
>> Hi,
>>
>> Currently we have the getPeerName function which returns a Data.  In
>> addition to the (minor) overhead of creating a Data, the function only works
>> if there is a single sip or sips URI in the subjectAltName.  The
>> subjectAltName can actually contain a stack of URIs here and it could be
>> reasonable to get a certificate that covers both sip:sip.example.com and
>> sip:example.com.
>>
>> I think we should add a new function with the following signature:
>>
>> bool matchesPeerName(Uri)
>>
>> This would just check the Uri to see if it is in the stack of names from
>> the subjectAltName and return yes or no.
>>
>> thoughts?
>>
>> thanks,
>> -rohan
>>
>> _______________________________________________
>> resiprocate-devel mailing list
>> resiprocate-devel at list.sipfoundry.org
>> https://list.sipfoundry.org/mailman/listinfo/resiprocate-devel
>>
>

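As an added example (not reSIProcate code, and not the sipX code Scott points to), here is the matching policy Rohan describes, with derek's question about switching off commonName matching expressed as a flag. SipUri, PeerCertNames, parseSipUri and matchesPeerName are hypothetical names modelled on the proposed `bool matchesPeerName(Uri)`; the certificate's subjectAltName URI entries and subject CN are assumed to have been extracted already (e.g. from an X509* with OpenSSL), so the code uses only the C++ standard library and constructed sample values.

```cpp
// Added example, not reSIProcate code: SAN-first peer-name matching for a
// SIP-over-TLS peer certificate.  Certificate fields are assumed to have been
// extracted upstream; only the standard library is used here.
#include <algorithm>
#include <cctype>
#include <string>
#include <vector>

// Minimal parsed SIP URI (hypothetical type, not resip::Uri).
// Bracketed IPv6 literals are out of scope for this example.
struct SipUri {
    std::string scheme;   // "sip" or "sips"
    std::string host;     // lower-cased for case-insensitive comparison
    int port = 0;         // 0 = not given
};

static std::string toLower(std::string s) {
    std::transform(s.begin(), s.end(), s.begin(),
                   [](unsigned char c) { return static_cast<char>(std::tolower(c)); });
    return s;
}

// Parse "sip[s]:[user@]host[:port][;params][?headers]".  Returns false for any
// other scheme: an http: or mailto: SAN entry must never count as a SIP name.
bool parseSipUri(const std::string& text, SipUri& out) {
    const auto colon = text.find(':');
    if (colon == std::string::npos) return false;
    const std::string scheme = toLower(text.substr(0, colon));
    if (scheme != "sip" && scheme != "sips") return false;

    std::string rest = text.substr(colon + 1);
    const auto at = rest.find('@');                  // strip userinfo
    if (at != std::string::npos) rest = rest.substr(at + 1);
    const auto cut = rest.find_first_of(";?");       // strip params / headers
    if (cut != std::string::npos) rest = rest.substr(0, cut);

    int port = 0;
    const auto pcolon = rest.rfind(':');
    if (pcolon != std::string::npos) {
        const std::string p = rest.substr(pcolon + 1);
        const bool digits = !p.empty() && p.size() <= 5 &&
            std::all_of(p.begin(), p.end(),
                        [](unsigned char c) { return std::isdigit(c) != 0; });
        if (!digits) return false;
        port = std::stoi(p);
        rest = rest.substr(0, pcolon);
    }
    if (rest.empty()) return false;

    out.scheme = scheme;
    out.host = toLower(rest);
    out.port = port;
    return true;
}

// Identity fields pulled from the peer certificate (assumed parsed upstream).
struct PeerCertNames {
    std::vector<std::string> sanUris;  // every URI entry of subjectAltName, verbatim
    std::string commonName;            // subject CN, empty if absent
};

// Policy from the thread: if the certificate carries a subjectAltName, only its
// sip:/sips: URIs are candidate names and the subject is ignored; the CN is
// consulted only when there is no subjectAltName at all, and only if
// allowCommonName is set.  Matching is by host only (the certificate vouches
// for a domain, not a scheme or port), exact and case-insensitive; a wildcard
// CN such as "*.example.com" is deliberately not honoured.
bool matchesPeerName(const PeerCertNames& cert, const SipUri& peer,
                     bool allowCommonName = true) {
    if (!cert.sanUris.empty()) {
        for (const auto& entry : cert.sanUris) {
            SipUri name;
            if (!parseSipUri(entry, name)) continue;   // non-SIP URI type: skip
            if (name.host == peer.host) return true;
        }
        return false;   // SAN present but nothing matched: never fall back to CN
    }
    if (!allowCommonName || cert.commonName.empty()) return false;
    return toLower(cert.commonName) == peer.host;
}

// Convenience overload taking the peer URI as text.
bool matchesPeerName(const PeerCertNames& cert, const std::string& peerUri,
                     bool allowCommonName = true) {
    SipUri peer;
    return parseSipUri(peerUri, peer) && matchesPeerName(cert, peer, allowCommonName);
}

// Constructed sample certificates (not real certificates).  The first covers
// both sip.example.com and example.com in its SAN, as the thread suggests a
// real deployment might, while its CN names a host the SAN does not.
PeerCertNames sampleSanCert() {
    return {{"sip:sip.example.com", "sips:example.com", "http://www.example.com"},
            "proxy.example.com"};
}
PeerCertNames sampleCnOnlyCert() { return {{}, "proxy.example.com"}; }
PeerCertNames sampleWildcardCnCert() { return {{}, "*.example.com"}; }

int main() {
    bool a = matchesPeerName(sampleSanCert(), "sip:alice@SIP.Example.COM:5061;transport=tls");
    bool b = matchesPeerName(sampleSanCert(), "sip:proxy.example.com");   // CN ignored
    bool c = matchesPeerName(sampleCnOnlyCert(), "sip:proxy.example.com");
    bool d = matchesPeerName(sampleCnOnlyCert(), "sip:proxy.example.com", false);
    return (a && !b && c && !d) ? 0 : 1;
}
```

Two choices are worth spelling out. When a subjectAltName is present but none of its SIP URIs match (including the case where it holds only non-SIP URI types), the function returns false rather than consulting the CN, which is the reading of Rohan's "ignore the subject" that closes the door on a certificate issued for something else being accepted via its CN. And comparison is exact on the host, so a CN of the form "*.example.com" never matches; if wildcard or dNSName handling is wanted, it belongs in a deliberate extension rather than in this fallback.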


