[SIP Beyond VoIP] TLS certificate of sip2sip.info is "wrong"

Iñaki Baz Castillo ibc at aliax.net
Wed Jan 22 15:41:56 CET 2014


2014/1/22 Iñaki Baz Castillo <ibc at aliax.net>:
> 2014/1/22 Adrian Georgescu <ag at ag-projects.com>:
>> I believe the cert is bound to the A record where the client attempts to connect after NAPTR and SRV record lookups. A domain is served by different A records for different services and the client should use the A record name for validation rather than the original domain.
>
> Hi Adrian!
>
> Honestly, I must re-check it, but for now I will say that AFAIR I am
> right and you are wrong, so the domain in the certificate must match
> the *original* SIP domain the client is connecting to, that is: the
> domain in the Request-URI!


Adrian, look at this please:


RFC 5922:


7.3.  Client Behavior

   A client uses the domain portion of the SIP AUS to query a (possibly
   untrusted) DNS to obtain a result set, which is one or more SRV and A
   records identifying the server for the domain (see Section 4 for an
   overview).

   The SIP server, when establishing a TLS connection, presents its
   certificate to the client for authentication.  The client MUST
   determine the SIP domain identities in the server certificate using
   the procedure in Section 7.1.  Then, the client MUST compare the
   original domain portion of the SIP AUS used as input to the RFC 3263
   [8] server location procedures to the SIP domain identities obtained
   from the certificate.


So let me say that I am right ;)




-- 
Iñaki Baz Castillo
<ibc at aliax.net>


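The check that the RFC 5922 Section 7.3 text quoted above describes, written out as an added example; it is not part of the original post, of the RFC, or of any sip2sip.info software. It takes the peer certificate in the dictionary shape that Python's ssl.SSLSocket.getpeercert() returns, collects the certificate's SIP domain identities the way I read Section 7.1 (SIP/SIPS URI entries without a user part and dNSName entries in subjectAltName, with the subject commonName as a fallback only when the certificate carries no subjectAltName at all), compares them by exact case-insensitive match with no wildcard expansion (my reading of Section 7.2; neither 7.1 nor 7.2 is quoted in the mail), and then applies the 7.3 rule: the input to the comparison is the original domain portion of the AUS, not the host the SRV/A lookups resolved to. A second function does the host-name-only comparison the mail argues against, so the two can be run side by side. All host names and certificates below are constructed for illustration and are not the real sip2sip.info certificate.

```python
"""RFC 5922 style check of a SIP server's TLS certificate (added example).

Certificates are passed in the dict format of ssl.SSLSocket.getpeercert():
{"subject": (((key, value),), ...), "subjectAltName": ((kind, value), ...)}.
"""
from __future__ import annotations


def aus_domain(aus: str) -> str:
    """Return the domain portion of a SIP AUS such as 'sip:alice@example.com;transport=tls'."""
    scheme, sep, rest = aus.partition(":")
    if not sep or scheme.lower() not in ("sip", "sips"):
        raise ValueError("not a SIP AUS: %r" % aus)
    hostport = rest.split("@")[-1]                      # drop user[:password]@ if present
    hostport = hostport.split(";")[0].split("?")[0]     # drop URI parameters and headers
    if hostport.startswith("["):                        # bracketed IPv6 literal
        host = hostport[1 : hostport.index("]")]
    else:
        host = hostport.split(":", 1)[0]                # drop :port
    return host.rstrip(".").lower()


def sip_domain_identities(peercert: dict) -> list[str]:
    """Section 7.1 (as read by the author of this example): SIP domain identities in a cert."""
    ids: list[str] = []

    def add(name: str) -> None:
        name = name.rstrip(".").lower()
        if name not in ids:
            ids.append(name)

    if "subjectAltName" in peercert:
        for kind, value in peercert["subjectAltName"]:
            if kind == "URI":
                # A sip:/sips: URI with no user part names a SIP domain.
                if value.partition(":")[0].lower() in ("sip", "sips") and "@" not in value:
                    add(aus_domain(value))
            elif kind == "DNS":
                add(value)
            # Other entry types (e.g. "IP Address") are not SIP domain identities.
        return ids
    # No subjectAltName at all: fall back to the subject commonName (legacy practice).
    for rdn in peercert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                add(value)
    return ids


def identity_matches(expected: str, identity: str) -> bool:
    """Section 7.2 (as read here): exact, case-insensitive match; a wildcard never matches."""
    if "*" in identity:
        return False
    return expected.lower() == identity.lower()


def client_accepts(aus: str, peercert: dict) -> bool:
    """Section 7.3: compare the ORIGINAL AUS domain, the input to RFC 3263, with the cert."""
    expected = aus_domain(aus)
    return any(identity_matches(expected, i) for i in sip_domain_identities(peercert))


def host_name_only_check(resolved_host: str, peercert: dict) -> bool:
    """The check the post argues against: match the SRV/A target instead of the AUS domain.

    Because the SRV/A result set may come from an untrusted DNS (Section 7.3), this
    accepts any server an attacker-controlled answer steers the client to.
    """
    expected = resolved_host.rstrip(".").lower()
    return any(identity_matches(expected, i) for i in sip_domain_identities(peercert))


# Constructed sample certificates (hypothetical names, not the sip2sip.info cert).
# 1) Only the SRV/A target host is named; the SIP domain is not.
CERT_FOR_TARGET_HOST = {
    "subject": ((("commonName", "proxy1.example.net"),),),
    "subjectAltName": (("DNS", "proxy1.example.net"),),
}
# 2) The SIP domain itself is asserted, via a SIP URI entry and a dNSName entry.
CERT_FOR_SIP_DOMAIN = {
    "subject": ((("commonName", "proxy1.example.net"),),),
    "subjectAltName": (
        ("URI", "sip:example.com"),
        ("DNS", "example.com"),
        ("DNS", "proxy1.example.net"),
    ),
}

if __name__ == "__main__":
    aus = "sip:alice@example.com;transport=tls"
    target = "proxy1.example.net"   # pretend NAPTR/SRV/A resolution of example.com gave this
    for label, cert in (("target-host cert", CERT_FOR_TARGET_HOST),
                        ("SIP-domain cert", CERT_FOR_SIP_DOMAIN)):
        print(f"{label}: identities={sip_domain_identities(cert)}")
        print(f"  RFC 5922 7.3 check against {aus_domain(aus)!r}: {client_accepts(aus, cert)}")
        print(f"  host-name-only check against {target!r}: {host_name_only_check(target, cert)}")
```

Running it shows the first certificate passing the host-name-only check but failing the 7.3 comparison, while the second passes both; to try it against a live server, replace the sample dicts with the result of getpeercert() on a TLS connection opened to the SRV/A target.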