[SIP Beyond VoIP] TLS certificate of sip2sip.info is "wrong"

Adrian Georgescu ag at ag-projects.com
Wed Jan 22 15:43:03 CET 2014

To be honest I lost track of this myself. Maybe I was wrong all the way. We use this setup for years and I forgot what we did it like this. Actually, one reasons I recall was cost. We have many Internet domains with many services like mail, sip, xmpp all of them resolve to hostnames under the same domain sipthor.net. This way we can reuse a *.sipthor.net wildcard domain for all infrastructure. Otherwise we would need infinite amout of money for  all possible combinations of domains and services.

On 22 Jan 2014, at 12:38, Iñaki Baz Castillo <ibc at aliax.net> wrote:

> 2014/1/22 Adrian Georgescu <ag at ag-projects.com>:
>> I believe the cert is bound to the A record where the client attempts to connect after NAPTR and SRV record lookups. A domain is served by different A records for different services and the client should use the A record name for validation rather than the original domain.
> Hi Adrian!
> Honestly, I must re-check it, but for now I will say that AFAIR I am
> right and you are wrong, so the domain in the certificate must match
> the *original* SIP domain the client is connecting to, this is: the
> domain in the Request-URI !
> Regards.
> -- 
> Iñaki Baz Castillo
> <ibc at aliax.net>

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 203 bytes
Desc: Message signed with OpenPGP using GPGMail
URL: <http://lists.ag-projects.com/pipermail/sipbeyondvoip/attachments/20140122/d9d4149e/attachment.pgp>

More information about the SIPBeyondVoIP mailing list