Hi, my answers are inline:

On Fri, Nov 17, 2017 at 3:21 PM, Alex Balashov <[email protected]> wrote:

> A few questions about TLS. I apologise that they're kind of idiotic, I'm
> new to SIP over TLS. I have been a big supporter of LetsDecrypt, a
> certificate authority sponsored by the NSA. :-)
>
> 1. Are wildcard certificates (commonName of *.domain.com) permitted for
> SIP-TLS?
>
> Is this true in the wild? If so, how to deal with a SIP server that
> serves multiple domains but supports only one certificate and key pair?

This is true for at least some implementations. Your commonName must match the DNS name exactly. Keep in mind that if SRV records are used, the commonName must match the DNS name in the SRV record, not the host name in the SIP URL.

> 2. Is ';transport=tls' or ';transport=TLS' appropriate? I've seen both,
> but which one is correct?

Neither. A sips URL implies TLS transport. SIP can be used with transport=udp or transport=tcp, but not with transport=tls, which is not defined. There are multiple implementations that use sip URLs with transport=tls, but these are not standard. Also, the transport URL parameter is not case sensitive, so ';transport=tls' and ';transport=TLS' should mean the same thing.

> 3. Does a 'sips:' URI scheme imply ';transport=tls', or must the latter
> be explicitly included? In other words, will a 'sips:' URI like
> 'sips:[email protected]' be constructed to be
> 'sips:[email protected];transport=tls'?

See above. There is no 'transport=tls' defined. sips requires end-to-end use of TLS and does not allow any other transports.

> 4. Is a 'sips:' URI scheme mandatory for secure transport? What are the
> implications of a 'sip:' URI with ';transport=tls' affixed?

sips means end-to-end secure transport. It means that all Route URLs should be sips as well. transport=tls with a sip URL is used to indicate that only a specific hop is secure and other Route URLs can use other transports. This is how, for instance, OpenSIPS is using it.

> 5. Is it permitted for a proxy to bend a 'sips:' Request URI scheme to
> 'sip:' when adapting TLS to an insecure transport?

No, according to the specifications, it is not allowed for the proxy to change sips to sip. There are numerous implementations which still do it.

Regards,
_____________
Roman Shpount

_______________________________________________
Sip-implementors mailing list
[email protected]
https://lists.cs.columbia.edu/mailman/listinfo/sip-implementors
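The rules Roman lays out above (sips versus sip;transport=tls, case-insensitive URI parameters, a sips Request-URI requiring sips Route URIs, and matching the certificate name against the SRV target rather than the URI host) turned into a small checker. This is an added example, not code from the thread, from OpenSIPS or from any SIP stack. It assumes RFC 3261's rule that URI parameter names and values are case-insensitive, uses example.com hostnames and a constructed SRV table in place of real DNS, and applies the strict exact-match, no-wildcard certificate rule Roman describes rather than any one implementation's policy. One caveat for practitioners: RFC 3261 does list tls in the transport-param ABNF but deprecates it in section 26.2.2 in favour of the sips scheme, which is why the checker treats sip;transport=tls as a hop-by-hop hint only, as Roman says OpenSIPS does.

```python
"""Decide what TLS a SIP hop requires and which certificate name to check.

Added example, not code from the mailing-list thread or from OpenSIPS.
Constructed inputs: example.com hostnames and the SRV_TABLE dictionary,
which stands in for a DNS lookup.
"""
import re
from dataclasses import dataclass
from typing import Optional

# scheme:[user@]host[:port][;param[=value]]*  -- the subset of RFC 3261 this
# demo needs; bracketed IPv6 hosts are not handled.
_URI_RE = re.compile(
    r"^(?P<scheme>sips?):"
    r"(?:(?P<user>[^@;?]+)@)?"
    r"(?P<host>[^:;?]+)"
    r"(?::(?P<port>\d+))?"
    r"(?P<params>(?:;[^;?]+)*)",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class SipUri:
    scheme: str           # lower-cased: "sip" or "sips"
    user: Optional[str]   # case-sensitive, kept as written
    host: str             # lower-cased DNS name
    port: Optional[int]
    params: dict          # names lower-cased; the transport value is too


def parse_uri(text: str) -> SipUri:
    """Parse a sip:/sips: URI. Scheme and parameter names are case-insensitive,
    so ';transport=TLS' and ';transport=tls' come out identical."""
    m = _URI_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a sip/sips URI: {text!r}")
    params = {}
    for raw in m.group("params").split(";")[1:]:
        name, _, value = raw.partition("=")
        name = name.lower()
        params[name] = value.lower() if name == "transport" else value
    return SipUri(
        scheme=m.group("scheme").lower(),
        user=m.group("user"),
        host=m.group("host").lower(),
        port=int(m.group("port")) if m.group("port") else None,
        params=params,
    )


def hop_requires_tls(uri: SipUri) -> bool:
    """TLS on the next hop: a sips URI, or the non-standard sip;transport=tls."""
    return uri.scheme == "sips" or uri.params.get("transport") == "tls"


def end_to_end_secure(uri: SipUri) -> bool:
    """Only the sips scheme asks for TLS on every hop, not just this one."""
    return uri.scheme == "sips"


def route_set_violations(request_uri: SipUri, route_uris: list) -> list:
    """A sips Request-URI requires every Route URI to be sips; return offenders."""
    if not end_to_end_secure(request_uri):
        return []
    return [r for r in route_uris if r.scheme != "sips"]


def expected_cert_name(uri: SipUri, srv_table: dict) -> str:
    """Name the server certificate must carry for this URI's domain.

    If the target came from an SRV record (_sips._tcp.<domain>), the cert
    must match the SRV target host, not the host written in the URI.
    """
    target = srv_table.get(f"_sips._tcp.{uri.host}")
    return target.lower() if target else uri.host


def cert_name_matches(common_name: str, expected: str) -> bool:
    """Strict rule from the thread: exact DNS-name match, no wildcards."""
    cn = common_name.strip().lower()
    if cn.startswith("*."):
        return False
    return cn == expected.lower()


# Constructed sample data (not from the thread): example.com publishes an SRV
# record pointing its sips service at a differently named TLS front end.
SRV_TABLE = {"_sips._tcp.example.com": "sip-tls.example.com"}


def check_request(request_uri: str, route_uris: list, offered_cn: str) -> dict:
    """Run all checks for one outbound request and summarise the findings."""
    req = parse_uri(request_uri)
    routes = [parse_uri(r) for r in route_uris]
    expected = expected_cert_name(req, SRV_TABLE)
    return {
        "next_hop_tls": hop_requires_tls(req),
        "end_to_end": end_to_end_secure(req),
        "insecure_routes": [r.host for r in route_set_violations(req, routes)],
        "expected_cert_name": expected,
        "cert_ok": cert_name_matches(offered_cn, expected),
    }


if __name__ == "__main__":
    print(check_request(
        "SIPS:alice@Example.com",
        ["sips:edge.example.com;lr", "sip:core.example.com;transport=TLS;lr"],
        "*.example.com",
    ))
```

Run as a script it flags the second Route URI (sip with transport=TLS is hop-by-hop, so it breaks the end-to-end promise of the sips Request-URI) and rejects the wildcard certificate even though it covers the SRV target's domain, because the expected name is the SRV target sip-tls.example.com, not example.com. The regex deliberately covers only hostnames and IPv4 literals; bracketed IPv6 hosts would need a separate branch.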
