Feature Request: TLS server name indication

Benny Prijono wrote:
> On Tue, Apr 29, 2008 at 4:27 PM, Klaus Darilion
> <klaus.mailinglists at pernau.at> wrote:
>> Hi!
>>
>>  OpenSSL 0.9.8g supports the TLS extension "server name" (also often
>>  called SNI, for server name indication) when configured with
>>  "enable-tlsext" [1][2].
>>
>>  If the TLS client uses the server name extension in the ClientHello,
>>  the server can host multiple TLS domains on the same socket (because the
>>  server knows which certificate to present to the client).
>>
>>  I think it would be rather easy for pjsip to add this feature - at least
>>  for outgoing TLS connections (pjsip = TLS client).
> 
> Yeah it doesn't seem to be too difficult, probably just need to add a
> field setting in pjsip_tls_setting and propagate this all the way to
> pjsua.
> 
>>  Actually there is no SIP proxy yet which supports it, but I have it on
>>  my Todo list for openser, but found out that I do not have a client for
>>  testing :-)
>>
> 
> Are you going to implement that very soon?

Hi Benny. I have implemented the server_name extension in openser. You 
can test by sending SIP requests to my test proxy:

The test proxy is listening on IP 88.198.163.205 port 5061 and port 6061.

Port 5061 has 3 "virtual" sites configured:
tls-a.deepsec.pernau.at
tls-b.deepsec.pernau.at
tls-c.deepsec.pernau.at

If the TLS client does not present a server_name, or it presents a 
non-matching server name, the certificate tls.deepsec.pernau.at will be 
presented.

Port 6061 also has 3 "virtual" sites configured:
tls-1.deepsec.pernau.at
tls-2.deepsec.pernau.at
tls-3.deepsec.pernau.at

If the TLS client does not present a server_name, or it presents a 
non-matching server name, the certificate tls.deepsec.pernau.at will be 
presented.

If the TLS handshake succeeds, you can send any SIP request and the 
server should respond with "400, p=PROTOCOL, sni=SERVER_NAME".

If the server does not respond anymore, just wait a few seconds (maybe I 
have rebooted it). If it does not respond for some minutes, then you have 
likely crashed the proxy. Then you should send me an email so that I can 
analyze the core dump ;-)

regards
Klaus

PS: You can also test the server_name stuff with the Firebird browser, e.g.:
https://tls-c.deepsec.pernau.at:5061/



> 
> Cheers
>  Benny
> 
>>  regards
>>  klaus
>>
>>  [1]
>>  http://howtoforge.com/enable-multiple-https-sites-on-one-ip-using-tls-extensions-on-debian-etch
>>  [2] https://sni.velox.ch/
>>
> 
> _______________________________________________
> Visit our blog: http://blog.pjsip.org
> 
> pjsip mailing list
> pjsip at lists.pjsip.org
> http://lists.pjsip.org/mailman/listinfo/pjsip_lists.pjsip.org
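As an added illustration (not code from this thread, pjsip or openser) of the two steps the proxy above has to perform: read the server_name out of the TLS ClientHello, then pick the certificate of the matching virtual site, falling back to the default certificate when the extension is absent or names an unknown host. The ClientHello bytes and the "cert:" labels are constructed here; the hostnames are the ones Klaus lists for port 5061.

```python
import struct
from typing import Optional

def parse_sni(record: bytes) -> Optional[str]:
    """Return the host_name from the SNI extension of a ClientHello, or None."""
    # Record header: type(1) version(2) length(2); handshake header: type(1) length(3)
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        return None
    pos = 9 + 2 + 32                                       # skip client_version + random
    pos += 1 + record[pos]                                 # session_id
    pos += 2 + struct.unpack_from("!H", record, pos)[0]    # cipher_suites
    pos += 1 + record[pos]                                 # compression_methods
    if pos + 2 > len(record):
        return None                                        # no extensions block at all
    end = pos + 2 + struct.unpack_from("!H", record, pos)[0]
    pos += 2
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack_from("!HH", record, pos)
        pos += 4
        if ext_type == 0x0000:                             # server_name, RFC 6066
            # ServerNameList: list_len(2) name_type(1) name_len(2) host_name
            name_type = record[pos + 2]
            name_len = struct.unpack_from("!H", record, pos + 3)[0]
            if name_type == 0:
                return record[pos + 5:pos + 5 + name_len].decode("ascii")
        pos += ext_len
    return None

def build_client_hello(server_name: Optional[str]) -> bytes:
    """Constructed minimal TLS 1.2 ClientHello, optionally carrying an SNI extension."""
    body = b"\x03\x03" + bytes(32) + b"\x00"               # version, random, empty session_id
    body += struct.pack("!H", 2) + b"\xc0\x2f"             # one cipher suite
    body += b"\x01\x00"                                    # one compression method: null
    if server_name is not None:
        host = server_name.encode("ascii")
        name_list = b"\x00" + struct.pack("!H", len(host)) + host
        sni = struct.pack("!H", len(name_list)) + name_list
        ext = struct.pack("!HH", 0x0000, len(sni)) + sni
        body += struct.pack("!H", len(ext)) + ext
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

# Virtual sites from the mail (port 5061) and the fallback certificate; labels are constructed.
VIRTUAL_SITES = {h: "cert:" + h for h in
                 ("tls-a.deepsec.pernau.at", "tls-b.deepsec.pernau.at", "tls-c.deepsec.pernau.at")}
DEFAULT_CERT = "cert:tls.deepsec.pernau.at"

def select_certificate(record: bytes) -> str:
    """Server-side choice: the matching virtual site's certificate, else the default."""
    return VIRTUAL_SITES.get(parse_sni(record), DEFAULT_CERT)
```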
