Thread: RE: MTLS

RE: MTLS
user name
2006-05-25 16:59:55
Also, I had no success working with LCS and the SSLv23, it fails immediately where the TLSv1 gets me further along.

Kenny.

-----Original Message-----
From: repro-devel-bounces@list.sipfoundry.org [mailto:repro-devel-bounces@list.sipfoundry.org] On Behalf Of Kenny Goers
Sent: Thursday, May 25, 2006 11:51 AM
To: Scott Godin; repro-devel@list.sipfoundry.org
Subject: RE: [repro-devel] MTLS


I've been working this issue with Live Communication Server.

I have had the current version of Repro connected with TLS between two servers, I will chime in on this later today, I'm just too buried to write it up at the moment, but I also plan on writing a document on this and adding it to the documentation.

I have had some success with LCS and outbound connections (Repro->LCS), which seems to work OK, but I haven't completed this step due to certificate requirements for LCS.  But the LCS->Repro connection completely fails in the OpenSSL layer, and I haven't determined why.

Kenny.

-----Original Message-----
From: Scott Godin [mailto:slgodin@icescape.com]
Sent: Thursday, May 25, 2006 10:47 AM
To: Kenny Goers; repro-devel@list.sipfoundry.org
Subject: RE: [repro-devel] MTLS

To connect to LCS with TLS the addTransport call must specify a security type of SSLv23.  Since repro does not specify this argument (it uses the default of TLSv1) - it will not work as is.  You must modify the addTransport code in repro.cxx in order to get this to work.  Note:  We should add a command line switch for this.

As for MTLS - this simply means that both the client and server ends of the TLS connection perform certificate and domain name validation.  Repro does not perform MTLS connection checks (it does client side checks only), but it can be used with systems that do - since it will provide its certificate to the far end, if/when requested.

Scott

> -----Original Message-----
> From: repro-devel-bounces@list.sipfoundry.org [mailto:repro-devel-bounces@list.sipfoundry.org] On Behalf Of Kenny Goers
> Sent: Wednesday, May 24, 2006 9:50 AM
> To: repro-devel@list.sipfoundry.org
> Subject: [repro-devel] MTLS
> 
> 
> Hello all,
> 
> I've been working to get Repro to connect to LCS using various setups, but using any kind of TLS/secure connection causes it to fail.  I'm guessing this is because Microsoft is using a custom form of TLS it calls MTLS.  Does anyone know if OpenSSL supports MTLS?  Or is it a custom implementation?
> 
> I've tried but have been unable to find ANY useful information on MTLS.
> 
> Thanks,
> Kenny.
> _______________________________________________
> repro-devel mailing list
> repro-devel@list.sipfoundry.org
> https://list.sipfoundry.org/mailman/listinfo/repro-devel


MTLS
user name
2006-05-28 14:45:33
I could be wrong but my understanding was that only really old versions of LCS had the SSLv23 problem and that newer stuff did take TLSv1. The MTLS just stands for "Mutual TLS" meaning that both ends need to present their certificate.

I would very much like to have Repro working with LCS and I think it should be possible (though there may be some bugs we need to fix). I find http://www.rtfm.com/ssldump/ useful for debugging this stuff.

Thanks for working on this, and if you do get it to work, please please write up some doc on it. The doc does not have to be perfect, anything that gave people some hints would be better than nothing.



MTLS
user name
2006-05-29 14:23:42
When forming connections from resip to LCS using TLSv1 is fine - but for some reason, when forming connections in the opposite direction (i.e. LCS to resip) - if you don't use the SSLv23 SSL context, then you get a SSL2_GET_RECORD:wrong version number error in resip.  I don't really understand why though, since the Client Hello message from LCS has version 0x301 (TLSv1) in it.

Note:  Also - I am in the process of changing the domain name verification code in resip - so that it will be able to match the domain name to certificates with multiple subjectAltName fields.  Currently if there are multiple subjectAltName entries, it will only try to match on the last one present in the certificate.

Scott

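The subjectAltName behaviour Scott describes, shown beside the fix, as an added Python example that is not resip or repro code: `match_last_san_only` mirrors a loop that keeps only the result for the final entry, `match_any_san` accepts the certificate if any dNSName entry matches the domain, and the peer-certificate dict and every name in it are constructed for illustration.

```python
from typing import Iterable

def dns_name_matches(pattern: str, hostname: str) -> bool:
    """Match one subjectAltName dNSName against a hostname.
    Case-insensitive; a wildcard is accepted only as the entire left-most
    label, so "*.example.net" covers "proxy.example.net" but not
    "a.b.example.net" and not "example.net"."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]

def match_last_san_only(sans: Iterable[str], hostname: str) -> bool:
    """The behaviour described in the thread: each iteration overwrites the
    result, so only the final dNSName entry decides the outcome."""
    matched = False
    for name in sans:
        matched = dns_name_matches(name, hostname)
    return matched

def match_any_san(sans: Iterable[str], hostname: str) -> bool:
    """The fixed behaviour: accept the certificate if any entry matches."""
    return any(dns_name_matches(name, hostname) for name in sans)

def dns_sans_from_peercert(peercert: dict) -> list[str]:
    """Pull dNSName entries out of the dict that ssl.SSLSocket.getpeercert()
    returns, where subjectAltName is a tuple of (type, value) pairs."""
    return [value for kind, value in peercert.get("subjectAltName", ())
            if kind == "DNS"]

# Constructed sample (not a real certificate): what getpeercert() might
# return for a proxy certificate that also covers two other SIP domains.
SAMPLE_PEERCERT = {
    "subject": ((("commonName", "sip.example.com"),),),
    "subjectAltName": (("DNS", "sip.example.com"),
                       ("DNS", "*.example.net"),
                       ("IP Address", "192.0.2.10"),
                       ("DNS", "lcs.example.org")),
}

if __name__ == "__main__":
    sans = dns_sans_from_peercert(SAMPLE_PEERCERT)
    for host in ("sip.example.com", "proxy.example.net", "lcs.example.org"):
        print(host, match_last_san_only(sans, host), match_any_san(sans, host))
```

With the sample certificate, only the domain listed last (lcs.example.org) is accepted by the last-entry-only matcher; the other two fail until every entry is checked.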

MTLS
user name
2006-05-29 14:44:56
On May 29, 2006, at 7:23 AM, Scott Godin wrote:

> Currently if there are multiple subjectAltName entries, it will only try to match on the last one present in the certificate.

Excellent change - thank you.