development:tls-requirements

TLS requirements

This site is for discussion of requirements for a new TLS implementation for openser (vs. the one inside openser 1.0, 1.1, 1.2 and 1.3).

non-blocking (TLS handshake and other activities must not block openser)

TLS reload. Reloading the TLS configuration while openser is running (e.g for loading new certificates, changing CAs, loading new certificate revocation lists). Must not block openser. Current TLS connections must be keep alive. Adding new virtual TLS domains would also require to add new TCP sockets during TLS reload without restarting openser. This will b another important feature: openser reload (reload the config without restarting, current transactions will keep the old routing config while new transactionsw ill be routed according to the new config, like “asterisk reload”).

TLS shutdown. Manually shutdown TTLS connections. Maybe one command to shut down all connections, one command to shut down all incoming/outgoing connections. E.g. this can be used after “tls reload” to force the new TLS configuration.

Marking TCP/TLS connection in openser.cfg.

  if (proto==TLS) and (from==myself) {
    setTcpFlag(3);
  }

Setting a flag for certain TLS connections - e.g. to differ between TLS connections from SIP clients (local users) and from Proxy-Proxy TLS connections. Then TLS shutdown for example can be used to shut down all proxy-proxy TLS connections, or all Client-Proxy connections. “openserctl tls shutdown tcpflag 3”

connection reuse/no connection reuse when connection to some socket but other domain (see SIP outbound draft )

certificate revocation lists. “openserctl tls reload crl”

flexible configuration framework: outside openser.cfg, e.g. a dedicated text file
1. allow specification of TLS domains (CA+key+cert)
2. assign these TLS domains (with specification of validation requirement, cipher, TLS version. compression: yes/no, ) to
  - local sockets (incoming)
  - remote sockets (outgoing)
  - string, for name based TLS-client domains (outgoing)

nice2have: TLS extensions: Server Name Indication+Trusted CA Indication on both, the server and client side.

Maybe hardware support (openssl crypto engine support)?

Review the TLS configuration of other applications to do not miss something important (e.g. http://httpd.apache.org/docs/2.2/mod/mod_ssl.html)