dexter has uploaded this change for review. (
https://gerrit.osmocom.org/c/pysim/+/41294?usp=email )
Change subject: osmo-smdpp: update documentation
......................................................................
osmo-smdpp: update documentation
osmo-smdpp has built-in SSL/TLS support for quite some time now. The manual
does not
yet mention this feature yet.
Change-Id: I2db5ae32914386a34eab1ed7d2aff8cae82bfa9b
---
M docs/osmo-smdpp.rst
1 file changed, 28 insertions(+), 12 deletions(-)
git pull ssh://gerrit.osmocom.org:29418/pysim refs/changes/94/41294/1
diff --git a/docs/osmo-smdpp.rst b/docs/osmo-smdpp.rst
index 3502003..dc32db7 100644
--- a/docs/osmo-smdpp.rst
+++ b/docs/osmo-smdpp.rst
@@ -40,16 +40,21 @@
Running osmo-smdpp
------------------
-osmo-smdpp does not have built-in TLS support as the used *twisted* framework
appears to have
-problems when using the example elliptic curve certificates (both NIST and
Brainpool) from GSMA.
+osmo-smdpp comes with built-in TLS support which is enabled by default.
However, it is always possible to
+disable the built-in TLS support if needed.
-So in order to use it, you have to put it behind a TLS reverse proxy, which
terminates the ES9+
-HTTPS from the LPA, and then forwards it as plain HTTP to osmo-smdpp.
+In order to use osmo-smdpp without the built-in TLS support, it has to be put
behind a TLS reverse proxy,
+which terminates the ES9+ HTTPS traffic from the LPA, and then forwards it as
plain HTTP to osmo-smdpp.
+
+NOTE: The built in TLS support in osmo-smdpp makes use of the python *twisted*
framework. Older versions
+of this framework appear to have problems when using the example elliptic
curve certificates (both NIST and
+Brainpool) from GSMA.
+
nginx as TLS proxy
~~~~~~~~~~~~~~~~~~
-If you use `nginx` as web server, you can use the following configuration
snippet::
+If you chose to use `nginx` as TLS reverse proxy, you can use the following
configuration snippet::
upstream smdpp {
server localhost:8000;
@@ -92,32 +97,43 @@
commandline options
~~~~~~~~~~~~~~~~~~~
-Typically, you just run it without any arguments, and it will bind its
plain-HTTP ES9+ interface to
-`localhost` TCP port 8000.
+Typically, you just run osmo-smdpp without any arguments, and it will bind its
built-in HTTPS ES9+ interface to
+`localhost` TCP port 443. In this case an external TLS reverse proxy is not
needed.
osmo-smdpp currently doesn't have any configuration file.
There are command line options for binding:
-Bind the HTTP ES9+ to a port other than 8000::
+Bind the HTTPS ES9+ to a port other than 443::
- ./osmo-smdpp.py -p 8001
+ ./osmo-smdpp.py -p 8443
+
+Disable the built-in TLS support and bind the plain-HTTP ES9+ to a port 8000::
+
+ ./osmo-smdpp.py -p 8000 --nossl
Bind the HTTP ES9+ to a different local interface::
- ./osmo-smdpp.py -H 127.0.0.1
+ ./osmo-smdpp.py -H 127.0.0.2
DNS setup for your LPA
~~~~~~~~~~~~~~~~~~~~~~
The LPA must resolve `testsmdpplus1.example.com` to the IP address of your TLS
proxy.
-It must also accept the TLS certificates used by your TLS proxy.
+It must also accept the TLS certificates used by your TLS proxy. In case
osmo-smdpp is used with built-in TLS support,
+it will use the certificates provided in smdpp-data.
+
+NOTE: The HTTPS ES9+ interface cannot be addressed by the LPA directly via its
IP address. The reason for this is that
+the included SGP.26 (DPtls) test certificates explicitly restrict the hostname
to `testsmdpplus1.example.com` in the
+`X509v3 Subject Alternative Name` extension. Using a bare IP address as
hostname may cause the certificate to be
+rejected by the LPA.
+
Supported eUICC
~~~~~~~~~~~~~~~
-If you run osmo-smdpp with the included SGP.26 certificates, you must use an
eUICC with matching SGP.26
+If you run osmo-smdpp with the included SGP.26 (DPauth, DPpb) certificates,
you must use an eUICC with matching SGP.26
certificates, i.e. the EUM certificate must be signed by a SGP.26 test root CA
and the eUICC certificate
in turn must be signed by that SGP.26 EUM certificate.
--
To view, visit https://gerrit.osmocom.org/c/pysim/+/41294?usp=email
To unsubscribe, or for help writing mail filters, visit
https://gerrit.osmocom.org/settings?usp=email
Gerrit-MessageType: newchange
Gerrit-Project: pysim
Gerrit-Branch: master
Gerrit-Change-Id: I2db5ae32914386a34eab1ed7d2aff8cae82bfa9b
Gerrit-Change-Number: 41294
Gerrit-PatchSet: 1
Gerrit-Owner: dexter <[email protected]>
