#1 You should compile opensips with TLS=1. You can create those certificates with openssl and use some cipher with Diffie–Hellman and configure the corresponding "tls_dh_params" setting in the opensips config in order to use PFS. opensips provides some easy commands to create certificates with *opensipsctl tls <option>*, where option is either rootCA | userCERT. It uses <install-dir>/etc/tls/ca.conf and <user>.conf and request.conf for the different types of certificates.
Here are the settings related to tls, excerpted from the source code:

disable_tls
tlslog | tls_log
tls_port_no
tls_method
tls_verify_client
tls_verify_server
tls_require_client_certificate
tls_certificate
tls_private_key
tls_ca_list
tls_ca_dir
tls_dh_params
tls_ec_curve
tls_ciphers_list
tls_handshake_timeout
tls_send_timeout
tls_server_domain
tls_client_domain
tls_client_domain_avp

On Sat, Feb 21, 2015 at 11:25 AM, Karl Karpfen <[email protected]> wrote:
> Hi,
>
> in opensips.cfg there is a section after the "disable_tls" option where
> some certificates and keys need to be configured which do not exist by
> default:
>
> tls_certificate=/usr/local/etc/opensips/tls/user/user-cert.pem
> tls_private_key=/usr/local/etc/opensips/tls/user/user-privkey.pem
> tls_ca_list=/usr/local/etc/opensips/tls/user/user-calist.pem
>
> My question: how can I create these data correctly in order to have TLS
> connection to server? And is there a possibility to use perfect forward
> secrecy?
>
> Thanks!
>
>
> _______________________________________________
> Users mailing list
> [email protected]
> http://lists.opensips.org/cgi-bin/mailman/listinfo/users
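The certificate and DH-parameter steps the reply describes, done with plain openssl, as an added example that is not part of the original thread or of OpenSIPS. The output file names follow the paths quoted in the question; the CA subject, the host name, the dh-params.pem file name and the quoted `name = "value"` form of the printed config lines are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Output file names follow the paths quoted
# in the question; the CA subject and dh-params.pem are assumed names.

# make_tls_material DIR COMMON_NAME [DH_BITS]
make_tls_material() (
    dir=$1 cn=$2 dh_bits=${3:-2048}
    umask 077                      # keys are never world-readable, even briefly
    mkdir -p "$dir" || exit 1
    # 1. Self-signed root CA; its certificate is the file tls_ca_list points at.
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -subj "/CN=Example SIP Root CA" \
        -keyout "$dir/ca-privkey.pem" -out "$dir/user-calist.pem" 2>/dev/null || exit 1
    # 2. Private key and certificate request for the OpenSIPS host.
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$cn" \
        -keyout "$dir/user-privkey.pem" -out "$dir/user-req.pem" 2>/dev/null || exit 1
    # 3. The CA signs the request, producing the server certificate.
    openssl x509 -req -in "$dir/user-req.pem" -sha256 -days 365 \
        -CA "$dir/user-calist.pem" -CAkey "$dir/ca-privkey.pem" \
        -CAcreateserial -out "$dir/user-cert.pem" 2>/dev/null || exit 1
    # 4. Diffie-Hellman parameters for tls_dh_params (slow at 2048 bits).
    openssl dhparam -out "$dir/dh-params.pem" "$dh_bits" 2>/dev/null || exit 1
)

# check_tls_material DIR: succeeds only if the chain verifies, the key
# belongs to the certificate, and the DH parameters pass openssl's check.
check_tls_material() {
    openssl verify -CAfile "$1/user-calist.pem" "$1/user-cert.pem" >/dev/null 2>&1 || return 1
    cert_pub=$(openssl x509 -in "$1/user-cert.pem" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$1/user-privkey.pem" -pubout 2>/dev/null) || return 1
    [ "$cert_pub" = "$key_pub" ] || return 1
    openssl dhparam -in "$1/dh-params.pem" -check -noout >/dev/null 2>&1
}

# print_opensips_cfg DIR: the opensips.cfg lines that reference the files.
print_opensips_cfg() {
    printf 'tls_certificate = "%s/user-cert.pem"\n' "$1"
    printf 'tls_private_key = "%s/user-privkey.pem"\n' "$1"
    printf 'tls_ca_list = "%s/user-calist.pem"\n' "$1"
    printf 'tls_dh_params = "%s/dh-params.pem"\n' "$1"
}

# Run as: sh make-tls.sh /usr/local/etc/opensips/tls/user sip.example.test
if [ "$#" -ge 2 ]; then
    make_tls_material "$@" && check_tls_material "$1" && print_opensips_cfg "$1"
fi
```

The files are created with owner-only permissions, so the account OpenSIPS runs under must own them or be granted read access. The DH parameters only matter once tls_ciphers_list permits a Diffie–Hellman key exchange.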
