Works - thanks!

2015-02-23 21:54 GMT+01:00 Podrigal, Aron <[email protected]>:

> create the certificates and set the params to match that.
>
> eg.
> tls_certificate = "/usr/local/etc/opensips/tls/rootCA/cacert.pem"
> tls_private_key = "/usr/local/etc/opensips/tls/rootCA/private/cakey.pem"
> tls_ca_list = "/usr/local/etc/opensips/tls/rootCA/cacert.pem"
>
> On Mon, Feb 23, 2015 at 11:45 AM, Karl Karpfen <[email protected]> wrote:
>
>> Hm, I'm not sure if I understand this. When I set "disable_tls=no" in
>> configuration file, OpenSIPS complains about a missing file
>>
>> ERROR:core:load_private_key: unable to load private key file '/usr/local//etc/opensips/tls/cert.pem
>>
>> But "opensipsctl cootCA" does not create this file and "opensips
>> userCERT" requires a username that also does not correspond to this file.
>>
>> 2015-02-22 13:00 GMT+01:00 Podrigal, Aron <[email protected]>:
>>
>>> #1 You should compile opensips with TLS=1.
>>>
>>> You can create those certificates with openssl and use some cipher
>>> with Diffie–Hellman so that will and configure the corresponding
>>> "tls_dh_params" setting in opensips config in order to use PFS.
>>> opensips provides some easy commands to create certificates with
>>> *opensipsctl tls <option>* where option is either rootCA | userCERT.
>>> It uses <install-dir>/etc/tls/ca.conf and <user>.conf and request.conf
>>> for the different types of certificates.
>>>
>>> Here are the settings related to tls, excerpted from the source code
>>>
>>> disable_tls
>>> tlslog | tls_log
>>> tls_port_no
>>> tls_method
>>> tls_verify_client
>>> tls_verify_server
>>> tls_require_client_certificate
>>> tls_certificate
>>> tls_private_key
>>> tls_ca_list
>>> tls_ca_dir
>>> tls_dh_params
>>> tls_ec_curve
>>> tls_ciphers_list
>>> tls_handshake_timeout
>>> tls_send_timeout
>>> tls_server_domain
>>> tls_client_domain
>>> tls_client_domain_avp
>>>
>>> On Sat, Feb 21, 2015 at 11:25 AM, Karl Karpfen <[email protected]> wrote:
>>>
>>>> Hi,
>>>>
>>>> in opensips.cfg there is a section after the "disable_tls" option where
>>>> some certificates and keys need to be configured which do not exist by
>>>> default:
>>>>
>>>> tls_certificate=/usr/local/etc/opensips/tls/user/user-cert.pem
>>>> tls_private_key=/usr/local/etc/opensips/tls/user/user-privkey.pem
>>>> tls_ca_list=/usr/local/etc/opensips/tls/user/user-calist.pem
>>>>
>>>> My question: how can I create these data correctly in order to have TLS
>>>> connection to server? And is there a possibility to use perfect forward
>>>> secrecy?
>>>>
>>>> Thanks!
>>>>
>>>> _______________________________________________
>>>> Users mailing list
>>>> [email protected]
>>>> http://lists.opensips.org/cgi-bin/mailman/listinfo/users
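An added example, not part of the thread and not OpenSIPS project code: creating a private CA and a separate server certificate with openssl, so that the CA private key does not have to be the key the SIP server loads, plus DH parameters for the `tls_dh_params` setting mentioned above. The directory layout, subject names, the `dh2048.pem` file name and the cipher string are assumptions.

```shell
#!/bin/sh
# Added example: private CA plus a separate server certificate for OpenSIPS TLS.
# Paths, subject names and the cipher string are assumptions; adjust as needed.
set -eu

make_ca() {            # $1 = output dir; keep rootCA/private off the SIP server
    mkdir -p "$1/rootCA/private" && chmod 700 "$1/rootCA/private"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -subj "/CN=Example SIP Root CA" \
        -keyout "$1/rootCA/private/cakey.pem" -out "$1/rootCA/cacert.pem" 2>/dev/null
}

make_server_cert() {   # $1 = output dir, $2 = server host name
    mkdir -p "$1/server"
    printf 'subjectAltName=DNS:%s\n' "$2" > "$1/server/ext.cnf"
    openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=$2" \
        -keyout "$1/server/privkey.pem" -out "$1/server/req.pem" 2>/dev/null
    openssl x509 -req -sha256 -days 365 -in "$1/server/req.pem" \
        -CA "$1/rootCA/cacert.pem" -CAkey "$1/rootCA/private/cakey.pem" \
        -CAcreateserial -extfile "$1/server/ext.cnf" -out "$1/server/cert.pem" 2>/dev/null
    chmod 600 "$1/server/privkey.pem"
}

make_dh_params() {     # $1 = output dir; slow, generates a 2048-bit DH group
    openssl dhparam -out "$1/dh2048.pem" 2048 2>/dev/null
}

key_matches_cert() {   # $1 = certificate, $2 = private key; true if they pair up
    c=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
    k=$(openssl pkey -in "$2" -pubout | openssl sha256)
    [ "$c" = "$k" ]
}

print_cfg() {          # $1 = output dir; opensips.cfg lines matching the files
    cat <<EOF
disable_tls = no
tls_certificate = "$1/server/cert.pem"
tls_private_key = "$1/server/privkey.pem"
tls_ca_list = "$1/rootCA/cacert.pem"
tls_dh_params = "$1/dh2048.pem"
tls_ciphers_list = "ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384"
EOF
}
if [ "$#" -ge 2 ]; then   # usage: sh mktls.sh <output-dir> <server-name>
    make_ca "$1"; make_server_cert "$1" "$2"; make_dh_params "$1"
    key_matches_cert "$1/server/cert.pem" "$1/server/privkey.pem"
    openssl verify -CAfile "$1/rootCA/cacert.pem" "$1/server/cert.pem"
    print_cfg "$1"
fi
```

Pointing `key_matches_cert` at the files named in `tls_certificate` and `tls_private_key` catches a mismatched pair before OpenSIPS is restarted.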
