
tls: updated readme with missing parameters

Daniel-Constantin Mierla 13 years ago
parent
commit
30266d27e3
2 changed files with 105 additions and 7 deletions
  1. 48 7
      modules/tls/README
  2. 57 0
      modules/tls/doc/params.xml

+ 48 - 7
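--- a/modules/tls/README
+++ b/modules/tls/README
@@ -4,7 +4,7 @@ Andrei Pelinescu-Onciul
 
 
    iptelorg GmbH
 
 
-   Copyright © 2007 iptelorg GmbH
+   Copyright © 2007 iptelorg GmbH
      __________________________________________________________________
 
 
    1.1. Overview
@@ -43,7 +43,10 @@ Andrei Pelinescu-Onciul
         1.9.24. low_mem_threshold1 (integer)
         1.9.25. low_mem_threshold2 (integer)
         1.9.26. tls_force_run (boolean)
-        1.9.27. config (string)
+        1.9.27. session_cache (boolean)
+        1.9.28. session_id (str)
+        1.9.29. renegotiation (boolean)
+        1.9.30. config (string)
 
 
    1.10. Functions
 
 
@@ -883,7 +886,45 @@ modparam("tls", "low_mem_threshold2", -1)
 modparam("tls", "tls_force_run", 11)
 ...
 
 
-1.9.27. config (string)
+1.9.27. session_cache (boolean)
+
+   If enabled SIP server will do caching of the TLS sessions data,
+   generation a session_id and sending it back to client.
+
+   By default TLS session caching is disabled (0).
+
+   Example 36. Set session_cache parameter
+...
+modparam("tls", "session_cache", 1)
+...
+
+1.9.28. session_id (str)
+
+   The value for session ID context, making sense when session caching is
+   enabled.
+
+   By default TLS session_id is "sip-router-tls-3.1".
+
+   Example 37. Set session_id parameter
+...
+modparam("tls", "session_id", "my-session-id-context")
+...
+
+1.9.29. renegotiation (boolean)
+
+   If enabled SIP server will allow renegotiations of TLS connection
+   initiated by the client. This may expose to a security risk if the
+   client is not a trusted peer and keeps renegotiating, consuming CPU and
+   bandwidth resources.
+
+   By default TLS renegotiation is disabled (0).
+
+   Example 38. Set renegotiation parameter
+...
+modparam("tls", "renegotiation", 1)
+...
+
+1.9.30. config (string)
 
 
    Sets the name of the TLS specific config file.
 
 
@@ -922,7 +963,7 @@ modparam("tls", "tls_force_run", 11)
    client when it initiates a new connection by itself (it connects to
    something).
 
 
-   Example 36. Short config file
+   Example 39. Short config file
 [server:default]
 method = TLSv1
 verify_certificate = yes
@@ -949,7 +990,7 @@ ca_list = local_ca.pem
    For a more complete example check the tls.cfg distributed with the
    SIP-router source (sip_router/modules/tls/tls.cfg).
 
 
-   Example 37. Set config parameter
+   Example 40. Set config parameter
 ...
 modparam("tls", "config", "/usr/local/etc/ser/tls.cfg")
 ...
@@ -957,7 +998,7 @@ modparam("tls", "config", "/usr/local/etc/ser/tls.cfg")
    It can be changed also at runtime. The new config will not be loaded
    immediately, but after the first tls.reload RPC call.
 
 
-   Example 38. Change and reload tls config at runtime
+   Example 41. Change and reload tls config at runtime
  $ sercmd cfg.set_now_string tls config "/usr/local/etc/ser/new_tls.cfg"
  $ sercmd tls.reload
 
 
@@ -969,7 +1010,7 @@ modparam("tls", "config", "/usr/local/etc/ser/tls.cfg")
    , the peer presented an X509 certificate and the certificate chain
    verified ok. It can be used only in a request route.
 
 
-   Example 39. is_peer_verified usage
+   Example 42. is_peer_verified usage
         if (proto==TLS && !is_peer_verified()){
                 sl_send_reply("400", "No certificate or verification failed");
                 drop;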

+ 57 - 0
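--- a/modules/tls/doc/params.xml
+++ b/modules/tls/doc/params.xml
@@ -855,6 +855,63 @@ modparam("tls", "tls_force_run", 11)
 	</example>
 	</section>
 
+	<section id="session_cache">
+	<title><varname>session_cache</varname> (boolean)</title>
+	<para>
+		If enabled SIP server will do caching of the TLS sessions data, generation a session_id and sending
+		it back to client.
+	</para>
+	<para>
+		By default TLS session caching is disabled (0).
+	</para>
+	<example>
+		<title>Set <varname>session_cache</varname> parameter</title>
+		<programlisting>
+...
+modparam("tls", "session_cache", 1)
+...
+	</programlisting>
+	</example>
+	</section>
+
+	<section id="session_id">
+	<title><varname>session_id</varname> (str)</title>
+	<para>
+		The value for session ID context, making sense when session caching is enabled.
+	</para>
+	<para>
+		By default TLS session_id is "sip-router-tls-3.1".
+	</para>
+	<example>
+		<title>Set <varname>session_id</varname> parameter</title>
+		<programlisting>
+...
+modparam("tls", "session_id", "my-session-id-context")
+...
+	</programlisting>
+	</example>
+	</section>
+
+	<section id="renegotiation">
+	<title><varname>renegotiation</varname> (boolean)</title>
+	<para>
+		If enabled SIP server will allow renegotiations of TLS connection initiated by the client. This may
+		expose to a security risk if the client is not a trusted peer and keeps renegotiating, consuming CPU
+		and bandwidth resources.
+	</para>
+	<para>
+		By default TLS renegotiation is disabled (0).
+	</para>
+	<example>
+		<title>Set <varname>renegotiation</varname> parameter</title>
+		<programlisting>
+...
+modparam("tls", "renegotiation", 1)
+...
+	</programlisting>
+	</example>
+	</section>
+
 	<section id="config">
 	<title><varname>config</varname> (string)</title>
 	<para>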