|
@@ -62,10 +62,20 @@ modparam("tls", "tls_method", "TLSv1")
|
|
<section id="certificate">
|
|
<section id="certificate">
|
|
<title><varname>certificate</varname> (string)</title>
|
|
<title><varname>certificate</varname> (string)</title>
|
|
<para>
|
|
<para>
|
|
- Sets the certificate file name. The certificate file can also contain the private key in PEM format.
|
|
|
|
|
|
+ Sets the certificate file name. The certificate file can also contain
|
|
|
|
+ the private key in PEM format.
|
|
</para>
|
|
</para>
|
|
<para>
|
|
<para>
|
|
- <emphasis>Warning:</emphasis> try not to use certificate with keys longer then 1024 bytes. Longer keys will severely impact performance, in particular the TLS connection rate.
|
|
|
|
|
|
+ If the file name starts with a '.' the path will be relative to the
|
|
|
|
+ working directory (<emphasis>at runtime</emphasis>). If it starts
|
|
|
|
+ with a '/' it will be an absolute path and if it starts with anything
|
|
|
|
+ else the path will be relative to the main config file directory
|
|
|
|
+ (e.g.: for ser -f /etc/ser/ser.cfg it will be relative to /etc/ser/).
|
|
|
|
+ </para>
|
|
|
|
+ <para>
|
|
|
|
+ <emphasis>Warning:</emphasis> try not to use certificate with keys
|
|
|
|
+ longer then 1024 bytes. Longer keys will severely impact performance,
|
|
|
|
+ in particular the TLS connection rate.
|
|
</para>
|
|
</para>
|
|
<para>
|
|
<para>
|
|
The default value is [SER_CFG_DIR]/cert.pem.
|
|
The default value is [SER_CFG_DIR]/cert.pem.
|
|
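Review bot: the new path-resolution paragraph is ambiguous about what "starts with a '.'" covers: a reader cannot tell whether a plain hidden file name such as `.cert.pem` is resolved against the working directory or against the config directory, nor whether "working directory (at runtime)" means the directory ser was started from or the one it has after daemonizing. Spell out the intended forms (for example `./x.pem` and `../x.pem`) and which directory is meant. Since the warning paragraph is being re-wrapped anyway, also fix "longer then 1024 bytes": it should read "longer than", and the unit is bits, not bytes (a 1024-byte key would be 8192 bits). The hunk gives performance as the only reason for the warning; say so explicitly ("for performance reasons") so readers do not take 1024 bits as a recommended upper bound on key size for security.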
@@ -86,7 +96,16 @@ modparam("tls", "certificate", "/usr/local/etc/ser/my_certificate.pem")
|
|
Sets the private key file name.
|
|
Sets the private key file name.
|
|
</para>
|
|
</para>
|
|
<para>
|
|
<para>
|
|
- Note: the private key can be contained in the same file as the certificate (just append it to the certificate file, e.g.: cat pkey.pem >> cert.pem)
|
|
|
|
|
|
+ If the file name starts with a '.' the path will be relative to the
|
|
|
|
+ working directory (<emphasis>at runtime</emphasis>). If it starts
|
|
|
|
+ with a '/' it will be an absolute path and if it starts with anything
|
|
|
|
+ else the path will be relative to the main config file directory
|
|
|
|
+ (e.g.: for ser -f /etc/ser/ser.cfg it will be relative to /etc/ser/).
|
|
|
|
+ </para>
|
|
|
|
+ <para>
|
|
|
|
+ Note: the private key can be contained in the same file as the
|
|
|
|
+ certificate (just append it to the certificate file, e.g.:
|
|
|
|
+ cat pkey.pem >> cert.pem)
|
|
</para>
|
|
</para>
|
|
<para>
|
|
<para>
|
|
The default value is [SER_CFG_DIR]/cert.pem.
|
|
The default value is [SER_CFG_DIR]/cert.pem.
|
|
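Review bot: the five-line path-resolution paragraph is pasted verbatim into the `private` section, and the same text appears under `certificate`, `ca_list` and the TLS config file elsewhere in this patch; if the rule ever changes, four copies have to be kept in sync. Consider stating it once (a shared paragraph or a DocBook entity) and referring to it from each parameter. The re-wrapped note that the key may be appended to the certificate file (`cat pkey.pem >> cert.pem`) would benefit from one sentence saying that the combined file must then carry the private key's restrictive permissions, since a standalone certificate file is commonly left world-readable. The unchanged context line "The default value is [SER_CFG_DIR]/cert.pem." under `private` is also worth a second look: it only makes sense if the default certificate file is expected to contain the key, and the text should say so.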
@@ -104,13 +123,27 @@ modparam("tls", "private", "/usr/local/etc/ser/my_pkey.pem")
|
|
<section id="ca_list">
|
|
<section id="ca_list">
|
|
<title><varname>ca_list</varname> (string)</title>
|
|
<title><varname>ca_list</varname> (string)</title>
|
|
<para>
|
|
<para>
|
|
- Sets the CA list file name. This file contains a list of all the trusted CAs certificates. If a signature in a certificate chain belongs to one of the listed CAs, the authentication will succeed. See also <emphasis>verify_certificate</emphasis>, <emphasis>verify_depth</emphasis> and <emphasis>require_certificate</emphasis>.
|
|
|
|
|
|
+ Sets the CA list file name. This file contains a list of all the
|
|
|
|
+ trusted CAs certificates. If a signature in a certificate chain belongs
|
|
|
|
+ to one of the listed CAs, the authentication will succeed. See also
|
|
|
|
+ <emphasis>verify_certificate</emphasis>,
|
|
|
|
+ <emphasis>verify_depth</emphasis> and
|
|
|
|
+ <emphasis>require_certificate</emphasis>.
|
|
|
|
+ </para>
|
|
|
|
+ <para>
|
|
|
|
+ If the file name starts with a '.' the path will be relative to the
|
|
|
|
+ working directory (<emphasis>at runtime</emphasis>). If it starts
|
|
|
|
+ with a '/' it will be an absolute path and if it starts with anything
|
|
|
|
+ else the path will be relative to the main config file directory
|
|
|
|
+ (e.g.: for ser -f /etc/ser/ser.cfg it will be relative to /etc/ser/).
|
|
</para>
|
|
</para>
|
|
<para>
|
|
<para>
|
|
By default the CA file is not set.
|
|
By default the CA file is not set.
|
|
</para>
|
|
</para>
|
|
<para>
|
|
<para>
|
|
- An easy way to create the CA list is to append each trusted trusted CA certificate in the PEM format to one file, e.g.: for f in trusted_cas/*.pem ; do cat "$f" >> ca_list.pem ; done .
|
|
|
|
|
|
+ An easy way to create the CA list is to append each trusted trusted CA
|
|
|
|
+ certificate in the PEM format to one file, e.g.: for f in
|
|
|
|
+ trusted_cas/*.pem ; do cat "$f" >> ca_list.pem ; done .
|
|
</para>
|
|
</para>
|
|
<example>
|
|
<example>
|
|
<title>Set <varname>ca_list</varname> parameter</title>
|
|
<title>Set <varname>ca_list</varname> parameter</title>
|
|
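Review bot: the re-wrapped sentence keeps the doubled word in `+ An easy way to create the CA list is to append each trusted trusted CA`; drop one "trusted". In the same hunk, "all the trusted CAs certificates" should read "all the trusted CA certificates". The shell loop shown for building the list (`for f in trusted_cas/*.pem ; do cat "$f" >> ca_list.pem ; done`) appends to whatever `ca_list.pem` already contains, so running it twice duplicates every CA; suggest truncating first or simply `cat trusted_cas/*.pem > ca_list.pem`. The path-resolution paragraph added here has the same '.'-prefix ambiguity as its copies in the `certificate` and `private` sections (hidden file name versus `./` and `../`), so whichever wording is chosen should be applied to all of them.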
@@ -760,13 +793,24 @@ modparam("tls", "tls_force_run", 11)
|
|
Sets the name of the TLS specific config file.
|
|
Sets the name of the TLS specific config file.
|
|
</para>
|
|
</para>
|
|
<para>
|
|
<para>
|
|
- If set the TLS module will load a special config file, in which different TLS parameters can be specified on a per role (server or client) and domain basis (for now only IPs). The corresponding module parameters will be ignored.
|
|
|
|
|
|
+ If set the TLS module will load a special config file, in which
|
|
|
|
+ different TLS parameters can be specified on a per role (server or
|
|
|
|
+ client) and domain basis (for now only IPs). The corresponding module
|
|
|
|
+ parameters will be ignored.
|
|
|
|
+ </para>
|
|
|
|
+ <para>
|
|
|
|
+ If the file name starts with a '.' the path will be relative to the
|
|
|
|
+ working directory (<emphasis>at runtime</emphasis>). If it starts
|
|
|
|
+ with a '/' it will be an absolute path and if it starts with anything
|
|
|
|
+ else the path will be relative to the main config file directory
|
|
|
|
+ (e.g.: for ser -f /etc/ser/ser.cfg it will be relative to /etc/ser/).
|
|
</para>
|
|
</para>
|
|
<para>
|
|
<para>
|
|
By default no config file is specified.
|
|
By default no config file is specified.
|
|
</para>
|
|
</para>
|
|
<para>
|
|
<para>
|
|
- The following parameters can be set in the config file, for each domain:
|
|
|
|
|
|
+ The following parameters can be set in the config file, for each
|
|
|
|
+ domain:
|
|
</para>
|
|
</para>
|
|
<itemizedlist>
|
|
<itemizedlist>
|
|
<listitem><para>tls_method</para></listitem>
|
|
<listitem><para>tls_method</para></listitem>
|
|
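Review bot: "The corresponding module parameters will be ignored." leaves open whether a parameter that is not set for a given role or domain in the TLS config file falls back to the `modparam` value or to the built-in default; the reader needs that to know which settings are in effect. State the fallback explicitly. "on a per role (server or client) and domain basis (for now only IPs)" would read more clearly as "per role (server or client) and per domain (currently identified by IP address only)". The path-resolution paragraph added here is a verbatim copy of the one added to the `certificate`, `private` and `ca_list` sections in this patch; consider defining it once and cross-referencing it.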
@@ -779,7 +823,16 @@ modparam("tls", "tls_force_run", 11)
|
|
<listitem><para>cipher_list</para></listitem>
|
|
<listitem><para>cipher_list</para></listitem>
|
|
</itemizedlist>
|
|
</itemizedlist>
|
|
<para>
|
|
<para>
|
|
- SIP-router acts as a server when it accepts a connection and as a client when it initiates a new connection by itself (it connects to something).
|
|
|
|
|
|
+ All the parameters that take filenames as values will be resolved
|
|
|
|
+ using the same rules as for the tls config filename itself: starting
|
|
|
|
+ with a '.' means relative to the working directory, a '/' means an
|
|
|
|
+ absolute path and anything else a path relative to the directory of
|
|
|
|
+ the current ser main config file.
|
|
|
|
+ </para>
|
|
|
|
+ <para>
|
|
|
|
+ SIP-router acts as a server when it accepts a connection and as a
|
|
|
|
+ client when it initiates a new connection by itself (it connects to
|
|
|
|
+ something).
|
|
</para>
|
|
</para>
|
|
<example>
|
|
<example>
|
|
<title>Short config file</title>
|
|
<title>Short config file</title>
|
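Review bot: "All the parameters that take filenames as values" should name them; the list just above shows only `tls_method` and `cipher_list`, neither of which is a file, so the reader has to guess which config-file entries are subject to path resolution. The sentence also makes relative paths resolve against "the directory of the current ser main config file" rather than against the TLS config file that contains them; that is a deliberate and somewhat surprising choice, so one worked line (for instance, with the main config at /etc/ser/ser.cfg and the TLS config elsewhere, a value of `certs/a.pem` resolving to /etc/ser/certs/a.pem) would prevent misconfiguration. Minor: this paragraph says "ser main config file" while the next one says "SIP-router acts as a server"; use one product name within the section.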