[OpenSIPS-Devel] TLS settings

Dan Pascu dan at ag-projects.com
Fri May 10 08:32:23 EDT 2019


On 10 May 2019, at 14:14, Vlad Patrascu wrote:

> Hi Dan,
> 
> Those settings are not unified, but what version are you referring to?

In 1.11 I had these:

tls_verify_server
tls_verify_client
tls_require_client_certificate

Now in 3.0 (but this was added since 2.1) I have (per domain):
verify_cert
require_cert

and the documentation for the tls_mgm module for the verify_cert and require_cert states that:

"""
Since version 2.1, these parameters act have been reduced to only one. They act both on client side and server side if no domain specified, elseway they act on a specific domain, depending on the first parameter.
"""

This is from the 2.4 documentation, but now I noticed that the documentation from 3.x has changed again and now it states that:

"""
Since version 2.1, these parameters act have been reduced to only one. The domain part represents the name of the TLS domain.

These two parameters are used for incoming TLS connections, where OpenSIPS acts as server.
"""

Which makes it even more confusing. So can you please clarify this and indicate where they apply?

What I want is to have a setup where I do not require SIP clients to have certificates, but I require them in proxy-to-proxy connections.

> 
> Vlad Patrascu
> OpenSIPS Developer
> http://www.opensips-solutions.com
> 
> On 05/10/2019 01:40 PM, Dan Pascu wrote:
>> In the past (version 1.11) the tls settings for clients and servers were separated. I used to have verify=1 and require=1 for server and verify=1 and require=0 for clients. This way I would not allow a connection to a server that didn't present a valid certificate, but I would allow a client to connect to opensips over tls without having to have a certificate, yet I would still verify it if one was presented.
>> 
>> Now that client and server settings are unified, how can the above scenario be implemented in order to allow user agent to connect over tls without having to have a certificate, while still requiring certificates between proxy connections?
>> 
>> --
>> Dan
>> _______________________________________________
>> Devel mailing list
>> Devel at lists.opensips.org
>> http://lists.opensips.org/cgi-bin/mailman/listinfo/devel


--
Dan
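A per-domain layout of the settings the thread discusses, added here as an example that is neither from the thread nor from the OpenSIPS project documentation: it assumes tls_mgm's server_domain/client_domain parameters, the `[domain]value` syntax for verify_cert and require_cert, and the 3.x `socket=` directive; certificate paths and addresses are constructed placeholders. Whether require_cert is honoured for outbound (client-side) connections in 3.x is exactly the open question above, so the peer-facing server domain carries the strict setting.

```cfg
loadmodule "proto_tls.so"
loadmodule "tls_mgm.so"

# Domain "ua": user agents connecting to this proxy (OpenSIPS as TLS server).
# Assumed syntax: "[domain]value". Paths/addresses are constructed placeholders.
modparam("tls_mgm", "server_domain", "ua")
modparam("tls_mgm", "match_ip_address", "[ua]203.0.113.10:5061")
modparam("tls_mgm", "certificate", "[ua]/etc/opensips/tls/proxy-cert.pem")
modparam("tls_mgm", "private_key", "[ua]/etc/opensips/tls/proxy-key.pem")
modparam("tls_mgm", "ca_list", "[ua]/etc/opensips/tls/ua-ca.pem")
# Verify a client certificate if one is presented, but do not require one.
modparam("tls_mgm", "verify_cert", "[ua]1")
modparam("tls_mgm", "require_cert", "[ua]0")

# Domain "peers": inbound proxy-to-proxy connections on a separate socket.
# A peer proxy must present a certificate and it must verify against peer-ca.pem.
modparam("tls_mgm", "server_domain", "peers")
modparam("tls_mgm", "match_ip_address", "[peers]203.0.113.10:5062")
modparam("tls_mgm", "certificate", "[peers]/etc/opensips/tls/proxy-cert.pem")
modparam("tls_mgm", "private_key", "[peers]/etc/opensips/tls/proxy-key.pem")
modparam("tls_mgm", "ca_list", "[peers]/etc/opensips/tls/peer-ca.pem")
modparam("tls_mgm", "verify_cert", "[peers]1")
modparam("tls_mgm", "require_cert", "[peers]1")

# Domain "out": outbound connections to peer proxies (OpenSIPS as TLS client).
# Always verify the remote server certificate; never connect to an unverified peer.
modparam("tls_mgm", "client_domain", "out")
modparam("tls_mgm", "match_ip_address", "[out]198.51.100.20:5061")
modparam("tls_mgm", "certificate", "[out]/etc/opensips/tls/proxy-cert.pem")
modparam("tls_mgm", "private_key", "[out]/etc/opensips/tls/proxy-key.pem")
modparam("tls_mgm", "ca_list", "[out]/etc/opensips/tls/peer-ca.pem")
modparam("tls_mgm", "verify_cert", "[out]1")

# One TLS socket per server domain so the match_ip_address rules select them.
socket=tls:203.0.113.10:5061
socket=tls:203.0.113.10:5062
```

Keeping the user-agent and peer listeners on distinct sockets is what lets the lenient and strict require_cert values coexist; a single shared socket would force one policy on both.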