[OpenSIPS-Users] How to create certificates for TLS?

Podrigal, Aron aronp at guaranteedplus.com
Sun Feb 22 13:00:05 CET 2015


#1 You should compile opensips with TLS=1.

You can create those certificates with openssl and use some cipher
with Diffie–Hellman so that will and configure the corresponding
"tls_dh_params" setting in opensips config in order to use PFS.
OpenSIPS provides some easy commands to create certificates with
*opensipsctl tls <option>*, where option is either rootCA | userCERT. It uses
<install-dir>/etc/tls/ca.conf and <user>.conf and request.conf for
the different types of certificates.

Here are the settings related to TLS, excerpted from the source code:

disable_tls
tlslog | tls_log
tls_port_no
tls_method
tls_verify_client
tls_verify_server
tls_require_client_certificate
tls_certificate
tls_private_key
tls_ca_list
tls_ca_dir
tls_dh_params
tls_ec_curve
tls_ciphers_list
tls_handshake_timeout
tls_send_timeout
tls_server_domain
tls_client_domain
tls_client_domain_avp


On Sat, Feb 21, 2015 at 11:25 AM, Karl Karpfen <karlkarpfen79 at gmail.com>
wrote:

> Hi,
>
> in opensips.cfg there is a section after the "disable_tls" option where
> some certificates and keys need to be configured which do not exist by
> default:
>
> tls_certificate=/usr/local/etc/opensips/tls/user/user-cert.pem
> tls_private_key=/usr/local/etc/opensips/tls/user/user-privkey.pem
> tls_ca_list=/usr/local/etc/opensips/tls/user/user-calist.pem
>
> My question: how can I create these data correctly in order to have TLS
> connection to server? And is there a possibility to use perfect forward
> secrecy?
>
> Thanks!
>
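
The steps described in the reply, as an added example that is not part of the original thread: it uses plain openssl rather than opensipsctl tls to build a CA, a signed certificate and the DH parameters that DHE cipher suites need for forward secrecy, then checks the result. The function names, subject names, key sizes and the dh-params.pem file name are assumptions; the other file names follow the question.

```shell
#!/bin/sh
# Added example (not from the thread): TLS material for an OpenSIPS instance.
# Function names, CNs, key sizes and dh-params.pem are assumptions.

# make_tls_material DIR COMMON_NAME [DH_BITS]
make_tls_material() {
    dir=$1; cn=$2; dh_bits=${3:-2048}
    mkdir -p "$dir" || return 1
    (
        umask 077                      # keys must not be group/world readable
        cd "$dir" || exit 1
        # 1. Self-signed root CA; its certificate is what tls_ca_list points to.
        openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
            -subj "/CN=Example SIP Root CA" \
            -keyout ca-privkey.pem -out user-calist.pem 2>/dev/null || exit 1
        # 2. Private key and signing request for the SIP endpoint.
        openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=$cn" \
            -keyout user-privkey.pem -out user-req.pem 2>/dev/null || exit 1
        # 3. CA signs the request (no subjectAltName here; peers that check
        #    host names usually need one added through an extension file).
        openssl x509 -req -in user-req.pem -sha256 -days 365 \
            -CA user-calist.pem -CAkey ca-privkey.pem -CAcreateserial \
            -out user-cert.pem 2>/dev/null || exit 1
        # 4. DH parameters for tls_dh_params; only DHE suites use them.
        openssl dhparam -out dh-params.pem "$dh_bits" 2>/dev/null || exit 1
    )
}

# check_tls_material DIR -> 0 only if chain, key pairing and DH params are sane
check_tls_material() {
    dir=$1
    # Certificate must chain to the CA list OpenSIPS will trust.
    openssl verify -CAfile "$dir/user-calist.pem" "$dir/user-cert.pem" \
        >/dev/null 2>&1 || return 1
    # Certificate and private key must carry the same public key.
    cert_pub=$(openssl x509 -in "$dir/user-cert.pem" -noout -pubkey | openssl sha256)
    key_pub=$(openssl pkey -in "$dir/user-privkey.pem" -pubout | openssl sha256)
    [ "$cert_pub" = "$key_pub" ] || return 1
    # DH parameters must parse and pass openssl's own consistency check.
    openssl dhparam -in "$dir/dh-params.pem" -noout -check >/dev/null 2>&1
}

# Usage: make_tls_material ./tls sip.example.test && check_tls_material ./tls
# Then point tls_certificate, tls_private_key, tls_ca_list and tls_dh_params
# at user-cert.pem, user-privkey.pem, user-calist.pem and dh-params.pem.
```

Keep ca-privkey.pem off the SIP server; only the three user-* files and dh-params.pem are needed there.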