[OpenSIPS-Users] How to create certificates for TLS?

Karl Karpfen karlkarpfen79 at gmail.com
Mon Feb 23 17:45:03 CET 2015


Hm, I'm not sure if I understand this. When I set "disable_tls=no" in
configuration file, OpenSIPS complains about a missing file

ERROR:core:load_private_key: unable to load private key file
'/usr/local//etc/opensips/tls/cert.pem

But "opensipsctl rootCA" does not create this file and "opensips userCERT"
requires a username that also does not correspond to this file.

2015-02-22 13:00 GMT+01:00 Podrigal, Aron <aronp at guaranteedplus.com>:

> #1 You should compile opensips with TLS=1.
>
> You can create those certificates with openssl and use some cipher
> with Diffie–Hellman, and configure the corresponding
> "tls_dh_params" setting in opensips config in order to use PFS.
> opensips provides some easy commands to create certificates with "opensipsctl
> tls <option>" where option is either rootCA | userCERT. It uses
> <install-dir>/etc/tls/ca.conf and <user>.conf and request.conf for
> the different type of certificates.
>
> Here are the settings related to tls, excerpted from the source code
>
> disable_tls
> tlslog | tls_log
> tls_port_no
> tls_method
> tls_verify_client
> tls_verify_server
> tls_require_client_certificate
> tls_certificate
> tls_private_key
> tls_ca_list
> tls_ca_dir
> tls_dh_params
> tls_ec_curve
> tls_ciphers_list
> tls_handshake_timeout
> tls_send_timeout
> tls_server_domain
> tls_client_domain
> tls_client_domain_avp
>
>
> On Sat, Feb 21, 2015 at 11:25 AM, Karl Karpfen <karlkarpfen79 at gmail.com>
> wrote:
>
>> Hi,
>>
>> In opensips.cfg there is a section after the "disable_tls" option where
>> some certificates and keys need to be configured which do not exist by
>> default:
>>
>> tls_certificate=/usr/local/etc/opensips/tls/user/user-cert.pem
>> tls_private_key=/usr/local/etc/opensips/tls/user/user-privkey.pem
>> tls_ca_list=/usr/local/etc/opensips/tls/user/user-calist.pem
>>
>> My question: how can I create these data correctly in order to have TLS
>> connection to server? And is there a possibility to use perfect forward
>> secrecy?
>>
>> Thanks!
>>
>>
>> _______________________________________________
>> Users mailing list
>> Users at lists.opensips.org
>> http://lists.opensips.org/cgi-bin/mailman/listinfo/users
>>
>>
>
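An added example (not from this thread or the OpenSIPS project) of the openssl route Aron describes: a private CA, a server key and certificate signed by it, optional DH parameters for PFS, and the matching opensips.cfg TLS lines. The output directory, the server hostname and the cipher string are assumptions; adjust them to your installation.

```shell
#!/bin/sh
# Assumed values: TLS_DIR stands in for /usr/local/etc/opensips/tls from the
# thread, SIP_HOST is a hypothetical server name.
set -eu
TLS_DIR="${TLS_DIR:-${TMPDIR:-/tmp}/opensips-tls}"
SIP_HOST="${SIP_HOST:-sip.example.com}"

# Private CA: self-signed, used only to sign the server cert below.
make_ca() {
  mkdir -p "$TLS_DIR"
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -subj "/CN=Example OpenSIPS CA" \
    -keyout "$TLS_DIR/ca-privkey.pem" -out "$TLS_DIR/ca-cert.pem" 2>/dev/null
}

# Server key + CSR, signed by the CA. SIP over TLS needs a SAN matching the
# hostname peers connect to, and serverAuth/clientAuth because OpenSIPS also
# opens outbound TLS connections.
make_server_cert() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$SIP_HOST" \
    -keyout "$TLS_DIR/server-privkey.pem" -out "$TLS_DIR/server.csr" 2>/dev/null
  printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth,clientAuth\n' \
    "$SIP_HOST" > "$TLS_DIR/server.ext"
  openssl x509 -req -sha256 -days 825 -in "$TLS_DIR/server.csr" \
    -CA "$TLS_DIR/ca-cert.pem" -CAkey "$TLS_DIR/ca-privkey.pem" -CAcreateserial \
    -extfile "$TLS_DIR/server.ext" -out "$TLS_DIR/server-cert.pem" 2>/dev/null
  chmod 600 "$TLS_DIR"/*-privkey.pem
}

# DH group for the DHE ciphers that give PFS (referenced by tls_dh_params).
# Generating 2048-bit parameters is slow, so it only runs when MAKE_DH=1.
make_dh_params() {
  openssl dhparam -out "$TLS_DIR/dh2048.pem" 2048 2>/dev/null
}

# Returns 0 only if the server cert chains to the CA file OpenSIPS will load.
verify_chain() {
  openssl verify -CAfile "$TLS_DIR/ca-cert.pem" "$TLS_DIR/server-cert.pem" >/dev/null 2>&1
}

# The opensips.cfg lines matching the files above (cipher string is an example).
print_cfg() {
  printf 'disable_tls=no\ntls_certificate=%s/server-cert.pem\n' "$TLS_DIR"
  printf 'tls_private_key=%s/server-privkey.pem\ntls_ca_list=%s/ca-cert.pem\n' "$TLS_DIR" "$TLS_DIR"
  printf 'tls_dh_params=%s/dh2048.pem\ntls_ciphers_list=EECDH+AESGCM:EDH+AESGCM:!aNULL:!MD5\n' "$TLS_DIR"
}

make_ca
make_server_cert
[ "${MAKE_DH:-0}" = 1 ] && make_dh_params
verify_chain
print_cfg
```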