<div dir="ltr"><div>#1 You should compile opensips with TLS=1.</div><div><br></div><div>You can create those certificates with openssl and use some cipher with Diffie–Hellman, and configure the corresponding "tls_dh_params" setting in the opensips config, in order to use PFS.</div><div>opensips provides some easy commands to create certificates with <b>opensipsctl tls &lt;option&gt;</b>, where option is either <font face="monospace, monospace">rootCA | userCERT</font>. It uses <font face="monospace, monospace">&lt;install-dir&gt;/etc/tls/ca.conf</font>, <font face="monospace, monospace">&lt;user&gt;.conf</font> and <font face="monospace, monospace">request.conf</font> for the different types of certificates.</div><div><br></div><div>Here are the settings related to TLS, excerpted from the source code:</div><div><br></div><div>disable_tls</div><div>tlslog | tls_log</div><div>tls_port_no</div><div>tls_method</div><div>tls_verify_client</div><div>tls_verify_server</div><div>tls_require_client_certificate</div><div>tls_certificate</div><div>tls_private_key</div><div>tls_ca_list</div><div>tls_ca_dir</div><div>tls_dh_params</div><div>tls_ec_curve</div><div>tls_ciphers_list</div><div>tls_handshake_timeout</div><div>tls_send_timeout</div><div>tls_server_domain</div><div>tls_client_domain</div><div>tls_client_domain_avp</div><div><br></div><div class="gmail_extra"><br><div class="gmail_quote">On Sat, Feb 21, 2015 at 11:25 AM, Karl Karpfen <span dir="ltr">&lt;<a href="mailto:karlkarpfen79@gmail.com" target="_blank">karlkarpfen79@gmail.com</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div class="gmail_extra">Hi,</div><div class="gmail_extra"><br></div><div class="gmail_extra">in opensips.cfg there is a section after the "disable_tls" option where some certificates and keys need to be configured which do not exist by default:</div><div class="gmail_extra"><br></div><div class="gmail_extra"><div class="gmail_extra">tls_certificate=/usr/local/etc/opensips/tls/user/user-cert.pem</div><div 
class="gmail_extra">tls_private_key=/usr/local/etc/opensips/tls/user/user-privkey.pem</div><div class="gmail_extra">tls_ca_list=/usr/local/etc/opensips/tls/user/user-calist.pem</div><div><br></div><div>My question: how can I create this data correctly in order to have a TLS connection to the server? And is there a possibility to use perfect forward secrecy?</div><div><br></div><div>Thanks!</div><div><br></div></div></div>
<br>_______________________________________________<br>
Users mailing list<br>
<a href="mailto:Users@lists.opensips.org">Users@lists.opensips.org</a><br>
<a href="http://lists.opensips.org/cgi-bin/mailman/listinfo/users" target="_blank">http://lists.opensips.org/cgi-bin/mailman/listinfo/users</a><br>
<br></blockquote></div><br></div></div>
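<div>The procedure the reply sketches (a root CA, a server certificate issued from it, DH parameters, and the matching tls_* settings with forward-secret ciphers only), as an added shell example that is not part of the thread and not opensips project code. It does with plain openssl what <b>opensipsctl tls rootCA</b> and <b>opensipsctl tls userCERT</b> automate; the directory layout under <font face="monospace, monospace">$TLS_DIR</font>, the hostname <font face="monospace, monospace">sip.example.com</font>, the listen address and the <font face="monospace, monospace">TLSv1_2</font> method value are assumptions to check against the installed opensips version. The settings written to the cfg fragment are the ones listed in the reply.</div>

```shell
#!/bin/sh
# Added example (not opensips project code, not from the thread): build a private CA,
# issue a server certificate from it, generate DH parameters for DHE-* ciphers and
# write the matching TLS fragment of opensips.cfg. Paths, hostname and the TLSv1_2
# method value are assumptions; verify them against your opensips version.
set -eu

TLS_DIR="${TLS_DIR:-./tls}"                  # assumed; opensips' own default is <install-dir>/etc/tls
SERVER_CN="${SERVER_CN:-sip.example.com}"    # assumed SIP domain / hostname that peers verify

# openssl req config shared by the CA and the server CSR: non-interactive (prompt=no),
# and ca_ext marks the self-signed root as a CA so "openssl verify" accepts the chain.
write_req_config() {
  mkdir -p "$TLS_DIR/rootCA" "$TLS_DIR/user"
  cat > "$TLS_DIR/req.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions    = ca_ext
prompt             = no

[dn]
CN = Example SIP Root CA

[ca_ext]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
}

# Self-signed root CA (what "opensipsctl tls rootCA" produces).
make_ca() {
  write_req_config
  openssl req -x509 -config "$TLS_DIR/req.cnf" -newkey rsa:3072 -nodes -days 3650 -sha256 \
    -keyout "$TLS_DIR/rootCA/cakey.pem" -out "$TLS_DIR/rootCA/cacert.pem"
  chmod 600 "$TLS_DIR/rootCA/cakey.pem"
}

# Server key + certificate signed by the CA (what "opensipsctl tls userCERT" produces).
# The SAN must match what SIP peers verify; the key is unencrypted (-nodes), so mode 600.
make_server_cert() {
  openssl req -new -config "$TLS_DIR/req.cnf" -newkey rsa:2048 -nodes -subj "/CN=$SERVER_CN" \
    -keyout "$TLS_DIR/user/user-privkey.pem" -out "$TLS_DIR/user/user.csr"
  chmod 600 "$TLS_DIR/user/user-privkey.pem"
  cat > "$TLS_DIR/user/user.ext" <<EOF
basicConstraints = CA:FALSE
keyUsage         = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName   = DNS:$SERVER_CN
EOF
  openssl x509 -req -in "$TLS_DIR/user/user.csr" -days 825 -sha256 \
    -CA "$TLS_DIR/rootCA/cacert.pem" -CAkey "$TLS_DIR/rootCA/cakey.pem" -CAcreateserial \
    -extfile "$TLS_DIR/user/user.ext" -out "$TLS_DIR/user/user-cert.pem"
  # tls_ca_list is the set of CAs opensips trusts for peers; here only our own root.
  cp "$TLS_DIR/rootCA/cacert.pem" "$TLS_DIR/user/user-calist.pem"
}

# DH group for DHE-* suites (tls_dh_params). Safe-prime generation at 2048 bits takes a
# while; the ECDHE-* suites selected via tls_ec_curve need no such file.
make_dh_params() {
  openssl dhparam -out "$TLS_DIR/dh2048.pem" 2048
}

# Checks to run before pointing opensips at the files: the certificate chains to the
# CA list, and the private key really belongs to the certificate.
verify_chain() {
  openssl verify -CAfile "$TLS_DIR/user/user-calist.pem" "$TLS_DIR/user/user-cert.pem" \
    >/dev/null 2>&1 || return 1
  cert_pub=$(openssl x509 -in "$TLS_DIR/user/user-cert.pem" -noout -pubkey)
  key_pub=$(openssl pkey -in "$TLS_DIR/user/user-privkey.pem" -pubout)
  [ "$cert_pub" = "$key_pub" ]
}

# TLS fragment for opensips.cfg: only DHE/ECDHE suites, so every session key is ephemeral
# (PFS). Listen address is a placeholder; TLSv1_2 as tls_method value is an assumption,
# older builds only know TLSv1 / SSLv23.
write_opensips_tls_cfg() {
  cat > "$TLS_DIR/opensips-tls.cfg" <<EOF
disable_tls=0
listen=tls:203.0.113.10:5061
tls_method=TLSv1_2
tls_verify_server=1
tls_verify_client=0
tls_require_client_certificate=0
tls_certificate="$TLS_DIR/user/user-cert.pem"
tls_private_key="$TLS_DIR/user/user-privkey.pem"
tls_ca_list="$TLS_DIR/user/user-calist.pem"
tls_dh_params="$TLS_DIR/dh2048.pem"
tls_ec_curve="prime256v1"
tls_ciphers_list="ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256"
EOF
}

generate_all() {
  make_ca; make_server_cert; make_dh_params; verify_chain; write_opensips_tls_cfg
  echo "TLS material under $TLS_DIR; include $TLS_DIR/opensips-tls.cfg from opensips.cfg"
}

# Run the whole procedure with:  sh gen_opensips_tls.sh all
case "${1:-}" in all) generate_all ;; esac
```

<div>The CA list deliberately contains only the private root, so a peer certificate from a public CA will fail tls_verify_server until that CA is appended to user-calist.pem; leaving tls_verify_client=0 while tls_require_client_certificate=0 means inbound peers are encrypted but not authenticated, which is the usual starting point before rolling out client certificates.</div>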