<div dir="ltr"><div>Hm, I'm not sure if I understand this. When I set "disable_tls=no" in configuration file, OpenSIPS complains about a missing file<br><br>ERROR:core:load_private_key: unable to load private key file '/usr/local//etc/opensips/tls/cert.pem<br><br></div>But "opensipsctl cootCA" does not create this file and "opensips userCERT" requires a username that also does not correspond to this file.<br></div><div class="gmail_extra"><br><div class="gmail_quote">2015-02-22 13:00 GMT+01:00 Podrigal, Aron <span dir="ltr"><<a href="mailto:aronp@guaranteedplus.com" target="_blank">aronp@guaranteedplus.com</a>></span>:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div>#1 You should compile opensips with TLS=1.</div><div><br></div><div>You can create those certificates with openssl and use some cipher with Diffie–Hellman so that will and configure the corresponding "tls_dh_params" setting in opensips config in order to use PFS.</div><div>opensips provides some easy commands to create certificates with <b>opensipsctl tls <option> </b>where option is either <font face="monospace, monospace">rootCA | userCERT. it uses <install-dir>/etc/tls/ca.conf and <user>.conf and request.conf for the different type of certificates. </font></div><div><br></div><div>Here are the settings related to tls, excerpted from the source code</div><div><br></div><div>disable_tls</div><div>tlslog | tls_log</div><div>tls_port_no</div><div>tls_method</div><div>tls_verify_client</div><div>tls_verify_server</div><div>tls_require_client_certificate</div><div>tls_certificate</div><div>tls_private_key</div><div>tls_ca_list</div><div>tls_ca_dir</div><div>tls_dh_params</div><div>tls_ec_curve</div><div>tls_ciphers_list</div><div>tls_handshake_timeout</div><div>tls_send_timeout</div><div>tls_server_domain</div><div>tls_client_domain</div><div>tls_client_domain_avp</div><div><br></div><div class="gmail_extra"><br><div class="gmail_quote"><div><div class="h5">On Sat, Feb 21, 2015 at 11:25 AM, Karl Karpfen <span dir="ltr"><<a href="mailto:karlkarpfen79@gmail.com" target="_blank">karlkarpfen79@gmail.com</a>></span> wrote:<br></div></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div><div class="h5"><div dir="ltr"><div class="gmail_extra">Hi,</div><div class="gmail_extra"><br></div><div class="gmail_extra">in opensips.cfg there is a section after the "disable_tls" option where some certificates and keys need to be configured which do not exist by default:</div><div class="gmail_extra"><br></div><div class="gmail_extra"><div class="gmail_extra">tls_certificate=/usr/local/etc/opensips/tls/user/user-cert.pem</div><div class="gmail_extra">tls_private_key=/usr/local/etc/opensips/tls/user/user-privkey.pem</div><div class="gmail_extra">tls_ca_list=/usr/local/etc/opensips/tls/user/user-calist.pem</div><div><br></div><div>My question: how can I create these data correctly in order to have TLS connection to server? And is there a possibility to use perfect forward secrecy?</div><div><br></div><div>Thanks!</div><div><br></div></div></div>
<br></div></div>_______________________________________________<br>
Users mailing list<br>
<a href="mailto:Users@lists.opensips.org" target="_blank">Users@lists.opensips.org</a><br>
<a href="http://lists.opensips.org/cgi-bin/mailman/listinfo/users" target="_blank">http://lists.opensips.org/cgi-bin/mailman/listinfo/users</a><br>
<br></blockquote></div><br></div></div>
<br>_______________________________________________<br>
Users mailing list<br>
<a href="mailto:Users@lists.opensips.org">Users@lists.opensips.org</a><br>
<a href="http://lists.opensips.org/cgi-bin/mailman/listinfo/users" target="_blank">http://lists.opensips.org/cgi-bin/mailman/listinfo/users</a><br>
<br></blockquote></div><br></div>