[OpenSIPS-Users] How to create certificates for TLS?

Karl Karpfen karlkarpfen79 at gmail.com
Tue Feb 24 18:06:38 CET 2015


Works - thanks!

2015-02-23 21:54 GMT+01:00 Podrigal, Aron <aronp at guaranteedplus.com>:

> create the certificates and set the params to match that.
>
> eg.
> tls_certificate = "/usr/local/etc/opensips/tls/rootCA/cacert.pem"
> tls_private_key = "/usr/local/etc/opensips/tls/rootCA/private/cakey.pem"
> tls_ca_list = "/usr/local/etc/opensips/tls/rootCA/cacert.pem"
>
>
> On Mon, Feb 23, 2015 at 11:45 AM, Karl Karpfen <karlkarpfen79 at gmail.com>
> wrote:
>
>> Hm, I'm not sure if I understand this. When I set "disable_tls=no" in
>> configuration file, OpenSIPS complains about a missing file
>>
>> ERROR:core:load_private_key: unable to load private key file
>> '/usr/local//etc/opensips/tls/cert.pem
>>
>> But "opensipsctl rootCA" does not create this file and "opensipsctl
>> userCERT" requires a username that also does not correspond to this file.
>>
>> 2015-02-22 13:00 GMT+01:00 Podrigal, Aron <aronp at guaranteedplus.com>:
>>
>>> #1 You should compile opensips with TLS=1.
>>>
>>> You can create those certificates with openssl. Use a cipher with
>>> Diffie-Hellman key exchange and configure the corresponding
>>> "tls_dh_params" setting in the opensips config in order to use PFS.
>>> opensips provides some easy commands to create certificates with
>>> "opensipsctl tls <option>", where option is either rootCA | userCERT. It uses
>>> <install-dir>/etc/tls/ca.conf, <user>.conf and request.conf for
>>> the different types of certificates.
>>>
>>> Here are the settings related to tls, excerpted from the source code
>>>
>>> disable_tls
>>> tlslog | tls_log
>>> tls_port_no
>>> tls_method
>>> tls_verify_client
>>> tls_verify_server
>>> tls_require_client_certificate
>>> tls_certificate
>>> tls_private_key
>>> tls_ca_list
>>> tls_ca_dir
>>> tls_dh_params
>>> tls_ec_curve
>>> tls_ciphers_list
>>> tls_handshake_timeout
>>> tls_send_timeout
>>> tls_server_domain
>>> tls_client_domain
>>> tls_client_domain_avp
>>>
>>>
>>> On Sat, Feb 21, 2015 at 11:25 AM, Karl Karpfen <karlkarpfen79 at gmail.com>
>>> wrote:
>>>
>>>> Hi,
>>>>
>>>> in opensips.cfg there is a section after the "disable_tls" option where
>>>> some certificates and keys need to be configured which do not exist by
>>>> default:
>>>>
>>>> tls_certificate=/usr/local/etc/opensips/tls/user/user-cert.pem
>>>> tls_private_key=/usr/local/etc/opensips/tls/user/user-privkey.pem
>>>> tls_ca_list=/usr/local/etc/opensips/tls/user/user-calist.pem
>>>>
>>>> My question: how can I create this data correctly in order to have a TLS
>>>> connection to the server? And is there a possibility to use perfect forward
>>>> secrecy?
>>>>
>>>> Thanks!
>>>>
>>>>
>>>> _______________________________________________
>>>> Users mailing list
>>>> Users at lists.opensips.org
>>>> http://lists.opensips.org/cgi-bin/mailman/listinfo/users
>>>>
>>>>
>>>
>>
>