[OpenSIPS-Users] TLS certificate reloading

Callum Guy callum.guy at x-on.co.uk
Wed Apr 14 10:44:17 EST 2021


Hi All,

I recently encountered an issue where our certificates were renewed,
following which I issued: *opensips-cli -x mi tls_reload*

The CLI action indicated success; however, on closer inspection of the
handshake we could see the previous certificate was continuing to be
presented. Previously I have had success with the reload operation. In this
situation only a full restart resolved the issue and loaded the
updated certificates.

We are storing certificates in the database and only use domain default
with a type 1 and type 2 record, both using the same certificate.

The following global params are set:

tcp_connection_lifetime=720
tcp_connect_timeout=200

We also use extremely long module timeout settings to deal with an
outrageously slow peer (slow on first connect):

modparam("tls_mgm", "tls_send_timeout", 2000)
modparam("tls_mgm", "tls_handshake_timeout", 2000)

Is tls_reload expected to work under all conditions or is there something
else we need to do (i.e. tear down existing connections)? All log messages
indicated success, and as we are using Let's Encrypt certs the subject/issuer
remained the same, so only a packet capture revealed the actual serial
number of the cert - as an aside it would be useful to have the SN reported
in the reload operation.

Thanks,

Callum
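
Editor's added example (not part of the original post and not OpenSIPS code): a post-reload check that opens a fresh TLS connection and compares the serial number of the certificate actually presented with the serial of the renewed certificate, which is the comparison the post needed a packet capture for. The host, port and PEM path arguments are assumptions, as is a listener that does not require a client certificate.

```python
import socket
import ssl
import sys

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the count of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def cert_serial(der):
    """serialNumber of a DER-encoded X.509 certificate, as an int."""
    _, pos, _ = read_tlv(der, 0)        # Certificate SEQUENCE
    _, pos, _ = read_tlv(der, pos)      # tbsCertificate SEQUENCE
    tag, start, end = read_tlv(der, pos)
    if tag == 0xA0:                     # optional explicit [0] version field
        tag, start, end = read_tlv(der, end)
    if tag != 0x02:
        raise ValueError("serialNumber INTEGER not found")
    return int.from_bytes(der[start:end], "big")

def pem_serial(pem_text):
    """Serial of the renewed certificate (single leaf PEM, not a chain file)."""
    return cert_serial(ssl.PEM_cert_to_DER_cert(pem_text))

def served_serial(host, port, timeout=5.0):
    """Serial of the certificate the listener presents on a new connection."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # inspection only: the leaf is read,
    ctx.verify_mode = ssl.CERT_NONE     # not trusted, so validation is off
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return cert_serial(tls.getpeercert(binary_form=True))

if __name__ == "__main__":
    # Assumed usage: check_reload.py <host> <port> <renewed-cert.pem>
    host, port, pem_path = sys.argv[1], int(sys.argv[2]), sys.argv[3]
    with open(pem_path) as fh:
        want, got = pem_serial(fh.read()), served_serial(host, port)
    print(f"expected {want:X} served {got:X}")
    sys.exit(0 if want == got else 1)
```

The non-zero exit status on a mismatch lets the check run as the last step of a renewal hook, so a reload that reports success but keeps serving the old certificate is caught immediately.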
