In older versions, enabling TLS meant recompiling everything with the TLS=1 Makefile flag; in Kamailio (OpenSER) 3.0.0 the TLS implementation is provided by a module, named tls. The consequences:
- no more two tarballs with sources of Kamailio
- no more two sets of packages with Kamailio binaries
- no more need to recompile everything when switching between no-TLS and TLS configs
- compilation of TLS support as simple as compilation of any other module: make modules modules=modules/tls
...
loadmodule "tls.so"
...
modparam("tls", "certificate", "/etc/kamailio/certificate.pem")
...
Support for the server name extension (SNI) comes as well; another feature worth mentioning is the option of a dedicated config file for TLS parameters, set via the module's config parameter.
...
modparam("tls", "config", "/etc/kamailio/tls.cfg")
...
Sample TLS config file:
[server:default]
method = TLSv1
verify_certificate = no
require_certificate = no
private_key = kamailio_key.pem
certificate = kamailio_cert.pem
ca_list = kamailio_ca.pem
[client:default]
verify_certificate = yes
require_certificate = yes
[server:10.0.0.10:5061]
method = SSLv23
verify_certificate = yes
require_certificate = no
private_key = privatenet_key.pem
certificate = privatenet_cert.pem
verify_depth = 3
ca_list = privatenet_ca.pem
[client:10.0.0.11:5061]
verify_certificate = no
certificate = peer_11_client.pem
private_key = peer_11_key.pem
ca_list = peer_11_ca.pem
Check the full list of available parameters for the TLS module at:
http://kamailio.org/docs/modules/3.0.x/modules/tls.html
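The sample above mixes TLS domains with quite different security postures (a server profile that does not verify peer certificates, a per-address server profile negotiating with the SSLv23 method, a client profile that inherits settings from [client:default]). Before deploying such a file it is worth having a small audit script that parses the tls.cfg sections and lists the weak or inconsistent settings per domain. The following Python is an added example, not code from the post or from the Kamailio project. It assumes that the `[role:address]` section syntax shown above is the whole grammar, and it models a per-address domain as inheriting every parameter it leaves unset from the `[role:default]` domain of the same role; that inheritance rule is an assumption about the module's behaviour, not something the post states.

```python
import configparser
from typing import Dict, List, Tuple

# The sample tls.cfg from the post, embedded here as the input to audit.
SAMPLE_TLS_CFG = """\
[server:default]
method = TLSv1
verify_certificate = no
require_certificate = no
private_key = kamailio_key.pem
certificate = kamailio_cert.pem
ca_list = kamailio_ca.pem

[client:default]
verify_certificate = yes
require_certificate = yes

[server:10.0.0.10:5061]
method = SSLv23
verify_certificate = yes
require_certificate = no
private_key = privatenet_key.pem
certificate = privatenet_cert.pem
verify_depth = 3
ca_list = privatenet_ca.pem

[client:10.0.0.11:5061]
verify_certificate = no
certificate = peer_11_client.pem
private_key = peer_11_key.pem
ca_list = peer_11_ca.pem
"""

# method values that let the peer negotiate protocols older than TLSv1
LEGACY_METHODS = {"SSLv2", "SSLv3", "SSLv23"}

Domains = Dict[Tuple[str, str], Dict[str, str]]


def parse_tls_cfg(text: str) -> Domains:
    """Parse a tls.cfg into {(role, address): {param: value}}.

    Section names look like 'server:default', 'client:default' or
    'role:ip:port'; the address is everything after the first colon.
    """
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep parameter names exactly as written
    cp.read_string(text)
    domains: Domains = {}
    for section in cp.sections():
        role, _, address = section.partition(":")
        if role not in ("server", "client") or not address:
            raise ValueError(f"unexpected section name: [{section}]")
        domains[(role, address)] = dict(cp[section])
    return domains


def effective_settings(domains: Domains, role: str, address: str) -> Dict[str, str]:
    """Settings of one domain, with unset values taken from [role:default].

    Assumption (not from the post): parameters a specific domain leaves
    unset are filled from the default domain of the same role.
    """
    merged = dict(domains.get((role, "default"), {}))
    merged.update(domains.get((role, address), {}))
    return merged


def audit_tls_cfg(text: str) -> List[str]:
    """Return one finding per weak or inconsistent setting, per domain."""
    domains = parse_tls_cfg(text)
    findings: List[str] = []
    for role, address in sorted(domains):
        s = effective_settings(domains, role, address)
        name = f"[{role}:{address}]"
        method = s.get("method", "")
        if method in LEGACY_METHODS:
            findings.append(f"{name}: method={method} allows protocol versions older than TLSv1")
        if s.get("verify_certificate", "no") == "no":
            findings.append(f"{name}: verify_certificate=no, the peer certificate is not validated")
        if s.get("verify_certificate") == "yes" and not s.get("ca_list"):
            findings.append(f"{name}: verify_certificate=yes but no ca_list to verify against")
        if s.get("require_certificate") == "yes" and s.get("verify_certificate") == "no":
            findings.append(f"{name}: a certificate is required but not verified")
    return findings


if __name__ == "__main__":
    for finding in audit_tls_cfg(SAMPLE_TLS_CFG):
        print(finding)
```

Run against the sample, the script flags [server:default] and [client:10.0.0.11:5061] for not verifying peer certificates, [server:10.0.0.10:5061] for the SSLv23 method, and [client:default] for verifying against an empty trust list; the client domain for 10.0.0.11 additionally inherits require_certificate=yes from [client:default] while turning verification off. Replace SAMPLE_TLS_CFG with the contents of your own tls.cfg to audit a real deployment.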
Moreover, the new architecture offers far better performance: since it reuses many of the TCP layer enhancements, getting to tens of thousands of TLS connections on a single SIP server is easier than ever.
Note that TLS was not updated to work in asynchronous mode, therefore when using TLS configure TCP in non-asynchronous mode (the feature is planned for the next major release).
Next in this series: onsend_route.