Monday, December 21, 2009

Best of New in Kamailio 3.0.0 - #7: tls

The most important change compared to Kamailio (OpenSER) 1.5.x (or older) with regard to TLS is the new internal architecture: the core no longer depends on the SSL libraries.

Where older versions required recompiling everything with the TLS=1 Makefile flag to enable TLS, in Kamailio (OpenSER) 3.0.0 the TLS implementation is provided by a module named tls. That means:
  • no more two tarballs with the Kamailio sources
  • no more two sets of packages with the Kamailio binaries
  • no more recompiling everything every time you switch between no-TLS and TLS configs
  • compiling TLS support is as simple as compiling any other module: make modules modules=modules/tls
Yes, enabling TLS is now as simple as loading the module and configuring it via modparam:
...
loadmodule "tls.so"
...
modparam("tls", "certificate", "/etc/kamailio/certificate.pem")
...

Alongside support for the TLS server name extension, another feature worth mentioning is the option of a dedicated config file for the TLS parameters, with separate server and client profiles per socket:

...
modparam("tls", "config", "/etc/kamailio/tls.cfg")
...

Sample TLS config file:

[server:default]
method = TLSv1
verify_certificate = no
require_certificate = no
private_key = kamailio_key.pem
certificate = kamailio_cert.pem
ca_list = kamailio_ca.pem

[client:default]
verify_certificate = yes
require_certificate = yes

[server:10.0.0.10:5061]
method = SSLv23
verify_certificate = yes
require_certificate = no
private_key = privatenet_key.pem
certificate = privatenet_cert.pem
verify_depth = 3
ca_list = privatenet_ca.pem

[client:10.0.0.11:5061]
verify_certificate = no
certificate = peer_11_client.pem
private_key = peer_11_key.pem
ca_list = peer_11_ca.pem

Two things to keep in mind when adapting this sample: verify_certificate = no means the peer's certificate is accepted without being checked against ca_list (so the [client:10.0.0.11:5061] profile above gets encryption but no authentication of the remote server), and method = SSLv23 lets OpenSSL negotiate any protocol version it supports, SSLv3 included; pin TLSv1 unless an old peer really needs the fallback.

Check the full list of available parameters for the tls module at:
http://kamailio.org/docs/modules/3.0.x/modules/tls.html
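As an added example (not code from the Kamailio project or from this post), the Python script below parses a tls.cfg in the format shown above and flags profiles whose settings weaken the connection: a client profile with verify_certificate = no, a method that still permits SSL versions, and verify_certificate = yes without a ca_list in the file. The sample file embedded in it is constructed to match the post's sample; the fallback of missing keys to the role's default profile, the "no" fallback for unset verify/require keys and the '#' comment syntax are assumptions of the script, not documented module behaviour.

```python
"""Lint a Kamailio 3.0 tls.cfg for weak profile settings.

Added example for this post, not code from the Kamailio project: it parses the
[server:...] / [client:...] profile format and applies its own risk policy.
"""
import re
from collections import OrderedDict

# Constructed sample with the same layout as the post's sample tls.cfg.
SAMPLE_TLS_CFG = """\
[server:default]
method = TLSv1
verify_certificate = no
require_certificate = no
private_key = kamailio_key.pem
certificate = kamailio_cert.pem
ca_list = kamailio_ca.pem

[client:default]
verify_certificate = yes
require_certificate = yes

[server:10.0.0.10:5061]
method = SSLv23
verify_certificate = yes
require_certificate = no
private_key = privatenet_key.pem
certificate = privatenet_cert.pem
verify_depth = 3
ca_list = privatenet_ca.pem

[client:10.0.0.11:5061]
verify_certificate = no
certificate = peer_11_client.pem
private_key = peer_11_key.pem
ca_list = peer_11_ca.pem
"""

SECTION_RE = re.compile(r"^\[(server|client):([^\]]+)\]$")
# Severity this lint assigns to "method" values that still permit SSL.
WEAK_METHODS = {"SSLv2": "high", "SSLv3": "high", "SSLv23": "medium"}


def parse_tls_cfg(text):
    """Return OrderedDict {"role:address": {key: value}} in file order."""
    profiles = OrderedDict()
    current = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):   # '#' comments: an assumption
            continue
        m = SECTION_RE.match(line)
        if m:
            current = "%s:%s" % (m.group(1), m.group(2))
            profiles[current] = {}
            continue
        if current is None or "=" not in line:
            raise ValueError("line %d: cannot parse %r" % (lineno, raw))
        key, _, value = line.partition("=")
        profiles[current][key.strip()] = value.strip()
    return profiles


def effective(profiles, name):
    """One profile with gaps filled from its role's default profile.

    Assumption: keys missing from an address-specific profile fall back to
    [role:default]; keys missing there come from modparams this lint never sees.
    """
    merged = dict(profiles.get(name.split(":", 1)[0] + ":default", {}))
    merged.update(profiles[name])
    return merged


def lint_profiles(profiles):
    """Return [(profile, severity, message)] for every risky setting found."""
    findings = []
    for name in profiles:
        role, cfg = name.split(":", 1)[0], effective(profiles, name)
        method = cfg.get("method")
        if method in WEAK_METHODS:
            findings.append((name, WEAK_METHODS[method],
                             "method = %s allows SSL versions; pin TLSv1" % method))
        # "no" is the assumed fallback when neither profile sets the key.
        verify = cfg.get("verify_certificate", "no").lower()
        require = cfg.get("require_certificate", "no").lower()
        if role == "client" and verify != "yes":
            findings.append((name, "high",
                             "outgoing connections accept any server certificate"))
        if role == "server" and verify == "yes" and require != "yes":
            findings.append((name, "low",
                             "client certificates are checked if offered, not required"))
        if verify == "yes" and "ca_list" not in cfg:
            findings.append((name, "medium",
                             "verify_certificate = yes but no ca_list in this file"))
    return findings


if __name__ == "__main__":
    for profile, severity, message in lint_profiles(parse_tls_cfg(SAMPLE_TLS_CFG)):
        print("%-24s %-6s %s" % (profile, severity, message))
```

Run it as a script to print the findings for the embedded sample, or pass the contents of your own tls.cfg to parse_tls_cfg. The policy is deliberately narrow and file-local: it does not read the modparam values, so a ca_list set only via modparam shows up as a medium finding to confirm by hand, and the one high finding for the sample is the client profile that turns verification off.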

Moreover, the new architecture performs far better: it reuses much of the TCP work done in the core, so handling tens of thousands of TLS connections on a single SIP server is easier than ever.

Note that TLS has not yet been adapted to the asynchronous TCP mode, so when using TLS configure TCP in non-asynchronous mode (tcp_async=no in the core settings); asynchronous TLS is planned for the next major release.

Next in this series: onsend_route.
