Module: sip-router Branch: master Commit: b690ab5236cbe209dd1d80ddcc15bc4c9053c42f URL: http://git.sip-router.org/cgi-bin/gitweb.cgi/sip-router/?a=commit;h=b690ab52...
Author: Andrei Pelinescu-Onciul andrei@iptel.org Committer: Andrei Pelinescu-Onciul andrei@iptel.org Date: Tue Sep 7 18:06:53 2010 +0200
tls: doc - notes about filename path
- notes about how filename paths are resolved as a function of the first character. - regenerated README.
---
modules/tls/README | 30 +++++++++++++++++++ modules/tls/doc/params.xml | 69 ++++++++++++++++++++++++++++++++++++++----- 2 files changed, 91 insertions(+), 8 deletions(-)
diff --git a/modules/tls/README b/modules/tls/README index ed9004d..ac64fdc 100644 --- a/modules/tls/README +++ b/modules/tls/README @@ -321,6 +321,12 @@ modparam("tls", "tls_method", "TLSv1") Sets the certificate file name. The certificate file can also contain the private key in PEM format.
+ If the file name starts with a '.' the path will be relative to the + working directory (at runtime). If it starts with a '/' it will be an + absolute path and if it starts with anything else the path will be + relative to the main config file directory (e.g.: for ser -f + /etc/ser/ser.cfg it will be relative to /etc/ser/). + Warning: try not to use certificate with keys longer then 1024 bytes. Longer keys will severely impact performance, in particular the TLS connection rate. @@ -336,6 +342,12 @@ modparam("tls", "certificate", "/usr/local/etc/ser/my_certificate.pem")
Sets the private key file name.
+ If the file name starts with a '.' the path will be relative to the + working directory (at runtime). If it starts with a '/' it will be an + absolute path and if it starts with anything else the path will be + relative to the main config file directory (e.g.: for ser -f + /etc/ser/ser.cfg it will be relative to /etc/ser/). + Note: the private key can be contained in the same file as the certificate (just append it to the certificate file, e.g.: cat pkey.pem >> cert.pem) @@ -354,6 +366,12 @@ modparam("tls", "private", "/usr/local/etc/ser/my_pkey.pem") to one of the listed CAs, the authentication will succeed. See also verify_certificate, verify_depth and require_certificate.
+ If the file name starts with a '.' the path will be relative to the + working directory (at runtime). If it starts with a '/' it will be an + absolute path and if it starts with anything else the path will be + relative to the main config file directory (e.g.: for ser -f + /etc/ser/ser.cfg it will be relative to /etc/ser/). + By default the CA file is not set.
An easy way to create the CA list is to append each trusted trusted CA @@ -782,6 +800,12 @@ modparam("tls", "tls_force_run", 11) client) and domain basis (for now only IPs). The corresponding module parameters will be ignored.
+ If the file name starts with a '.' the path will be relative to the + working directory (at runtime). If it starts with a '/' it will be an + absolute path and if it starts with anything else the path will be + relative to the main config file directory (e.g.: for ser -f + /etc/ser/ser.cfg it will be relative to /etc/ser/). + By default no config file is specified.
The following parameters can be set in the config file, for each @@ -795,6 +819,12 @@ modparam("tls", "tls_force_run", 11) * ca_list * cipher_list
+ All the parameters that take filenames as values will be resolved using + the same rules as for the tls config filename itself: starting with a + '.' means relative to the working directory, a '/' means an absolute + path and anything else a path relative to the directory of the current + ser main config file. + SIP-router acts as a server when it accepts a connection and as a client when it initiates a new connection by itself (it connects to something). diff --git a/modules/tls/doc/params.xml b/modules/tls/doc/params.xml index 7416d52..90e5020 100644 --- a/modules/tls/doc/params.xml +++ b/modules/tls/doc/params.xml @@ -62,10 +62,20 @@ modparam("tls", "tls_method", "TLSv1") <section id="certificate"> <title><varname>certificate</varname> (string)</title> <para> - Sets the certificate file name. The certificate file can also contain the private key in PEM format. + Sets the certificate file name. The certificate file can also contain + the private key in PEM format. </para> <para> - <emphasis>Warning:</emphasis> try not to use certificate with keys longer then 1024 bytes. Longer keys will severely impact performance, in particular the TLS connection rate. + If the file name starts with a '.' the path will be relative to the + working directory (<emphasis>at runtime</emphasis>). If it starts + with a '/' it will be an absolute path and if it starts with anything + else the path will be relative to the main config file directory + (e.g.: for ser -f /etc/ser/ser.cfg it will be relative to /etc/ser/). + </para> + <para> + <emphasis>Warning:</emphasis> try not to use certificate with keys + longer then 1024 bytes. Longer keys will severely impact performance, + in particular the TLS connection rate. </para> <para> The default value is [SER_CFG_DIR]/cert.pem. 
@@ -86,7 +96,16 @@ modparam("tls", "certificate", "/usr/local/etc/ser/my_certificate.pem") Sets the private key file name. </para> <para> - Note: the private key can be contained in the same file as the certificate (just append it to the certificate file, e.g.: cat pkey.pem >> cert.pem) + If the file name starts with a '.' the path will be relative to the + working directory (<emphasis>at runtime</emphasis>). If it starts + with a '/' it will be an absolute path and if it starts with anything + else the path will be relative to the main config file directory + (e.g.: for ser -f /etc/ser/ser.cfg it will be relative to /etc/ser/). + </para> + <para> + Note: the private key can be contained in the same file as the + certificate (just append it to the certificate file, e.g.: + cat pkey.pem >> cert.pem) </para> <para> The default value is [SER_CFG_DIR]/cert.pem. 
@@ -104,13 +123,27 @@ modparam("tls", "private", "/usr/local/etc/ser/my_pkey.pem") <section id="ca_list"> <title><varname>ca_list</varname> (string)</title> <para> - Sets the CA list file name. This file contains a list of all the trusted CAs certificates. If a signature in a certificate chain belongs to one of the listed CAs, the authentication will succeed. See also <emphasis>verify_certificate</emphasis>, <emphasis>verify_depth</emphasis> and <emphasis>require_certificate</emphasis>. + Sets the CA list file name. This file contains a list of all the + trusted CAs certificates. If a signature in a certificate chain belongs + to one of the listed CAs, the authentication will succeed. See also + <emphasis>verify_certificate</emphasis>, + <emphasis>verify_depth</emphasis> and + <emphasis>require_certificate</emphasis>. + </para> + <para> + If the file name starts with a '.' the path will be relative to the + working directory (<emphasis>at runtime</emphasis>). If it starts + with a '/' it will be an absolute path and if it starts with anything + else the path will be relative to the main config file directory + (e.g.: for ser -f /etc/ser/ser.cfg it will be relative to /etc/ser/). </para> <para> By default the CA file is not set. </para> <para> - An easy way to create the CA list is to append each trusted trusted CA certificate in the PEM format to one file, e.g.: for f in trusted_cas/*.pem ; do cat "$f" >> ca_list.pem ; done . + An easy way to create the CA list is to append each trusted trusted CA + certificate in the PEM format to one file, e.g.: for f in + trusted_cas/*.pem ; do cat "$f" >> ca_list.pem ; done . </para> <example> <title>Set <varname>ca_list</varname> parameter</title> 
@@ -760,13 +793,24 @@ modparam("tls", "tls_force_run", 11) Sets the name of the TLS specific config file. </para> <para> - If set the TLS module will load a special config file, in which different TLS parameters can be specified on a per role (server or client) and domain basis (for now only IPs). The corresponding module parameters will be ignored. + If set the TLS module will load a special config file, in which + different TLS parameters can be specified on a per role (server or + client) and domain basis (for now only IPs). The corresponding module + parameters will be ignored. + </para> + <para> + If the file name starts with a '.' the path will be relative to the + working directory (<emphasis>at runtime</emphasis>). If it starts + with a '/' it will be an absolute path and if it starts with anything + else the path will be relative to the main config file directory + (e.g.: for ser -f /etc/ser/ser.cfg it will be relative to /etc/ser/). </para> <para> By default no config file is specified. </para> <para> - The following parameters can be set in the config file, for each domain: + The following parameters can be set in the config file, for each + domain: </para> <itemizedlist> <listitem><para>tls_method</para></listitem> 
@@ -779,7 +823,16 @@ modparam("tls", "tls_force_run", 11) <listitem><para>cipher_list</para></listitem> </itemizedlist> <para> - SIP-router acts as a server when it accepts a connection and as a client when it initiates a new connection by itself (it connects to something). + All the parameters that take filenames as values will be resolved + using the same rules as for the tls config filename itself: starting + with a '.' means relative to the working directory, a '/' means an + absolute path and anything else a path relative to the directory of + the current ser main config file. + </para> + <para> + SIP-router acts as a server when it accepts a connection and as a + client when it initiates a new connection by itself (it connects to + something). </para> <example> <title>Short config file</title>
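Review bot: the rewrapped warning in the certificate hunks (README @@ -321 and params.xml @@ -62) still reads "longer then 1024 bytes"; key sizes are expressed in bits, so it should be "longer than 1024 bits", and since 1024-bit RSA is at the end of its recommended lifetime the sentence should not steer administrators away from 2048-bit keys. Suggest wording it as a cost statement ("longer keys cost measurably more per handshake; measure before choosing a size larger than 2048 bits") rather than a recommendation to stay at 1024.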
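Review bot: "append each trusted trusted CA certificate" carries a duplicated word through both ca_list hunks (README @@ -354 and params.xml @@ -104); since those lines are being rewrapped anyway, drop the second "trusted".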
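Review bot: the resolution rule added in all five paragraphs makes "cert.pem" and "./cert.pem" resolve to different directories, and a name such as ".hidden.pem" also falls under the working-directory rule as written; if the intent is only "./" and "../" prefixes, say so, and add a reminder that the runtime working directory of a daemon is frequently "/" or whatever the init script left, so a "." prefix can silently load a file from an unexpected location. The same paragraph is now pasted into five places in params.xml; a single "file name resolution" paragraph referenced from each parameter would keep the copies from drifting.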
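Review bot: the paragraph added to the tls config hunk (params.xml @@ -779) says filenames inside the per-domain config resolve relative to the main ser config directory, not relative to the TLS config file itself; state that negative explicitly ("not relative to the tls config file"), because a per-domain config kept in its own directory is exactly where a reader would expect relative paths to anchor.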