[sr-dev] [kamailio/kamailio] Docs: TLS module known limitation needs clarifications (Issue #3717)

<!-- Kamailio Project uses GitHub Issues only for bugs in the code or feature requests. Please use this template only for feature requests. If you have questions about using Kamailio or related to its configuration file, ask on sr-users mailing list: * https://lists.kamailio.org/mailman3/postorius/lists/sr-users.lists.kamailio… If you have questions about developing extensions to Kamailio or its existing C code, ask on sr-dev mailing list: * https://lists.kamailio.org/mailman3/postorius/lists/sr-dev.lists.kamailio.o… Please try to fill this template as much as possible for any issue. It helps the developers to troubleshoot the issue. If you submit a feature request (or enhancement) add the description of what you would like to be added. If there is no content to be filled in a section, the entire section can be removed. Note that a feature request may be closed automatically after about 2 months if there is no interest from developers or community users to implement it, being considered expired. In such case can be reopened by writing a comment that includes the token `/notexpired`. About two weeks before considered expired, the item is marked with the label `stale`, trying to notify the submitter and everyone else that might be interested in it. To remove the label `stale`, write a comment that includes the token `/notstale`. Also, any comment postpone the `expire` timeline, being considered that there is interest in the proposed feature request. You can delete the comments from the template sections when filling. You can delete next line and everything above before submitting (it is a comment). --> ### Description We recently deployed successfully Kamailio with TLS certificates. Now we would like to use let's encrypt certificate which expire after 3 months. Means we need to renew certificate approximatively every 2 months. But while reading docs, in [known limitations](https://kamailio.org/docs/modules/devel/modules/tls.html#tls.k… it says : We struggle to understand if this behaviour is risky and not recommended under heavy traffic for certificate renewal. The doc has been added initially by @poandrei 18 years ago in Feb 21 2007 (see [commit](https://github.com/kamailio/kamailio/commit/32e4977cdb9c1c9ca24c140…) While digging we came across few discussions Kamailio user groups which are saying "the opposite" (kind of): - [Comments by a co-founder of Kamailio ](https://www.mail-archive.com/sr-users@lists.kamailio.org/msg16014.html)stating that the old connections shouldn’t be affected by reload. - Comments by a Kamailio core developer stating that certificate reload is fine with the “reload” cmd ([link1](https://lists.kamailio.org/pipermail/sr-users/2022-February/114296.h…, [link2](https://github.com/kamailio/kamailio/issues/3305)) Plus in another section in docs: - [By definition :](https://kamailio.org/docs/modules/devel/modules/tls.html#tls.r.tls.reload) (the) existing active TLS connections are not terminated and they continue to use the old certificates. The new configuration will be used for new connections. So 18 years after, Is it safe to use `tls.reload` command in production and in heavy traffic for **TLS certificate renewal** ? Because it sounds scary and confusing. So the documentation as it is, really needs clarifications to let users know which risk they're taking when running the `tls.reload` command. <!-- Explain what you did, what you expected to happen, and what actually happened. --> ### Expected behavior The document should clearly documents risks, at least for certificate renewal. #### Actual observed behavior Docs and Kamailio user/dev groups are confusing. -- Reply to this email directly or view it on GitHub: https://github.com/kamailio/kamailio/issues/3717 You are receiving this because you are subscribed to this thread. Message ID: &lt;kamailio/kamailio/issues/3717(a)github.com&gt;