Module: sip-router Branch: master Commit: 30266d27e3abbea9ceb5ea59bcccc69fe9a0b9bb URL: http://git.sip-router.org/cgi-bin/gitweb.cgi/sip-router/?a=commit;h=30266d27...
Author: Daniel-Constantin Mierla miconda@gmail.com Committer: Daniel-Constantin Mierla miconda@gmail.com Date: Mon Mar 12 12:26:39 2012 +0100
tls: updated readme with missing parameters
---
modules/tls/README | 55 +++++++++++++++++++++++++++++++++++++----- modules/tls/doc/params.xml | 57 ++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 105 insertions(+), 7 deletions(-)
diff --git a/modules/tls/README b/modules/tls/README index 0fa3f37..e693a67 100644 --- a/modules/tls/README +++ b/modules/tls/README @@ -4,7 +4,7 @@ Andrei Pelinescu-Onciul
iptelorg GmbH
- Copyright © 2007 iptelorg GmbH + Copyright � 2007 iptelorg GmbH __________________________________________________________________
1.1. Overview @@ -43,7 +43,10 @@ Andrei Pelinescu-Onciul 1.9.24. low_mem_threshold1 (integer) 1.9.25. low_mem_threshold2 (integer) 1.9.26. tls_force_run (boolean) - 1.9.27. config (string) + 1.9.27. session_cache (boolean) + 1.9.28. session_id (str) + 1.9.29. renegotiation (boolean) + 1.9.30. config (string)
1.10. Functions
@@ -883,7 +886,45 @@ modparam("tls", "low_mem_threshold2", -1) modparam("tls", "tls_force_run", 11) ...
-1.9.27. config (string) +1.9.27. session_cache (boolean) + + If enabled SIP server will do caching of the TLS sessions data, + generation a session_id and sending it back to client. + + By default TLS session caching is disabled (0). + + Example 36. Set session_cache parameter +... +modparam("tls", "session_cache", 1) +... + +1.9.28. session_id (str) + + The value for session ID context, making sense when session caching is + enabled. + + By default TLS session_id is "sip-router-tls-3.1". + + Example 37. Set session_id parameter +... +modparam("tls", "session_id", "my-session-id-context") +... + +1.9.29. renegotiation (boolean) + + If enabled SIP server will allow renegotiations of TLS connection + initiated by the client. This may expose to a security risk if the + client is not a trusted peer and keeps renegotiating, consuming CPU and + bandwidth resources. + + By default TLS renegotiation is disabled (0). + + Example 38. Set renegotiation parameter +... +modparam("tls", "renegotiation", 1) +... + +1.9.30. config (string)
Sets the name of the TLS specific config file.
@@ -922,7 +963,7 @@ modparam("tls", "tls_force_run", 11) client when it initiates a new connection by itself (it connects to something).
- Example 36. Short config file + Example 39. Short config file [server:default] method = TLSv1 verify_certificate = yes @@ -949,7 +990,7 @@ ca_list = local_ca.pem For a more complete example check the tls.cfg distributed with the SIP-router source (sip_router/modules/tls/tls.cfg).
- Example 37. Set config parameter + Example 40. Set config parameter ... modparam("tls", "config", "/usr/local/etc/ser/tls.cfg") ... @@ -957,7 +998,7 @@ modparam("tls", "config", "/usr/local/etc/ser/tls.cfg") It can be changed also at runtime. The new config will not be loaded immediately, but after the first tls.reload RPC call.
- Example 38. Change and reload tls config at runtime + Example 41. Change and reload tls config at runtime $ sercmd cfg.set_now_string tls config "/usr/local/etc/ser/new_tls.cfg" $ sercmd tls.reload
@@ -969,7 +1010,7 @@ modparam("tls", "config", "/usr/local/etc/ser/tls.cfg") , the peer presented an X509 certificate and the certificate chain verified ok. It can be used only in a request route.
- Example 39. is_peer_verified usage + Example 42. is_peer_verified usage if (proto==TLS && !is_peer_verified()){ sl_send_reply("400", "No certificate or verification failed"); drop; diff --git a/modules/tls/doc/params.xml b/modules/tls/doc/params.xml index 63d7eeb..8297172 100644 --- a/modules/tls/doc/params.xml +++ b/modules/tls/doc/params.xml @@ -855,6 +855,63 @@ modparam("tls", "tls_force_run", 11) </example> </section>
+ <section id="session_cache"> + <title><varname>session_cache</varname> (boolean)</title> + <para> + If enabled SIP server will do caching of the TLS sessions data, generation a session_id and sending + it back to client. + </para> + <para> + By default TLS session caching is disabled (0). + </para> + <example> + <title>Set <varname>session_cache</varname> parameter</title> + <programlisting> +... +modparam("tls", "session_cache", 1) +... + </programlisting> + </example> + </section> + + <section id="session_id"> + <title><varname>session_id</varname> (str)</title> + <para> + The value for session ID context, making sense when session caching is enabled. + </para> + <para> + By default TLS session_id is "sip-router-tls-3.1". + </para> + <example> + <title>Set <varname>session_id</varname> parameter</title> + <programlisting> +... +modparam("tls", "session_id", "my-session-id-context") +... + </programlisting> + </example> + </section> + + <section id="renegotiation"> + <title><varname>renegotiation</varname> (boolean)</title> + <para> + If enabled SIP server will allow renegotiations of TLS connection initiated by the client. This may + expose to a security risk if the client is not a trusted peer and keeps renegotiating, consuming CPU + and bandwidth resources. + </para> + <para> + By default TLS renegotiation is disabled (0). + </para> + <example> + <title>Set <varname>renegotiation</varname> parameter</title> + <programlisting> +... +modparam("tls", "renegotiation", 1) +... + </programlisting> + </example> + </section> + <section id="config"> <title><varname>config</varname> (string)</title> <para>
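Review bot: the first README hunk (`@@ -4,7 +4,7 @@`) is an encoding regression rather than a documentation change: `- Copyright © 2007 iptelorg GmbH` becomes `+ Copyright � 2007 iptelorg GmbH`, i.e. the © was rewritten as the U+FFFD replacement character when the README was regenerated. Regenerate the README under a UTF-8 locale, or drop this hunk from the commit, so the copyright line keeps the original character.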
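Review bot: the new parameter text in the README hunk (`@@ -883,7 +886,45 @@`) has grammar slips that should be fixed before it ships: "If enabled SIP server will do caching of the TLS sessions data, generation a session_id and sending it back to client." reads better as "If enabled, the SIP server caches TLS session data, generates a session_id and sends it back to the client.", and under renegotiation "This may expose to a security risk if the client is not a trusted peer" is missing its object ("This may expose the server to a security risk ..."). The same wording appears in the params.xml hunk, and the README copy matches it line for line, so the fix belongs in params.xml with the README regenerated from it rather than edited by hand. The renegotiation section also leaves unstated what an operator observes when the parameter is at its default of 0 and a client nevertheless tries to renegotiate (whether the connection is closed or the attempt is simply refused); one sentence on that behaviour would help troubleshooting.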
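Review bot: in the params.xml hunk (`@@ -855,6 +855,63 @@`) the type label of the new `session_id` section is inconsistent with the rest of the file: `<title><varname>session_id</varname> (str)</title>` uses "(str)" while the existing `config` section directly below uses "(string)". Use "(string)" here too (and in the README table of contents, which now lists "1.9.28. session_id (str)"). Also consider phrasing "The value for session ID context, making sense when session caching is enabled." as "The value used as the TLS session ID context; it is only meaningful when session caching is enabled.", since the parameter is a no-op unless `session_cache` is set to 1.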