On 09/01/16 01:12, Juha Heinanen wrote:
Juha Heinanen writes:
I just tried by replacing the ca_list file of my proxy (that contained the ca certs of my peers) with a single bogus ca cert. Then I executed tls.cfg and made a call from one of the peers to my proxy. My proxy still recognized the call as coming from the peer based on its tls common name. My understanding is that this should not have been possible if the cached ca_list of my proxy had been updated.

It turned out that the old tls connection from the peer to my proxy was still alive. After terminating the connection, a new connection setup was correctly refused.

So it looks like certs can be reloaded on the fly. I'll try later with client and server certs.
OK, added some notes in the docs about it.
Cheers,
Daniel
--
Daniel-Constantin Mierla
http://twitter.com/#!/miconda -
http://www.linkedin.com/in/miconda
Book: SIP Routing With Kamailio -
http://www.asipto.com
http://miconda.eu