[sr-dev] Notes from TLS tests

Olle E. Johansson oej at edvina.net
Mon Jan 28 08:58:20 CET 2013


Hi!

Yesterday I tested the TLS module and noticed a few things:

- Kamailio compiled on OS X refuses to connect to a kamailio server running a CAcert class 3 certificate.
  So does Counterpath Bria and Blink. I need to figure out the difference between their class 1 and class 3 certs,
  unless someone here already knows.

- Even though verification is turned off (default), Kamailio refuses to use the self-signed cert created by the
  install unless you have the self-signed cert in the ca-list pem file. This is probably a bug.

- If you only want to use Kamailio as a TLS client, connecting to other servers, you have to add a listen
  port and a server certificate. Always. This is probably the design. To set up a connection, we base it
  on an existing listen port. If that doesn't exist, Kamailio refuses to connect.

- I can't find any way to check the server certificate for the server we connect to in the routing script.
  I guess the ONSEND route runs after we've selected server and transport, but before we're actually
  connected (in first transaction).
  The TLS module's selects claim we have no TLS transport, even though ONSEND claims we have TLS
  transport... The tls.peer selects seem to be designed for inbound connections, not outbound.


This is not yet a bug report, just notes for comments and for the archives :-)

/O
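As an added illustration (not part of the original post, and not the Kamailio project's shipped file), a tls.cfg for the outbound-only case described above: the listen socket and server certificate the module insists on, plus a client profile that lets the module itself verify the remote server's certificate against a CA list, since the routing script cannot. File paths and the self-signed file names are assumptions; the file is pointed to from kamailio.cfg with `modparam("tls", "config", ...)` alongside `enable_tls=yes` and a `listen=tls:...` line.

```ini
# Assumed location: /usr/local/etc/kamailio/tls.cfg (example, not the shipped file)

# Server side: the module requires a listen socket and a certificate even if
# this host only ever opens TLS connections. The self-signed pair generated
# at install time is used here (file names assumed). Per the observation
# above, that self-signed cert must also appear in ca_list to be accepted.
[server:default]
method = TLSv1
verify_certificate = no
require_certificate = no
private_key = /usr/local/etc/kamailio/kamailio-selfsigned.key
certificate = /usr/local/etc/kamailio/kamailio-selfsigned.pem
ca_list = /usr/local/etc/kamailio/tls/ca-list.pem

# Client side: applies to connections Kamailio initiates. Verification is
# off by default; enabling it makes the handshake fail when the remote
# server's certificate does not chain to a CA in ca_list, which is the
# check that cannot be done from the routing script for outbound calls.
[client:default]
method = TLSv1
verify_certificate = yes
require_certificate = yes
verify_depth = 9
ca_list = /usr/local/etc/kamailio/tls/ca-list.pem
```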
