[sr-dev] CAcert.org root certs in trunk
Olle E. Johansson
oej at edvina.net
Thu Feb 6 10:32:58 CET 2014
On 06 Feb 2014, at 10:28, Daniel-Constantin Mierla <miconda at gmail.com> wrote:
> I think that importing the certificate in the repository will add some overhead, as we have to periodically check if it was revoked or updated.
Root certificates typically have a long timespan to be able to be imported.
> Maybe we can add a make target or a script to download and install it on demand.
I wanted it to be included to make sure that there's no excuse. We can of course download
during install so it's in there. Maybe that's a good idea.
> Regarding the config options, perhaps it is better to add a kamailio-secure.cfg for the time being, where to build a config file targeting secure deployments. I guess we have to do more changes than just a few parameters for the tls module (or tls config). Over time, we can push parts (or all) in kamailio.cfg.
> On 06/02/14 08:25, Olle E. Johansson wrote:
>> On 05 Feb 2014, at 18:53, Klaus Darilion <klaus.mailinglists at pernau.at> wrote:
>>> On 05.02.2014 13:37, Olle E. Johansson wrote:
>>>> I would like to add cacert.org root certificates to the Kamailio distribution, so that every Kamailio server gets these as approved certificates by default with the default TLS settings.
>>>> Anyone having problems with doing that?
>>> I do not trust cacert any more than all the commercial CAs. Thus I do not want to trust the cacert automatically.
>>> What would be fine is something like this in kamailio.cfg:
>>> # remove the comments from the following lines to accept
>>> # certificates signed by cacert.org:
>>> #modparam("tls", "ca_list", "......cacert.org.pem")
>> I can live with that.
>> sr-dev mailing list
>> sr-dev at lists.sip-router.org
> Daniel-Constantin Mierla - http://www.asipto.com
> http://twitter.com/#!/miconda - http://www.linkedin.com/in/miconda
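The "make target or a script to download and install it on demand" idea from the thread, sketched as an added example (not part of the original message and not Kamailio code): a downloaded root is installed only if it matches a fingerprint pinned out of band and has not expired. The function names, the destination path and the pinned value are hypothetical placeholders; the `openssl` command-line tool is assumed to be available.

```sh
#!/bin/sh
# Added example (not Kamailio code): install a downloaded CA root only if it
# matches a fingerprint pinned out of band and is still within its validity.

# Print the SHA-256 fingerprint of a PEM certificate as colon-separated hex.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# install_ca_if_pinned SRC DEST EXPECTED_FP
# Returns 0 and copies SRC to DEST only when every check passes.
install_ca_if_pinned() {
    src=$1 dest=$2 expected=$3

    # Anything that does not parse as X.509 yields an empty fingerprint.
    actual=$(cert_fingerprint "$src" 2>/dev/null)
    [ -n "$actual" ] || { echo "not a certificate: $src" >&2; return 1; }

    # Compare case-insensitively against the pinned value.
    a=$(printf %s "$actual" | tr 'a-f' 'A-F')
    e=$(printf %s "$expected" | tr 'a-f' 'A-F')
    if [ "$a" != "$e" ]; then
        echo "fingerprint mismatch: got $actual" >&2
        return 2
    fi

    # -checkend 0 fails if the certificate has already expired.
    openssl x509 -in "$src" -noout -checkend 0 >/dev/null || {
        echo "certificate expired: $src" >&2; return 3; }

    # Install via rename so the TLS module never reads a partial file.
    tmp="$dest.tmp.$$"
    cp "$src" "$tmp" && chmod 644 "$tmp" && mv "$tmp" "$dest"
}

# Hypothetical use from a make target, after fetching the PEM to ./ca.pem:
#   sh install-ca.sh ca.pem /path/to/ca_list.pem "<PINNED-SHA256-FINGERPRINT>"
if [ "$#" -eq 3 ]; then
    install_ca_if_pinned "$1" "$2" "$3"
fi
```

The installed file is what the commented-out `ca_list` modparam quoted above would then point at; re-running the script periodically also catches an expired root.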