[sr-dev] CAcert.org root certs in trunk

Olle E. Johansson oej at edvina.net
Thu Feb 6 10:32:58 CET 2014


On 06 Feb 2014, at 10:28, Daniel-Constantin Mierla <miconda at gmail.com> wrote:

> Hello,
> 
> I think that importing the certificate in the repository will add some overhead, as we have to periodically check if it was revoked or updated.
Root certificates typically have a long timespan to be able to be imported. 
> 
> Maybe we can add a make target or a script to download and install it on demand.
I wanted it to be included to make sure that there's no excuse. We can of course download
during install so it's in there. Maybe that's a good idea.

> 
> Regarding the config options, perhaps is better to add a kamailio-secure.cfg for the time being, where to build a config file targeting secure deployments. I guess we have to do more changes than just few parameter for tls module (or tls config). Over the time, we can push parts (or all) in kamailio.cfg.
Ok.

/O
> 
> Cheers,
> Daniel
> 
> 
> On 06/02/14 08:25, Olle E. Johansson wrote:
>> On 05 Feb 2014, at 18:53, Klaus Darilion <klaus.mailinglists at pernau.at> wrote:
>> 
>>> On 05.02.2014 13:37, Olle E. Johansson wrote:
>>>> Hi!
>>>> 
>>>> I would like to add cacert.org root certificates to the Kamailio distribution, so that every Kamailio server gets these as approved certificates by default with the default TLS settings.
>>>> 
>>>> Anyone having problems with doing that?
>>> I do not trust cacert anything more than all the commercials CA. Thus I do not want to trust the cacert automatically.
>>> 
>>> What would be fine for is something like that in kamailio.cfg:
>>> 
>>> # remove the comments from the following lines to accept
>>> # certificates signed by cacert.org:
>>> #modparam("tls", "ca_list", "......cacert.org.pem")
>>> 
>> I can live with that.
>> 
>> /O
>> _______________________________________________
>> sr-dev mailing list
>> sr-dev at lists.sip-router.org
>> http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-dev
> 
> -- 
> Daniel-Constantin Mierla - http://www.asipto.com
> http://twitter.com/#!/miconda - http://www.linkedin.com/in/miconda
> 
> 
> _______________________________________________
> sr-dev mailing list
> sr-dev at lists.sip-router.org
> http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-dev




More information about the sr-dev mailing list