[sr-dev] git:master:e3e0e52c: tls: document matching on server_id for oubound connections

Daniel-Constantin Mierla miconda at gmail.com
Thu Nov 12 14:48:25 CET 2015


Module: kamailio
Branch: master
Commit: e3e0e52ca4a06f72f5139623116d1c8bc119b1e3
URL: https://github.com/kamailio/kamailio/commit/e3e0e52ca4a06f72f5139623116d1c8bc119b1e3

Author: Daniel-Constantin Mierla <miconda at gmail.com>
Committer: Daniel-Constantin Mierla <miconda at gmail.com>
Date: 2015-11-12T14:42:12+01:00

tls: document matching on server_id for oubound connections

---

Modified: modules/tls/doc/params.xml

---

Diff:  https://github.com/kamailio/kamailio/commit/e3e0e52ca4a06f72f5139623116d1c8bc119b1e3.diff
Patch: https://github.com/kamailio/kamailio/commit/e3e0e52ca4a06f72f5139623116d1c8bc119b1e3.patch

---

diff --git a/modules/tls/doc/params.xml b/modules/tls/doc/params.xml
index dc40322..397e83f 100644
--- a/modules/tls/doc/params.xml
+++ b/modules/tls/doc/params.xml
@@ -1031,8 +1031,17 @@ modparam("tls", "renegotiation", 1)
 			<listitem><para>crl</para></listitem>
 			<listitem><para>cipher_list</para></listitem>
 			<listitem><para>server_name</para></listitem>
+			<listitem><para>server_id</para></listitem>
 	</itemizedlist>
 	<para>
+		The value for server_id can be any string, being used to match TLS
+		client config profile, overriding the match on ip:port and
+		server_name. This is the recommended way for selecting a specific
+		TLS client config profile, because the local or remote port is hard
+		to predict for a stream connection - see parameter xavp_cfg to learn
+		how to enable it.
+	</para>
+	<para>
 		All the parameters that take filenames as values will be resolved
 		using the same rules as for the tls config filename itself: starting
 		with a '.' means relative to the working directory, a '/' means an
@@ -1071,6 +1080,16 @@ verify_depth = 3
 ca_list = local_ca.pem
 server_name = kamailio.org
 
+[client:127.0.0.1:5061]
+method = TLSv1
+verify_certificate = yes
+require_certificate = yes
+private_key = default_key.pem
+certificate = default_cert.pem
+ca_list = default_ca.pem
+crl = default_crl.pem
+server_name = kamailio.org
+server_id = kamailio.org
 	</programlisting>
 	</example>
 	<para>
@@ -1108,6 +1127,12 @@ modparam("tls", "config", "/usr/local/etc/kamailio/tls.cfg")
 	</para>
 	<itemizedlist>
 		<listitem><para>server_name - SNI to be used for outbound connections</para></listitem>
+		<listitem><para>server_id - string value to be used to match TLS config profile
+				for client (outbound) connections. If it is set, matching the TLS config
+				profile is done first on server_id and then on ip:port and server_name.
+				This is the recommended way for selecting a specific TLS client config
+				profile as the local or remote port is hard to predict for a stream
+				connection.</para></listitem>
 	</itemizedlist>
 	<para>
 		The default value is empty (not set).
@@ -1119,6 +1144,7 @@ modparam("tls", "config", "/usr/local/etc/kamailio/tls.cfg")
   modparam("tls", "xavp_cfg", "tls")
  ...
   $xavp(tls=>server_name) = "kamailio.org";
+  $xavp(tls=>server_id) = "kamailio.org";
   $du = "sip:kamailio.org:5061;transport=tls";
   route(RELAY);
 ...



