[SR-Users] Add client certificate checking against a CRL in opensips
Daniel-Constantin Mierla
miconda at gmail.com
Tue Sep 20 10:51:27 CEST 2011
Hello,
On 9/19/11 5:54 PM, tomsc wrote:
> Hi everyone,
>
> I'd like to check whether a client certificate is revoked or not against a CRL.
> Actually, opensips uses the SSL_CTX context. How can I do this with this context?
>
> I made this change to load the CRL:
>
> #include <openssl/ssl.h>
> #include <openssl/x509_vfy.h>
>
> static int load_crl(SSL_CTX *ctx, char *filename)
> {
>     X509_STORE *pStore;
>     X509_LOOKUP *plookup;
>
>     LM_DBG("entered load crl\n");
>     /* the CRL goes into the certificate store that SSL_CTX verifies against */
>     pStore = SSL_CTX_get_cert_store(ctx);
>     plookup = X509_STORE_add_lookup(pStore, X509_LOOKUP_file());
>     if (plookup == NULL
>             || !X509_load_crl_file(plookup, filename, X509_FILETYPE_PEM)) {
>         LM_ERR("unable to load CRL file '%s'\n", filename);
>         return -1;
>     }
>
>     LM_DBG("'%s' successfully loaded\n", filename);
>     return 0;
> }
>
> But I don't know how to add flags. Is this the right solution?
First, you sent the message to the wrong mailing list. Here we discuss
Kamailio (OpenSER) and SIP Express Router (SER).
Second, kamailio/ser has had CRL support for a long time. So you just need to
set the path to the CRL file in the tls module parameter 'crl' in the config file,
and that's all you have to do:
http://kamailio.org/docs/modules/stable/modules/tls.html#crl
Part of the next tutorial shows how to install TLS in version 3.1.x on the
Debian distro, which is really simple:
http://kb.asipto.com/kamailio:skype-like-service-in-less-than-one-hour
It is not experimental TLS support like in other places; the tls config file
can be reloaded at runtime without a restart. See more in the readme of
the tls module:
http://kamailio.org/docs/modules/stable/modules/tls.html
The default config file of kamailio also has notes about TLS support --
very easy to enable by adding #!define WITH_TLS
Cheers,
Daniel
--
Daniel-Constantin Mierla -- http://www.asipto.com
Kamailio Advanced Training, Oct 10-13, Berlin: http://asipto.com/u/kat
http://linkedin.com/in/miconda -- http://twitter.com/miconda
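Added illustration of the Kamailio-side setting the reply refers to (not code from the thread; the file paths are placeholders). The point worth checking in any deployment: a CRL is only consulted when the peer certificate is actually verified, and verification is off by default, so 'crl' on its own never rejects a revoked client. The same holds for the hand-rolled OpenSSL version above: a CRL loaded into the store is ignored until the X509_V_FLAG_CRL_CHECK verify flag is set and peer verification is enabled.

```cfg
#!define WITH_TLS

# ... other loadmodule lines ...
loadmodule "tls.so"

# Weak: the CRL path alone. verify_certificate defaults to 0, so the
# client certificate is never checked and the CRL is never consulted.
# modparam("tls", "crl", "/etc/kamailio/tls/crl.pem")

# Corrected: require a client certificate, verify it against the CA
# list, and reject serials listed in the CRL (placeholder paths).
modparam("tls", "tls_method", "TLSv1")
modparam("tls", "certificate", "/etc/kamailio/tls/server-cert.pem")
modparam("tls", "private_key", "/etc/kamailio/tls/server-key.pem")
modparam("tls", "ca_list", "/etc/kamailio/tls/ca-list.pem")
modparam("tls", "crl", "/etc/kamailio/tls/crl.pem")
modparam("tls", "verify_certificate", 1)
modparam("tls", "require_certificate", 1)

enable_tls=yes
# placeholder address; TLS SIP normally listens on 5061
listen=tls:203.0.113.10:5061
```

In the default kamailio.cfg the same keys live in the separate tls.cfg referenced by the tls module's 'config' parameter; after updating the CRL file, reload it at runtime with 'kamcmd tls.reload' rather than restarting.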