[SR-Users] about tls client certificates

Juha Heinanen jh at tutpro.com
Thu Apr 10 18:45:17 CEST 2014


while doing some tls tests, i noticed that if tls.cfg has a section like
this

[server:default]
verify_certificate = no
require_certificate = no
tls_method = SSLv23
private_key = /etc/sip-proxy/certs/sip-proxy/key.pem
certificate = /etc/sip-proxy/certs/sip-proxy/cert.pem
ca_list = /etc/ssl/certs/cacert.org.pem

then client does not give its certificate to kamailio server during tls
connection setup even if it had one.

if i specify:

require_certificate = no

then client sends its certificate to kamailio server, but if another
client does not have a client certificate, then it cannot connect at
all.

one way to solve this would be making kamailio listen on two tls ports,
one for clients that are required to present a certificate and another
port for clients that do not have a certificate.

unfortunately, it is not possible to add a mask to ip address in tls.cfg
section like this:

[server:0.0.0.0/0:5062]

does anyone have a solution to this problem (other than running two
kamailio instances)?

-- juha



