[SR-Users] about tls client certificates

Juha Heinanen jh at tutpro.com
Fri Apr 11 09:12:49 CEST 2014

i read tls code and docs more carefully and found that if tls server is
configured like this:

verify_certificate = yes
require_certificate = no
tls_method = SSLv23
private_key = /etc/sip-proxy/certs/sip-proxy/key.pem
certificate = /etc/sip-proxy/certs/sip-proxy/cert.pem
ca_list = /etc/ssl/certs/cacert.org.pem

then server asks certificate from client.  if client provides one,
server verifies it, but it is ok for the client not to provide a

regarding tls module pseudo vars, one can use $tls_peer_verified to test
if client provided verified certificate and, if it did, one can use
$tls_peer_subject_cn to gets its common name.

i added $tls_* pseudo vars to wiki under TLS Module Pseudo Variables,
but didn't give any explanation to any of them.

-- juha

More information about the sr-users mailing list