<simpara>
If you need RADIUS accounting then edit also
sip_router/modules/acc/Makefile and
uncomment lines containing:
</simpara>
<programlisting>
DEFS+=-DRAD_ACC
LIBS=-L$(LOCALBASE)/lib -lradiusclient
</programlisting>
What's the current status?
I think that it would be good that someone who knows the status cleans
up this file... It seems old.
We have the following modules now:
drwxr-xr-x 13 olle wheel 442 10 Okt 13:32 modules/auth_radius
drwxr-xr-x 11 olle wheel 374 10 Okt 13:32 modules/misc_radius
drwxr-xr-x 4 olle wheel 136 10 Okt 16:58 modules_s/acc_radius
The document mentions group_radius.so which I can't find...
Made a few small changes in the file, but not enough for release.
/O
Module: sip-router
Branch: master
Commit: fc5840716b51d7817be52cefb203d96c380c35d0
URL: http://git.sip-router.org/cgi-bin/gitweb.cgi/sip-router/?a=commit;h=fc58407…
Author: oej <oej(a)edvina.net>
Committer: oej <oej(a)edvina.net>
Date: Sat Oct 10 17:13:24 2009 +0200
Updating xml doc
---
doc/ser_radius/ser_radius.xml | 68 ++++++++++++++++++-----------------------
1 files changed, 30 insertions(+), 38 deletions(-)
diff --git a/doc/ser_radius/ser_radius.xml b/doc/ser_radius/ser_radius.xml
index d2bfb30..2b3e04c 100644
--- a/doc/ser_radius/ser_radius.xml
+++ b/doc/ser_radius/ser_radius.xml
@@ -1,6 +1,12 @@
<?xml version="1.0" encoding="UTF-8"?>
-<!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
- "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
+<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
+"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd" [
+
+<!-- Include general documentation entities -->
+<!ENTITY % docentities SYSTEM "../../docbook/entities.xml">
+%docentities;
+
+]>
<section id="ser_radius" xmlns:xi="http://www.w3.org/2001/XInclude">
<sectioninfo>
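Review bot: The new DOCTYPE declares `book` as the document element, but the root element two lines further down is still `<section id="ser_radius" ...>`, so a validating DocBook parser will report a root element mismatch. Keep `<!DOCTYPE section PUBLIC ...` with the 4.4 identifiers and the new internal subset, or change the root element to match. The entity file is referenced as `../../docbook/entities.xml`, relative to `doc/ser_radius/`, so it is worth confirming that path resolves in the tree.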
@@ -23,19 +29,19 @@
</revhistory>
</sectioninfo>
- <title>SER RADIUS Howto</title>
+ <title>SIP-router RADIUS Howto</title>
<section id="radius_intro">
<title>Introduction</title>
<simpara>
- SER can be configured to use RADIUS server for authentication,
+ SIP-router can be configured to use RADIUS server for authentication,
accounting, and group membership checking. Since configuration of
RADIUS seems to be a common source of problems, we decided to put
together this HOWTO.
</simpara>
<simpara>
The HOWTO covers installation and configuration of FreeRADIUS
- server only. There are also other RADIUS servers available and as
+ server only. There are other RADIUS servers available and as
long as they support digest authentication, they should work
too. Any volunteers willing to describe setup of other RADIUS
servers are encouraged to contact the author.
@@ -44,7 +50,7 @@
<section id="prerequisities">
<title>Prerequisites</title>
<simpara>
- To setup RADIUS support in SER you will need the following:
+ To setup RADIUS support in SIP-router you will need the following:
</simpara>
<itemizedlist>
<listitem>
@@ -66,13 +72,13 @@
</listitem>
<listitem>
<simpara>
- SER, get it from <ulink url="http://iptel.org/ser">http://iptel.org/ser</ulink>
+ SIP-router, get it from <ulink url="&serhome;">&serhome;</ulink>
</simpara>
</listitem>
<listitem>
<simpara>
You should also have some experience in configuring
- SER. Before you enable RADIUS authentication or
+ SIP-router. Before you enable RADIUS authentication or
accounting make sure that the basic server is running
and that you know how to customize it to your taste.
</simpara>
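Review bot: The `&serhome;` entity used in the `ulink` is not declared in this file; it resolves only if the `entities.xml` pulled in by the new internal subset defines it, and an undeclared entity is a well-formedness error that stops the doc build. Confirm the entity exists there. The visible link text also changes from a fixed URL to whatever the entity expands to.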
@@ -80,13 +86,13 @@
<listitem>
<simpara>
If you want to use RADIUS accounting then you will have
- to compile SER from sources so you should know how to
+ to compile SIP-router from sources so you should know how to
do it.
</simpara>
</listitem>
</itemizedlist>
<simpara>
- Various unix/linux distributions might include binary packages
+ Various Unix/Linux distributions might include binary packages
of the mentioned applications. In that case you can safely use
the packages, there shouldn't be any problem. Location of some
files may be different, though. We will describe how to install
@@ -192,7 +198,7 @@ acctserver localhost
<simpara>
Radiusclient library contains file called
<filename>dictionary.ser</filename>. That file includes all the
- attributes that are needed by SER. Include the file in the
+ attributes that are needed by SIP-router. Include the file in the
main <filename>dictionary</filename> file. To
include the file, put the following line at the end of
<filename>dictionary</filename> file:
@@ -376,7 +382,7 @@ root@/usr/local/src# radclient -f digest localhost auth <shared_secret>
package. That also means that you have to enable access
from localhost in your <filename>clients.conf</filename>
file. Don't forget to replace <shared_secret> with
- the shared secret configured for locahost clients in
+ the shared secret configured for localhost clients in
<filename>clients.conf</filename>.
</simpara>
</note>
@@ -392,18 +398,18 @@ Received response ID 224, code 2, length = 45
<section id="auth_configuration">
<title>Authentication Configuration</title>
<simpara>
- To create user "joe" in domain "iptel.org" with password
+ To create user "joe" in domain "sip-router.org" with password
"heslo" put the following into file
<filename>/usr/local/etc/raddb/users</filename>:
</simpara>
<programlisting>
-joe(a)iptel.org Auth-Type := Digest, User-Password == "heslo"
+joe(a)sip-router.org Auth-Type := Digest, User-Password == "heslo"
Reply-Message = "Authenticated",
Sip-Rpid = "1234"
</programlisting>
<simpara>
Attribute "Sip-Rpid" is optional. The attribute
- contains a phone number associated to the user. SER can be
+ contains a phone number associated to the user. SIP-router can be
configured to put the phone number into Remote-Party-ID header
field of the SIP message. The header field can be then used
by PSTN gateways to display the number as the number of the
@@ -415,7 +421,7 @@ joe(a)iptel.org Auth-Type := Digest, User-Password == "heslo"
<section id="accounting_configuration_server">
<title>Accounting Configuration</title>
<simpara>
- By default FreeRADIUS server will log all accounting requests
+ By default the FreeRADIUS server will log all accounting requests
into <filename>/usr/local/var/log/radius/radacct</filename>
directory in form of plain text files. The server will
create one file for each hostname in the directory. The
@@ -470,43 +476,29 @@ Tue Jun 24 00:20:56 2003
<section id="group_checking">
<title>Group Checking Configuration</title>
<simpara>
- If you want to make user "joe" in domain "iptel.org" member of
+ If you want to make user "joe" in domain "sip-router.org" member of
group "pstn" then add the following to your
<filename>/usr/local/etc/raddb/users</filename> file:
</simpara>
<programlisting>
-joe(a)iptel.org Sip-Group == "pstn", Auth-Type := Accept
+joe(a)sip-router.org Sip-Group == "pstn", Auth-Type := Accept
Reply-Message = "Authorized"
</programlisting>
</section>
</section>
<section id="ser_config">
- <title>SER Configuration</title>
+ <title>SIP-router Configuration</title>
<simpara>
We will describe installation from sources here. If you use binary
packages then there is an additional package containing RADIUS
related modules. You will need to install the package.
</simpara>
- <warning>
- <simpara>
- Due to a mistake the binary packages for RADIUS do not include
- RADIUS-enabled version of acc (accounting) module. The packages
- contain modules for RADIUS authentication and group membership
- checking only.
- </simpara>
- <simpara>
- If you need accounting over RADIUS then you will have to
- compile RADIUS-enabled version of acc module from the
- sources. This will be fixed in one of future releases, we
- apologize for any inconvenience.
- </simpara>
- </warning>
<simpara>
RADIUS-related modules are not compiled by default. To compile
them, edit <filename>Makefile</filename>, find variable
<varname>exclude_modules</varname> and you should see
- "auth_radius", "group_radius", and "uri_radius" among excluded
+ "auth_radius", "acc_radius", and "misc_radius" among excluded
modules. Simply remove the three modules from the list.
</simpara>
<simpara>
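Review bot: The module list now reads "auth_radius", "acc_radius", and "misc_radius", but the paragraph that follows (visible as context in the next hunk, `DEFS+=-DRAD_ACC`) still describes getting RADIUS accounting by editing the acc module's Makefile, so the document now describes two different routes to accounting. Decide which one applies and rewrite or drop the other. The deleted warning about binary packages lacking a RADIUS-enabled acc module should go only if that packaging problem is actually resolved; the commit message ("Updating xml doc") does not say so.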
@@ -518,7 +510,7 @@ DEFS+=-DRAD_ACC
LIBS=-L$(LOCALBASE)/lib -lradiusclient
</programlisting>
<simpara>
- Then recompile and re-install SER:
+ Then recompile and re-install SIP-router:
</simpara>
<screen>
root@localhost:/usr/local/src/sip_router# make proper
@@ -529,7 +521,7 @@ root@localhost:/usr/local/src/sip_router# make install
<section id="auth_configuration_client">
<title>Authentication Configuration</title>
<simpara>
- Edit configuration file of SER and instead of
+ Edit configuration file of SIP-router and instead of
<filename>auth_db.so</filename> load
<filename>auth_radius.so</filename> and also replace
<function>www_authorize</function> with
@@ -574,8 +566,8 @@ root@localhost:/usr/local/src/sip_router# make install
<qandaentry>
<question>
<simpara>
- I compiled SER RADIUS modules and installed
- radiusclient library, but when I try to start ser I get
+ I compiled SIP-router RADIUS modules and installed
+ radiusclient library, but when I try to start the server I get
the following error message:
</simpara>
<programlisting>
Module: sip-router
Branch: master
Commit: 95ec00f6ddc3b8e5b8059b1dce0d1f4c8ae29064
URL: http://git.sip-router.org/cgi-bin/gitweb.cgi/sip-router/?a=commit;h=95ec00f…
Author: oej <oej(a)edvina.net>
Committer: oej <oej(a)edvina.net>
Date: Sat Oct 10 16:48:02 2009 +0200
Typos, server name
---
doc/dst_blacklist.txt | 66 ++++++++++++++++++++++++++-----------------------
1 files changed, 35 insertions(+), 31 deletions(-)
diff --git a/doc/dst_blacklist.txt b/doc/dst_blacklist.txt
index 8130ff4..93e914f 100644
--- a/doc/dst_blacklist.txt
+++ b/doc/dst_blacklist.txt
@@ -6,67 +6,71 @@
#
Overview
+--------
The destination blacklist (dst_blacklist) is used to try to mark bad
- destination and avoid possible future expensive send operation to them.
- A destination is added to the blacklist when trying to send to it fails (e.g.
- timeout while trying to send or connect on tcp), or when a sip timeout occurs
- while trying to forward statefully an invite (using tm) and the remote side
+ destinations and avoid possible future expensive send operation to them.
+ A destination is added to the blacklist when an attempt to send to it fails (e.g.
+ timeout while trying to send or connect on TCP), or when a SIP timeout occurs
+ while trying to forward statefully an INVITE (using tm) and the remote side
doesn't send back any response.
- The blacklist (if enabled) is checked before any send attempt.
+ The blacklist (if enabled) is checked before any send attempt.
Drawbacks
-
+---------
Using the destination blacklist will cause some performance degradation,
especially on multi cpu machines. If you don't need it you can easily
- disable it, either in ser's config or at compile time. Disabling it at
- compile time is slightly better (but not in a "measurable" way) then
- disabling it at runtime, from the config file.
- Whether the destination blacklist is better to be on or off depends a lot
- on the setup. In general is better to turn it on when:
- - sending to clients that don't respond is expensive (e.g. lots of clients
- use tcp and they have the habit of silently discarding tcp traffic from time
- to time)
- - statefull forwarding is used (tm) and lower memory usage is desired
- (a transaction will fail immediately if the destination is already
- blacklisted by a previous transaction to the same destination that failed
- due to timeout)
- - faster dns failover is desired, especially when statefull forwarding (tm)
- and udp are used
- - better chances of DOS survival are important
+ disable it, either in sip-router's config or at compile time. Disabling it at
+ compile time is slightly better (but not in a "measurable" way) than
+ disabling it at runtime, from the config file.
+ Whether the destination blacklist is a good solution for you depends a lot
+ on the setup. In general it is better to turn it on when:
+ - sending to clients that don't respond is expensive (e.g. lots of clients
+ use tcp and they have the habit of silently discarding tcp traffic from time
+ to time)
+ - stateful forwarding is used (tm) and lower memory usage is desired
+ (a transaction will fail immediately if the destination is already
+ blacklisted by a previous transaction to the same destination that failed
+ due to timeout)
+ - faster dns failover is desired, especially when stateful forwarding (tm)
+ and UDP are used
+ - better chances of DOS attack survival are important
Config Variables
+----------------
use_dst_blacklist = on | off (default off) - enable the destination blacklist:
- if on each failed send attempt will cause the destination to be blacklisted.
- Before any send this blacklist will be checked and if a match is found the
+ If on each failed send attempt will cause the destination to be blacklisted.
+ Before any send operation this blacklist will be checked and if a match is found the
send is no longer attempted (an error is returned immediately).
Note: using the blacklist incurs a small performance penalty.
dst_blacklist_mem = size in Kb (default 250 Kb) - maximum
shared memory amount used for keeping the blacklisted destinations.
- dst_blacklist_expire = time in s (default 60 s) - how much time a
+ dst_blacklist_expire = time in s (default 60 s) - how long time a
blacklisted destination will be kept in the blacklist (w/o any update).
dst_blacklist_gc_interval = time in s (default 60 s) - how often the
garbage collection will run (eliminating old, expired entries).
dst_blacklist_init = on | off (default on) - if off, the blacklist
- is not initialized at startup and cannot be enabled runtime,
- that saves some memory.
+ is not initialized at startup and cannot be enabled at runtime,
+ which saves some memory.
-Compile Options
+Compile Time Options
+--------------------
USE_DST_BLACKLIST - if defined the blacklist support will be compiled-in
(default).
- Note: To remove a compile options, edit ser's Makefile.defs and remove it
- form DEFS list. To add a compile options add it to the make command line,
+ Note: To remove a compile time option, edit the file Makefile.defs and remove
+ USE_DST_BLACKLIST from the list named DEFS.
+ To add a compile time option, just add it to the make command line,
e.g.: make proper; make all extra_defs=-DUSE_DNS_FAILOVER
- or for a permanent solution, edit Makefile.defs and add it to DEFS
- (don't forget to prefix it with -D).
+ or for a permanent solution, edit Makefile.defs and add it to DEFS
+ (don't forget to prefix it with -D).
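Review bot: In the dst_blacklist_expire line, "how long time a blacklisted destination will be kept" is not grammatical; "how long a blacklisted destination will be kept" reads correctly. The capitalisation pass is also incomplete: the Overview now uses TCP, SIP and INVITE, while the bullet list keeps "use tcp", "discarding tcp traffic" and "faster dns failover" next to the new "UDP". In the use_dst_blacklist entry, "If on each failed send attempt" needs a comma after "on".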
Module: sip-router
Branch: master
Commit: cc68f171deae22a3a6b65e7146e77955c1c7d3c8
URL: http://git.sip-router.org/cgi-bin/gitweb.cgi/sip-router/?a=commit;h=cc68f17…
Author: oej <oej(a)edvina.net>
Committer: oej <oej(a)edvina.net>
Date: Sat Oct 10 16:37:45 2009 +0200
Adding license to the doxygen documentation
---
doc/doxygen/main.dox | 20 ++++++++++++++++++++
main.c | 12 +++---------
2 files changed, 23 insertions(+), 9 deletions(-)
diff --git a/doc/doxygen/main.dox b/doc/doxygen/main.dox
index 924323d..a59cc15 100644
--- a/doc/doxygen/main.dox
+++ b/doc/doxygen/main.dox
@@ -11,4 +11,24 @@
* are used by all SIP Router modules that need to access a database.
*
* \section sr_modules SIP Router Modules
+ * Please click on the "modules" tab above for more information about the modules
+ *
+ * The documentation can be generated using doxygen by running "make doxygen"
+ *
+ * \section License SIP-router license
+ * SIP-router is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version
+ *
+ * SIP-router is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ *
*/
+
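Review bot: The added license text gives the FSF address as "59 Temple Place, Suite 330, Boston, MA 02111-1307", which is the FSF's former address; current GPL notices use 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301. The sentence ending "(at your option) any later version" is missing its full stop, and the last `+` line adds a stray blank line after the closing `*/`.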
diff --git a/main.c b/main.c
index aa3a6d6..b50a75b 100644
--- a/main.c
+++ b/main.c
@@ -3,19 +3,14 @@
*
* Copyright (C) 2001-2003 FhG Fokus
*
- * This file is part of ser, a free SIP server.
+ * This file is part of SIP-router, a free SIP server.
*
- * ser is free software; you can redistribute it and/or modify
+ * SIP-router is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2 of the License, or
* (at your option) any later version
*
- * For a license to use the ser software under conditions
- * other than those described here, or to purchase support for this
- * software, please contact iptel.org by e-mail at the following addresses:
- * info(a)iptel.org
- *
- * ser is distributed in the hope that it will be useful,
+ * SIP-router is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
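Review bot: Removing the paragraph that begins "For a license to use the ser software under conditions other than those described here" changes a license notice in a file that still carries "Copyright (C) 2001-2003 FhG Fokus", and the commit message ("Adding license to the doxygen documentation") does not mention it. Put the main.c header change in its own commit with a message that states what was removed and why, so the licensing change is visible in the history rather than hidden in a documentation commit.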
@@ -94,7 +89,6 @@
*
*/
-
#include <stdio.h>
#include <stdlib.h>
#include <errno.h>
For developer documentation and license templates, I suggest we decide
to use "sip-router" as a name always. In my personal eyes, Kamailio
and SER will be distributions of SIP-router, but the source will be
sip-router. User documentation needs the distribution name, but that
is something we need to fix after we branch out in all possible
distributions, including the hitherto secret Edvina Megaproxy and
Asipto 3S - SuperSipServer - distributions ;-)
Anyone against this policy in regards to all source code and doxygen?
/O
Module: sip-router
Branch: master
Commit: 0536bbc8739a46a5b67f37519e03881d5bf07684
URL: http://git.sip-router.org/cgi-bin/gitweb.cgi/sip-router/?a=commit;h=0536bbc…
Author: oej <oej(a)edvina.net>
Committer: oej <oej(a)edvina.net>
Date: Sat Oct 10 16:13:46 2009 +0200
Typos, formatting
---
modules/auth_identity/README | 47 ++++++++++++++-------------
modules/auth_identity/doc/auth_identity.xml | 22 ++++++------
2 files changed, 35 insertions(+), 34 deletions(-)
diff --git a/modules/auth_identity/README b/modules/auth_identity/README
index 70deb13..592f0aa 100644
--- a/modules/auth_identity/README
+++ b/modules/auth_identity/README
@@ -1,4 +1,4 @@
-1. Auth Identity Module
+1. SIP Authenticated Identity Module
Gergely Kovacs
@@ -70,7 +70,7 @@ Gergely Kovacs
* verifier - verifies an authorized message
Known limitations in this version:
- * authorizer and verifier support only SIP requests except for CANCEL
+ * authorizer and verifier support all SIP requests except for CANCEL
and REGISTER
* verifier does not support the subjectAltName extension of
certificates
@@ -83,17 +83,17 @@ Gergely Kovacs
This module needs the following headers and libraries:
* OpenSSL (version 0.9.8 or higher) for cryptographic functions
- * libcURL for HTTP, HTTPS functions
+ * libcurl for HTTP, HTTPS functions
If you'd like to use TLS module too then use the corresponding LIB line
in auth_identity's Makefile
1.4. Installation And Running
- Authorizer service needs an opportunity to make the public key, which
- conveyed in a certificate, available over HTTPS or HTTP for verifiers.
- The domain the authorizer is responsible for and the domain part of the
- URL of the certificate must be the same. This service needs its private
+ the Authorizer service needs to make the public key, which conveyed in
+ a certificate, available over HTTPS or HTTP for verifiers. The domain
+ the authorizer is responsible for and the domain part of the URL of the
+ certificate must be the same. This service needs access to the private
key too.
1.5. Authorizer service parameters
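Review bot: The rewritten first sentence of section 1.4 starts with a lower-case "the" and still reads "the public key, which conveyed in a certificate"; it needs "The" and "which is conveyed". Since the paragraph now says the service "needs access to the private key", a sentence on restricting read access to the file named by privatekey_path to the server's user would fit here.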
@@ -150,26 +150,27 @@ modparam("auth_identity","msg_timeout",600)
1.6. Authorizer service functions
-1.6.1. auth_date_proc()
+1.6.1. auth_date_proc()
If a message, the auth service should authorize, contains Date header
then this function checks whether it falls in message timeout (set by
- msg_timeout parameter). If there is not any Date header then adds one.
- This function also checks whether the certificate of auth service (set
- by certificate_path parameter) has not been expired.
+ msg_timeout parameter). If there is not any Date header then the module
+ adds one. This function also checks whether the certificate of the
+ authentication service (set by certificate_path parameter) has been
+ expired.
1.6.1.1. Dependencies
No dependencies
-1.6.2. auth_add_identity()
+1.6.2. auth_add_identity()
Assembles digest-string from the message, calculates its SHA1 hash,
- encrypt it with the private key (set by privatekey_path parameter) of
- authorizer service, base64 encodes it and adds to the outgoing message
- as the value of Identity header. This function also adds Identity-Info
- header which contains an URI (set by certificate_url parameter) from
- which the certificate of auth service can be acquired.
+ encrypts it with the private key (set by privatekey_path parameter) of
+ the authorizer service, base64 encodes it and adds to the outgoing
+ message as the value of Identity header. This function also adds
+ Identity-Info header which contains an URI (set by certificate_url
+ parameter) from which the certificate of auth service can be acquired.
Note: this function needs the final outgoing message for authorization,
so no module may modify any digest string related headers (From, To,
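Review bot: In 1.6.1, changing "has not been expired" to "has been expired" leaves it unclear which outcome the function treats as success; "has expired" is the grammatical form, and the text should state which result the script sees when the certificate set by certificate_path is expired. The same wording is introduced in the auth_identity.xml hunk for this function. In 1.6.2, "base64 encodes it and adds to the outgoing message" still lacks its object ("adds it").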
@@ -270,7 +271,7 @@ modparam("auth_identity","certificate_cache_limit",4096)
A file of trusted certificates. The file should contain multiple
certificates in PEM format concatenated together. It could be useful
- for verifying a certificate not signed by a trusted CA.
+ for verifying a certificate signed by a private CA.
This parameter is optional. It has not got default value.
@@ -292,7 +293,7 @@ modparam("auth_identity","accept_pem_certs",1)
1.9. Verifier service functions
-1.9.1. vrfy_check_date()
+1.9.1. vrfy_check_date()
Checks Date header of the incoming message whether falls in validity
time (set by auth_validity_time parameter)
@@ -301,7 +302,7 @@ modparam("auth_identity","accept_pem_certs",1)
No dependencies
-1.9.2. vrfy_get_certificate()
+1.9.2. vrfy_get_certificate()
Tries to get certificate defined by the value of Identity-info header
from certificate table (which size is set by certificate_cache_limit
@@ -312,7 +313,7 @@ modparam("auth_identity","accept_pem_certs",1)
No dependencies
-1.9.3. vrfy_check_certificate()
+1.9.3. vrfy_check_certificate()
Checks whether the downloaded certificate is valid (is not expired, its
subject and the domain part of the URL are the same) and adds it to
@@ -322,7 +323,7 @@ modparam("auth_identity","accept_pem_certs",1)
vrfy_get_certificate() must be called before
-1.9.4. vrfy_check_msgvalidity()
+1.9.4. vrfy_check_msgvalidity()
Assembles digest-string from the message, create SHA1 hash and compares
it with the decrypted value of Identity header.
@@ -332,7 +333,7 @@ modparam("auth_identity","accept_pem_certs",1)
vrfy_get_certificate() must be called before and
vrfy_check_certificate() should be called before
-1.9.5. vrfy_check_callid()
+1.9.5. vrfy_check_callid()
Checks whether the current call's been already processed in validity
time (set by auth_validity_time) to recognize call replay attacks. If
diff --git a/modules/auth_identity/doc/auth_identity.xml b/modules/auth_identity/doc/auth_identity.xml
index c473752..a47f5db 100644
--- a/modules/auth_identity/doc/auth_identity.xml
+++ b/modules/auth_identity/doc/auth_identity.xml
@@ -20,7 +20,7 @@
</copyright>
</sectioninfo>
- <title>Auth Identity Module</title>
+ <title>SIP Authenticated Identity Module</title>
<section>
<title>Overview</title>
@@ -47,7 +47,7 @@
<itemizedlist>
<listitem>
<para>
- authorizer and verifier support only SIP requests except for
+ authorizer and verifier support all SIP requests except for
<emphasis>CANCEL</emphasis> and <emphasis>REGISTER</emphasis>
</para>
</listitem>
@@ -79,7 +79,7 @@
</listitem>
<listitem>
<para>
- <emphasis>libcURL</emphasis> for HTTP, HTTPS functions
+ <emphasis>libcurl</emphasis> for HTTP, HTTPS functions
</para>
</listitem>
</itemizedlist>
@@ -91,11 +91,11 @@
<section id="auth_identity.install_and_run">
<title>Installation And Running</title>
<para>
- <emphasis>Authorizer</emphasis> service needs an opportunity to make the public key,
+ the <emphasis>Authorizer</emphasis> service needs to make the public key,
which conveyed in a certificate, available over HTTPS or HTTP for
verifiers. The domain the authorizer is responsible for and the
domain part of the URL of the certificate must be the same. This
- service needs its private key too.
+ service needs access to the private key too.
</para>
</section>
@@ -197,9 +197,9 @@ modparam("auth_identity","msg_timeout",600)
If a message, the auth service should authorize, contains Date header
then this function checks whether it falls in message timeout (set by
<emphasis>msg_timeout</emphasis> parameter). If there is not any Date
- header then adds one. This function also checks whether the certificate
- of auth service (set by <emphasis>certificate_path</emphasis> parameter)
- has not been expired.
+ header then the module adds one. This function also checks whether the certificate
+ of the authentication service (set by <emphasis>certificate_path</emphasis> parameter)
+ has been expired.
</para>
<section>
<title>Dependencies</title>
@@ -215,8 +215,8 @@ modparam("auth_identity","msg_timeout",600)
</title>
<para>
Assembles digest-string from the message, calculates its SHA1 hash,
- encrypt it with the private key (set by <emphasis>privatekey_path</emphasis>
- parameter) of authorizer service, base64 encodes it and adds to the
+ encrypts it with the private key (set by <emphasis>privatekey_path</emphasis>
+ parameter) of the authorizer service, base64 encodes it and adds to the
outgoing message as the value of <emphasis>Identity</emphasis> header.
This function also adds Identity-Info header which contains an URI
(set by <emphasis>certificate_url</emphasis> parameter) from which
@@ -362,7 +362,7 @@ modparam("auth_identity","certificate_cache_limit",4096)
<para>
A file of trusted certificates. The file should contain multiple
certificates in PEM format concatenated together. It could be useful
- for verifying a certificate not signed by a trusted CA.
+ for verifying a certificate signed by a private CA.
</para>
<para>
This parameter is optional. It has not got default value.