Module: kamailio Branch: master Commit: b08df6d531513ecf472f4642ddf180bffac46f58 URL: https://github.com/kamailio/kamailio/commit/b08df6d531513ecf472f4642ddf180b… Author: Daniel-Constantin Mierla &lt;miconda(a)gmail.com&gt; Committer: Daniel-Constantin Mierla &lt;miconda(a)gmail.com&gt; Date: 2018-09-27T12:20:39+02:00 tls: updates to overview section - GH #531 --- Modified: src/modules/tls/doc/functions.xml Modified: src/modules/tls/doc/tls.xml --- Diff: https://github.com/kamailio/kamailio/commit/b08df6d531513ecf472f4642ddf180b… Patch: https://github.com/kamailio/kamailio/commit/b08df6d531513ecf472f4642ddf180b… --- diff --git a/src/modules/tls/doc/functions.xml b/src/modules/tls/doc/functions.xml index 1f3116f26d..2a371de8f1 100644 --- a/src/modules/tls/doc/functions.xml +++ b/src/modules/tls/doc/functions.xml @@ -18,16 +18,18 @@ <title><function>is_peer_verified()</function></title> <para> Returns true if the connection on which the message was received - is TLS , the peer presented an X509 certificate and the + is TLS, the peer presented an X509 certificate and the certificate chain verified ok. + </para> + <para> It can be used only in a request route. </para> <example> <title><function>is_peer_verified</function> usage</title> <programlisting> - if (proto==TLS &amp;&amp; !is_peer_verified()){ + if (proto==TLS &amp;&amp; !is_peer_verified()) { sl_send_reply("400", "No certificate or verification failed"); - drop; + exit; } </programlisting> </example> diff --git a/src/modules/tls/doc/tls.xml b/src/modules/tls/doc/tls.xml index f5337baaf9..8147208f70 100644 --- a/src/modules/tls/doc/tls.xml +++ b/src/modules/tls/doc/tls.xml @@ -68,27 +68,41 @@ <section id="tls.quick_start"> <title>Quick Start</title> <para> - Make sure you have a proper certificate and private key and either - use the <varname>certificate</varname> and <varname>private_key</varname> - module parameters, or make sure the certificate and key are in the same PEM file, - named <emphasis>cert.pem</emphasis> an placed in [your-cfg-install-prefix]/etc/kamailio/. - Don't forget to load the tls module and to enable TLS - (add <emphasis>enable_tls=yes</emphasis> to your config). + The default kamailio.cfg file has basic tls support included, it has to + be enabled with "#!define WITH_TLS" directive. + </para> + <para> + The most important parameters to set the path to the public certificate and private key + files. You can either have them in different file or in the same file in PEM format. + The parameters for them are <varname>certificate</varname> and <varname>private_key</varname>. + They can be given as modparam or or provided in the profiles of tls.cfg file. + </para> + <para> + When installing tls module of kamailio, a sample 'tls.cfg' file is deployed in the same + folder with 'kamailio.cfg', along with freshly generated self signed certificates. + </para> + <para> + HINT: be sure you have <emphasis>enable_tls=yes</emphasis> to your kamailio.cfg. </para> <example> - <title>Quick start config</title> + <title>Quick Start Basic Config</title> <programlisting> #... -loadmodule "modules/tls/tls.so" +loadmodule "sl.so" +loadmodule "tls.so" -modparam("tls", "private_key", "./andrei-test.pem") -modparam("tls", "certificate", "./andrei-test.pem") +modparam("tls", "private_key", "./server-test.pem") +modparam("tls", "certificate", "./server-test.pem") modparam("tls", "ca_list", "./calist.pem") enable_tls=yes -route{ - # .... +request_route { + if(proto != TLS) { + sl_send_reply("403", "Accepting TLS Only"); + exit; + } + ... } </programlisting> </example>