while doing some tls tests, i noticed that if tls.cfg has a section like this
[server:default] verify_certificate = no require_certificate = no tls_method = SSLv23 private_key = /etc/sip-proxy/certs/sip-proxy/key.pem certificate = /etc/sip-proxy/certs/sip-proxy/cert.pem ca_list = /etc/ssl/certs/cacert.org.pem
then client does not give its certificate to kamailio server during tls connection setup even if it had one.
if i specify:
require_certificate = no
then client sends its certificate to kamailio server, but if another client does not have a client certificate, then it cannot connect at all.
one way to solve this would be making kamailio listen on two tls ports, one for clients that are required to present a a certificate and another port for clients that do not have a certificate.
unfortunately, it is not possible to add a mask to ip address in tls.cfg section like this:
[server:0.0.0.0/0:5062]
does anyone have a solution to this problem (other that running two kamailio instances)?
-- juha