On 3/19/12 10:47 AM, Juha Heinanen wrote:
Daniel-Constantin Mierla writes:
Is this by one ca_list only, or do you have many tls domains, each with its own profile?
just a single ca_list and tls domain. my tls.cfg looks like this:
[client:default]
verify_certificate = yes
require_certificate = yes
tls_method = TLSv1
private_key = /etc/sip-proxy/certs/sip-proxy/key.pem
certificate = /etc/sip-proxy/certs/sip-proxy/cert.pem
#ca_list = /etc/sip-proxy/certs/demoCA/cert.pem
ca_list = /etc/ssl/certs/ca-certificates.crt

[server:default]
verify_certificate = no
require_certificate = no
tls_method = SSLv23
private_key = /etc/sip-proxy/certs/sip-proxy/key.pem
certificate = /etc/sip-proxy/certs/sip-proxy/cert.pem
#ca_list = /etc/sip-proxy/certs/demoCA/cert.pem
ca_list = /etc/ssl/certs/ca-certificates.crt
sending over tls works fine if i use the line
ca_list = /etc/sip-proxy/certs/demoCA/cert.pem
where cert.pem contains just three ca certs, one of them being the cacert.org ca cert that i use in this test.
I guess it is loaded two times, for the server and client profiles. Try to set it via dedicated module parameter and see if you get better memory usage:
http://kamailio.org/docs/modules/stable/modules/tls.html#ca_list
Overall, libssl and tls in general are known to be very greedy with memory. Maybe Andrei or Jan are available to write more details about it, as they implemented specific parts (also workarounds for libssl bugs) of the tls module.
For a heavily loaded tls sip server, a lot of memory is important.
Cheers, Daniel
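An added example, not part of the original messages and not Kamailio code: a small audit of a tls.cfg that groups profiles by the ca_list they reference and counts how many CA certificates would be parsed if each profile loads its own copy, which is the guess made in the reply above. The helper names and the bundle size of 150 are constructed for illustration; the three-certificate demoCA bundle matches the thread.

```python
import configparser
from collections import defaultdict

# Constructed sample mirroring the two profiles quoted in the thread.
SAMPLE_TLS_CFG = """\
[client:default]
verify_certificate = yes
tls_method = TLSv1
#ca_list = /etc/sip-proxy/certs/demoCA/cert.pem
ca_list = /etc/ssl/certs/ca-certificates.crt

[server:default]
verify_certificate = no
tls_method = SSLv23
#ca_list = /etc/sip-proxy/certs/demoCA/cert.pem
ca_list = /etc/ssl/certs/ca-certificates.crt
"""
PEM_BEGIN = "-----BEGIN CERTIFICATE-----"


def fake_bundle(n):
    """Constructed stand-in for a PEM bundle holding n certificates."""
    return "".join(f"{PEM_BEGIN}\nAAAA\n-----END CERTIFICATE-----\n" for _ in range(n))


def ca_list_usage(cfg_text, read_bundle):
    """Map each ca_list path to (profiles that reference it, certs in that bundle)."""
    cp = configparser.ConfigParser(delimiters=("=",), comment_prefixes=("#",),
                                   interpolation=None)
    cp.read_string(cfg_text)
    by_path = defaultdict(list)
    for section in cp.sections():
        path = cp[section].get("ca_list")  # commented-out ca_list lines are skipped
        if path:
            by_path[path].append(section)
    return {p: (s, read_bundle(p).count(PEM_BEGIN)) for p, s in by_path.items()}


def total_loaded(usage):
    """Certificates parsed overall, assuming one private copy per profile."""
    return sum(len(sections) * certs for sections, certs in usage.values())


if __name__ == "__main__":
    # Constructed bundle contents; on a real host pass lambda p: open(p).read().
    bundles = {"/etc/ssl/certs/ca-certificates.crt": fake_bundle(150)}
    usage = ca_list_usage(SAMPLE_TLS_CFG, bundles.__getitem__)
    for path, (sections, certs) in usage.items():
        print(f"{path}: {certs} certs x {len(sections)} profiles {sections}")
    print("total certificates parsed:", total_loaded(usage))
```

A path that appears under more than one profile in the output is the candidate for the single module-level ca_list parameter linked in the reply.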