[sr-dev] git:master: tls: doc - notes about filename path

Andrei Pelinescu-Onciul andrei at iptel.org
Tue Sep 7 19:07:22 CEST 2010


Module: sip-router
Branch: master
Commit: b690ab5236cbe209dd1d80ddcc15bc4c9053c42f
URL:    http://git.sip-router.org/cgi-bin/gitweb.cgi/sip-router/?a=commit;h=b690ab5236cbe209dd1d80ddcc15bc4c9053c42f

Author: Andrei Pelinescu-Onciul <andrei at iptel.org>
Committer: Andrei Pelinescu-Onciul <andrei at iptel.org>
Date:   Tue Sep  7 18:06:53 2010 +0200

tls: doc - notes about filename path

- notes about how filename paths are resolved as a function of the
  first character.
- regenerated README.

---

 modules/tls/README         |   30 +++++++++++++++++++
 modules/tls/doc/params.xml |   69 ++++++++++++++++++++++++++++++++++++++-----
 2 files changed, 91 insertions(+), 8 deletions(-)

diff --git a/modules/tls/README b/modules/tls/README
index ed9004d..ac64fdc 100644
--- a/modules/tls/README
+++ b/modules/tls/README
@@ -321,6 +321,12 @@ modparam("tls", "tls_method", "TLSv1")
    Sets the certificate file name. The certificate file can also contain
    the private key in PEM format.
 
+   If the file name starts with a '.' the path will be relative to the
+   working directory (at runtime). If it starts with a '/' it will be an
+   absolute path and if it starts with anything else the path will be
+   relative to the main config file directory (e.g.: for ser -f
+   /etc/ser/ser.cfg it will be relative to /etc/ser/).
+
    Warning: try not to use certificate with keys longer then 1024 bytes.
    Longer keys will severely impact performance, in particular the TLS
    connection rate.
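Review bot: "starts with a '.'" in the added paragraph is ambiguous for names such as .certs/cert.pem or ../cert.pem. Read literally, any leading dot switches resolution to the runtime working directory, so a dot-directory meant to sit beside the config file would be looked up somewhere else. If the rule is really "./" or "../", say so; if any leading '.' counts, add one example of each of the three cases.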
@@ -336,6 +342,12 @@ modparam("tls", "certificate", "/usr/local/etc/ser/my_certificate.pem")
 
    Sets the private key file name.
 
+   If the file name starts with a '.' the path will be relative to the
+   working directory (at runtime). If it starts with a '/' it will be an
+   absolute path and if it starts with anything else the path will be
+   relative to the main config file directory (e.g.: for ser -f
+   /etc/ser/ser.cfg it will be relative to /etc/ser/).
+
    Note: the private key can be contained in the same file as the
    certificate (just append it to the certificate file, e.g.: cat pkey.pem
    >> cert.pem)
@@ -354,6 +366,12 @@ modparam("tls", "private", "/usr/local/etc/ser/my_pkey.pem")
    to one of the listed CAs, the authentication will succeed. See also
    verify_certificate, verify_depth and require_certificate.
 
+   If the file name starts with a '.' the path will be relative to the
+   working directory (at runtime). If it starts with a '/' it will be an
+   absolute path and if it starts with anything else the path will be
+   relative to the main config file directory (e.g.: for ser -f
+   /etc/ser/ser.cfg it will be relative to /etc/ser/).
+
    By default the CA file is not set.
 
    An easy way to create the CA list is to append each trusted trusted CA
@@ -782,6 +800,12 @@ modparam("tls", "tls_force_run", 11)
    client) and domain basis (for now only IPs). The corresponding module
    parameters will be ignored.
 
+   If the file name starts with a '.' the path will be relative to the
+   working directory (at runtime). If it starts with a '/' it will be an
+   absolute path and if it starts with anything else the path will be
+   relative to the main config file directory (e.g.: for ser -f
+   /etc/ser/ser.cfg it will be relative to /etc/ser/).
+
    By default no config file is specified.
 
    The following parameters can be set in the config file, for each
@@ -795,6 +819,12 @@ modparam("tls", "tls_force_run", 11)
      * ca_list
      * cipher_list
 
+   All the parameters that take filenames as values will be resolved using
+   the same rules as for the tls config filename itself: starting with a
+   '.' means relative to the working directory, a '/' means an absolute
+   path and anything else a path relative to the directory of the current
+   ser main config file.
+
    SIP-router acts as a server when it accepts a connection and as a
    client when it initiates a new connection by itself (it connects to
    something).
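Review bot: the added paragraph calls the program "ser" ("the current ser main config file") while the unchanged paragraph directly after it says "SIP-router"; pick one name so the reader does not wonder whether two different config files are meant. Since the README is regenerated, the wording fix belongs in modules/tls/doc/params.xml.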
diff --git a/modules/tls/doc/params.xml b/modules/tls/doc/params.xml
index 7416d52..90e5020 100644
--- a/modules/tls/doc/params.xml
+++ b/modules/tls/doc/params.xml
@@ -62,10 +62,20 @@ modparam("tls", "tls_method", "TLSv1")
 	<section id="certificate">
 	<title><varname>certificate</varname> (string)</title>
 	<para>
-		Sets the certificate file name. The certificate file can also contain the private key in PEM format.
+		Sets the certificate file name. The certificate file can also contain
+		the private key in PEM format.
 	</para>
 	<para>
-		<emphasis>Warning:</emphasis> try not to use certificate with keys longer then 1024 bytes. Longer keys will severely impact performance, in particular the TLS connection rate.
+		If the file name starts with a '.' the path will be relative to the
+		working directory (<emphasis>at runtime</emphasis>). If it starts
+		with a '/' it will be an absolute path and if it starts with anything
+		else the path will be relative to the main config file directory
+		(e.g.: for ser -f /etc/ser/ser.cfg it will be relative to /etc/ser/).
+	</para>
+	<para>
+		<emphasis>Warning:</emphasis> try not to use certificate with keys
+		longer then 1024 bytes. Longer keys will severely impact performance,
+		in particular the TLS connection rate.
 	</para>
 	<para>
 		The default value is [SER_CFG_DIR]/cert.pem.
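Review bot: the re-wrapped warning still reads "keys longer then 1024 bytes". While these lines are being touched, "then" should be "than", and the unit is presumably bits, since key lengths are normally given in bits. It would also help to say that this is a performance note only, so it is not read as a recommended key size.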
@@ -86,7 +96,16 @@ modparam("tls", "certificate", "/usr/local/etc/ser/my_certificate.pem")
 		Sets the private key file name.
 	</para>
 	<para>
-		Note: the private key can be contained in the same file as the certificate (just append it to the certificate file, e.g.: cat pkey.pem >> cert.pem)
+		If the file name starts with a '.' the path will be relative to the
+		working directory (<emphasis>at runtime</emphasis>). If it starts
+		with a '/' it will be an absolute path and if it starts with anything
+		else the path will be relative to the main config file directory
+		(e.g.: for ser -f /etc/ser/ser.cfg it will be relative to /etc/ser/).
+	</para>
+	<para>
+		Note: the private key can be contained in the same file as the
+		certificate (just append it to the certificate file, e.g.:
+		cat pkey.pem &gt;&gt; cert.pem)
 	</para>
 	<para>
 		The default value is [SER_CFG_DIR]/cert.pem.
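Review bot: for the private key, the '.' case in the new paragraph means the file that gets loaded depends on whichever directory the process is running in, which is easy to get wrong for a daemon. Suggest one more sentence here recommending an absolute path or a config-relative name for private, rather than repeating the generic paragraph unchanged.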
@@ -104,13 +123,27 @@ modparam("tls", "private", "/usr/local/etc/ser/my_pkey.pem")
 <section id="ca_list">
 	<title><varname>ca_list</varname> (string)</title>
 	<para>
-		Sets the CA list file name. This file contains a list of all the trusted CAs certificates. If a signature in a certificate chain belongs to one of the listed CAs, the authentication will succeed. See also <emphasis>verify_certificate</emphasis>, <emphasis>verify_depth</emphasis> and <emphasis>require_certificate</emphasis>.
+		Sets the CA list file name. This file contains a list of all the
+		trusted CAs certificates. If a signature in a certificate chain belongs
+		to one of the listed CAs, the authentication will succeed. See also
+		<emphasis>verify_certificate</emphasis>,
+		<emphasis>verify_depth</emphasis> and
+		<emphasis>require_certificate</emphasis>.
+	</para>
+	<para>
+		If the file name starts with a '.' the path will be relative to the
+		working directory (<emphasis>at runtime</emphasis>). If it starts
+		with a '/' it will be an absolute path and if it starts with anything
+		else the path will be relative to the main config file directory
+		(e.g.: for ser -f /etc/ser/ser.cfg it will be relative to /etc/ser/).
 	</para>
 	<para>
 		By default the CA file is not set.
 	</para>
 	<para>
-		An easy way to create the CA list is to append each trusted trusted CA certificate in the PEM format to one file, e.g.: for f in trusted_cas/*.pem ; do cat "$f" >> ca_list.pem ; done .
+		An easy way to create the CA list is to append each trusted trusted CA
+		certificate in the PEM format to one file, e.g.: for f in
+		trusted_cas/*.pem ; do cat "$f" &gt;&gt; ca_list.pem ; done .
 	</para>
 	<example>
 	    <title>Set <varname>ca_list</varname> parameter</title>
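Review bot: the re-wrapped last paragraph carries over the duplicated word in "each trusted trusted CA certificate", and the first paragraph still has "trusted CAs certificates" (should be "trusted CA certificates"). Both are on lines this hunk rewrites, so they can be fixed in the same commit.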
@@ -760,13 +793,24 @@ modparam("tls", "tls_force_run", 11)
 		Sets the name of the TLS specific config file.
 	</para>
 	<para>
-		If set the TLS module will load a special config file, in which different TLS parameters can be specified on a per role (server or client) and domain basis (for now only IPs). The corresponding module parameters will be ignored.
+		If set the TLS module will load a special config file, in which
+		different TLS parameters can be specified on a per role (server or
+		client) and domain basis (for now only IPs). The corresponding module
+		parameters will be ignored.
+	</para>
+	<para>
+		If the file name starts with a '.' the path will be relative to the
+		working directory (<emphasis>at runtime</emphasis>). If it starts
+		with a '/' it will be an absolute path and if it starts with anything
+		else the path will be relative to the main config file directory
+		(e.g.: for ser -f /etc/ser/ser.cfg it will be relative to /etc/ser/).
 	</para>
 	<para>
 		By default no config file is specified.
 	</para>
 	<para>
-		The following parameters can be set in the config file, for each domain:
+		The following parameters can be set in the config file, for each
+		domain:
 	</para>
 	<itemizedlist>
 			<listitem><para>tls_method</para></listitem>
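Review bot: this is the fourth verbatim copy of the "If the file name starts with a '.'" paragraph in params.xml. Suggest moving it into one shared section (or an XML entity) and referencing it from certificate, private, ca_list and config, so the copies cannot drift apart when the rule is next edited.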
@@ -779,7 +823,16 @@ modparam("tls", "tls_force_run", 11)
 			<listitem><para>cipher_list</para></listitem>
 	</itemizedlist>
 	<para>
-		SIP-router acts as a server when it accepts a connection and as a client when it initiates a new connection by itself (it connects to something).
+		All the parameters that take filenames as values will be resolved
+		using the same rules as for the tls config filename itself: starting
+		with a '.' means relative to the working directory, a '/' means an
+		absolute path and  anything else a path relative to the directory of
+		the current ser main config file.
+	</para>
+	<para>
+		SIP-router acts as a server when it accepts a connection and as a
+		client when it initiates a new connection by itself (it connects to
+		something).
 	</para>
 	<example>
 		<title>Short config file</title>
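Review bot: the new paragraph says file names inside the tls config file resolve relative to the directory of the main config file, not to the directory of the tls config file itself. That is the less expected choice when the two files live in different directories, so state it explicitly and give an example in the style of the "ser -f /etc/ser/ser.cfg" one used elsewhere. There is also a double space in "absolute path and  anything else".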



