@@ -1,4 +1,4 @@

-docs = tls.xml

+docs = tls_wolfssl.xml

 docbook_dir = ../../../../doc/docbook

 include $(docbook_dir)/Makefile.module

deleted file mode 100644

@@ -1,154 +0,0 @@

-<?xml version="1.0" encoding='ISO-8859-1'?>

-<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"

-"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd" [

-

-<!-- Include general documentation entities -->

-<!ENTITY % docentities SYSTEM "../../../../doc/docbook/entities.xml">

-%docentities;

-

-]>

-

-<section id="tls.certs_howto" xmlns:xi="http://www.w3.org/2001/XInclude">

-    <sectioninfo>

-    </sectioninfo>

-

-	<title>Quick Certificate Howto</title>

-		<para>

-			There are various ways to create, sign certificates and manage small CAs (Certificate Authorities).

-			If you are in a hurry and everything you have are the installed OpenSSL libraries and utilities, read on.

-		</para>

-		<para>

-			Assumptions: we run our own CA.

-		</para>

-		<para>

-			Warning: in this example no key is encrypted. The client and server private keys must not be encrypted

-			(&kamailio; doesn't support encrypted keys), so make sure the corresponding files are readable only by

-			trusted people. You should use a password to protect your CA private key.

-		</para>

-		<para>

-		<programlisting>

-Assumptions

-

-The default openssl configuration (usually /etc/ssl/openssl.cnf)

-default_ca section is the one distributed with openssl and uses the default

-directories:

-

-...

-

-default_ca      = CA_default            # The default ca section

-

-[ CA_default ]

-

-dir             = ./demoCA              # Where everything is kept

-certs           = $dir/certs            # Where the issued certs are kept

-crl_dir         = $dir/crl              # Where the issued crl are kept

-database        = $dir/index.txt        # database index file.

-#unique_subject = no                    # Set to 'no' to allow creation of

-                                        # several certificates with same subject.

-new_certs_dir   = $dir/newcerts         # default place for new certs.

-

-certificate     = $dir/cacert.pem       # The CA certificate

-serial          = $dir/serial           # The current serial number

-crlnumber       = $dir/crlnumber        # the current CRL number

-crl             = $dir/crl.pem          # The current CRL

-private_key     = $dir/private/cakey.pem# The private key

-RANDFILE        = $dir/private/.rand    # private random number file

-

-...

-

-If this is not the case create a new OpenSSL config file that uses the above

-paths for the default CA and add to all the openssl commands:

- -config filename. E.g.:

-	openssl ca -config my_openssl.cnf -in kamailio1_cert_req.pem -out kamailio1_cert.pem

-

-

-Creating the CA certificate

-1. Create the CA directory

-	mkdir ca

-	cd ca

-	

-2. Create the CA directory structure and files  (see ca(1))

-	mkdir demoCA 		#default CA name, edit /etc/ssl/openssl.cnf

-	mkdir  demoCA/private

-	mkdir demoCA/newcerts

-	touch demoCA/index.txt

-	echo 01 >demoCA/serial

-	echo 01 >demoCA/crlnumber

-	

-2. Create CA private key

-	openssl genrsa -out demoCA/private/cakey.pem 2048

-	chmod 600 demoCA/private/cakey.pem

-	

-3. Create CA self-signed certificate

-	openssl req -out demoCA/cacert.pem   -x509 -new -key demoCA/private/cakey.pem

-

-

-Creating a server/client TLS certificate

-1. Create a certificate request (and its private key in privkey.pem)

-

-	openssl req -out kamailio1_cert_req.pem -new -nodes

-

-	WARNING: the organization name should be the same as in the CA certificate.

-	

-2. Sign it with the CA certificate

-	openssl ca -in kamailio1_cert_req.pem -out kamailio1_cert.pem

-	

-3. Copy kamailio1_cert.pem to your &kamailio; configuration dir

-

-

-Setting &kamailio; to use the TLS certificate

-1. Create the CA list file:

-	for each of your CA certificates that you intend to use do:

-		cat cacert.pem >>calist.pem

-	

-2. Copy your &kamailio; certificate, private key and ca list file to your 

-	intended machine (preferably in your &kamailio; configuration directory,

-	 this is the default place &kamailio; searches for).

-	

-3. Set up &kamailio;.cfg to use the certificate

-	if your &kamailio; certificate name is different from cert.pem or it is not

-	placed in &kamailio; cfg. directory, add to your kamailio.cfg:

-		modparam("tls", "certificate", "/path/cert_file_name")

-	

-4. Set up &kamailio; to use the private key

-	if your private key is not contained in the same file as the certificate

-	(or the certificate name is not the default cert.pem), add to your

-	 &kamailio;.cfg:

-		modparam("tls", "private_key", "/path/private_key_file")

-	

-5. Set up &kamailio; to use the CA list (optional)

-   The CA list is not used for your server certificate - it's used to approve other servers

-   and clients connecting to your server with a client certificate or for approving

-   a certificate used by a server your server connects to.

-	add to your &kamailio;.cfg:

-		modparam("tls", "ca_list", "/path/ca_list_file")

-	

-6. Set up TLS authentication options:

-		modparam("tls", "verify_certificate", 1)

-		modparam("tls", "require_certificate", 1) 

-	(for more information see the module parameters documentation)

-

-

-Revoking a certificate and using a CRL

-1. Revoking a certificate:

-	openssl ca -revoke bad_cert.pem

-	

-2. Generate/update the certificate revocation list:

-	openssl ca -gencrl -out my_crl.pem

-	

-3. Copy my_crl.pem to your &kamailio; config. dir

-	

-4. Set up &kamailio; to use the CRL:

-		modparam("tls", "crl", "path/my_crl.pem")

-

-

-		</programlisting>

-		</para>

-

-

-</section>

deleted file mode 100644

@@ -1,38 +0,0 @@

-<?xml version="1.0" encoding='ISO-8859-1'?>

-<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"

-"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd" [

-

-<!-- Include general documentation entities -->

-<!ENTITY % docentities SYSTEM "../../../../doc/docbook/entities.xml">

-%docentities;

-

-]>

-

-<section id="tls.status">

-	<title>Status</title>

-	<section id="tls.license">

-	<title>License</title>

-		<para>

-			Most of the code for this module has been released under BSD by

-			iptelorg. The GPL parts are released with an exception to link

-			with OpenSSL toolkit software components.

-		</para>

-	</section>

-	<section id="tls.history">

-	<title>History</title>

-		<para>

-			For version 3.1 most of the TLS specific code was completely

-			re-written to add support for asynchronous TLS and fix several

-			long standing bugs.

-		</para>

-		<para>

-			The code is currently maintained by Andrei Pelinescu-Onciul

-			<email>andrei@iptel.org</email>.

-		</para>

-		<para>

-			Install does not generate self-signed certificates by default

-			anymore. In order to generate them now you should do

-			"make install-tls-cert"

-		</para>

-	</section>

-</section>

deleted file mode 100644

@@ -1,64 +0,0 @@

-<?xml version="1.0" encoding='ISO-8859-1'?>

-<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"

-"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd" [

-

-<!-- Include general documentation entities -->

-<!ENTITY % docentities SYSTEM "../../../../doc/docbook/entities.xml">

-%docentities;

-

-]>

-

-<section id="tls.hsm_howto" xmlns:xi="http://www.w3.org/2001/XInclude">

-    <sectioninfo>

-    </sectioninfo>

-

-	<title>HSM Howto</title>

-		<para>

-			This documents OpenSSL engine support for private keys in HSM. 

-		</para>

-		<para>

-		        Assumptions: an OpenSSL engine configured with private key. We still require the certificate file

-			and list of CA certificates per a regular TLS configuration.

-		</para>

-		<para>

-		<programlisting>

-Thales Luna Example

-

-...

-# Example for Thales Luna

-modparam("tls", "engine", "gem")

-modparam("tls", "engine_config", "/usr/local/etc/kamailio/thales.cnf")

-modparam("tls", "engine_algorithms", "EC")

-...

-

-/usr/local/etc/kamailio/thales.cnf is a OpenSSL config format file used to

-bootstrap the engine, e.g., pass the PIN.

-

-...

-# the key kamailio is mandatory

-kamailio = openssl_init

-

-[ openssl_init ]

-engines = engine_section

-

-[ engine_section ]

-# gem is the name of the Thales Luna OpenSSL engine

-gem = gem_section

-

-[ gem_section ]

-# from Thales documentation

-dynamic_path = /usr/lib64/engines-1.1/gem.so

-ENGINE_INIT = 0:20:21:password=1234-ABCD-5678-EFGH

-...

-

-

-Thales nShield Connect

-

-Place holder

-		</programlisting>

-		</para>

-

-

-</section>

deleted file mode 100644

@@ -1,1410 +0,0 @@

-<?xml version="1.0" encoding="UTF-8"?>

-<!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"

-		"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"

-	[<!-- Include general documentation entities -->

-	 <!ENTITY % docentities SYSTEM "../../../../doc/docbook/entities.xml">

-	 %docentities;

-	]

->

-

-<section id="tls.parameters">

-    <sectioninfo>

-    </sectioninfo>

-

-    <title>Parameters</title>

-

-	<section id="tls.p.tls_method">

-	<title><varname>tls_method</varname> (string)</title>

-	<para>

-		Sets the TLS protocol method. Possible values are:

-	</para>

-	<itemizedlist>

-			<listitem>

-				<para>

-				<emphasis>TLSv1.2+</emphasis> - TLSv1.2 or newer (TLSv1.3, ...)

-				connections are accepted (available starting with openssl/libssl v1.1.1)

-				</para>

-			</listitem>

-			<listitem>

-				<para>

-				<emphasis>TLSv1.2</emphasis> - only TLSv1.2 connections are accepted

-				(available starting with openssl/libssl v1.0.1e)

-				</para>

-			</listitem>

-			<listitem>

-				<para>

-				<emphasis>TLSv1.1+</emphasis> - TLSv1.1 or newer (TLSv1.2, ...)

-				connections are accepted (available starting with openssl/libssl v1.0.1)

-				</para>

-			</listitem>

-			<listitem>

-				<para>

-				<emphasis>TLSv1.1</emphasis> - only TLSv1.1 connections are accepted

-				(available starting with openssl/libssl v1.0.1)

-				</para>

-			</listitem>

-			<listitem>

-				<para>

-				<emphasis>TLSv1+</emphasis> - TLSv1.0 or newer (TLSv1.1, TLSv1.2, ...)

-				connections are accepted.

-				</para>

-			</listitem>

-			<listitem>

-				<para>

-				<emphasis>TLSv1</emphasis> - only TLSv1 (TLSv1.0) connections are

-				accepted. This is the default value.

-				</para>

-			</listitem>

-			<listitem>

-				<para>

-				<emphasis>SSLv3</emphasis> - only SSLv3 connections are accepted.

-				Note: you shouldn't use SSLv3 for anything which should be secure.

-				</para>

-			</listitem>

-			<listitem>

-				<para>

-				<emphasis>SSLv2</emphasis> - only SSLv2 connections, for old clients.

-				Note: you shouldn't use SSLv2 for anything which should be secure.

-				Newer versions of OpenSSL libraries don't include support for it anymore.

-				</para>

-			</listitem>

-			<listitem>

-				<para>

-				<emphasis>SSLv23</emphasis> - any of the SSLv2, SSLv3 and TLSv1 or

-				newer methods will be accepted.

-				</para>

-				<para>

-				From the OpenSSL manual: "A TLS/SSL connection established with these

-				methods may understand the SSLv3, TLSv1, TLSv1.1 and TLSv1.2 protocols.

-				If extensions are required (for example server name) a client will

-				send out TLSv1 client hello messages including extensions and will

-				indicate that it also understands TLSv1.1, TLSv1.2 and permits a

-				fallback to SSLv3. A server will support SSLv3, TLSv1, TLSv1.1

-				and TLSv1.2 protocols. This is the best choice when compatibility

-				is a concern."

-				</para>

-				<para>

-				Note: For older OpenSSL library versions, this option allows SSLv2, with hello

-				messages done over SSLv2. You shouldn't use SSLv2 or SSLv3 for anything

-				which should be secure.

-				</para>

-			</listitem>

-	</itemizedlist>

-	<para>

-		If RFC 3261 conformance is desired, at least TLSv1 must be used. For

-		compatibility with older clients SSLv23 is the option, but again, be aware

-		of security concerns, SSLv2/3 being considered very insecure by 2014.

-		For current information about what's considered secure, please consult,

-		IETF BCP 195, currently RFC 7525  - "Recommendations for Secure Use of 

-		Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS)"

-	</para>

-	<example>

-	    <title>Set <varname>tls_method</varname> parameter</title>

-	    <programlisting>

-...

-modparam("tls", "tls_method", "TLSv1")

-...

-	    </programlisting>

-	</example>

-	</section>

-

-	<section id="tls.p.certificate">

-	<title><varname>certificate</varname> (string)</title>

-	<para>

-		Sets the certificate file name. The certificate file can also contain

-		the private key in PEM format.

-	</para>

-	<para>

-		If the file name starts with a '.' the path will be relative to the

-		working directory (<emphasis>at runtime</emphasis>). If it starts

-		with a '/' it will be an absolute path and if it starts with anything

-		else the path will be relative to the main config file directory

-		(e.g.: for kamailio -f /etc/kamailio/kamailio.cfg it will be relative to /etc/kamailio/).

-	</para>

-	<para>

-		The default value is &kamailioconfdir;/cert.pem

-	</para>

-	<example>

-	    <title>Set <varname>certificate</varname> parameter</title>

-	    <programlisting>

-...

-modparam("tls", "certificate", "/usr/local/etc/kamailio/my_certificate.pem")

-...

-	    </programlisting>

-	</example>

-	</section>

-

-	<section id="tls.p.private_key">

-	<title><varname>private_key</varname> (string)</title>

-	<para>

-		Sets the private key file name. The private key can be in the same

-		file as the certificate or in a separate file, specified by this

-		configuration parameter.

-	</para>

-	<para>

-		If the file name starts with a '.' the path will be relative to the

-		working directory (<emphasis>at runtime</emphasis>). If it starts

-		with a '/' it will be an absolute path and if it starts with anything

-		else the path will be relative to the main config file directory

-		(e.g.: for kamailio -f /etc/kamailio/kamailio.cfg it will be relative to /etc/kamailio/).

-	</para>

-	<para>

-		Note: the private key can be contained in the same file as the

-		certificate (just append it to the certificate file, e.g.:

-		cat pkey.pem >> cert.pem)

-	</para>

-	<para>

-		The default value is &kamailioconfdir;/cert.pem

-	</para>

-	<example>

-	    <title>Set <varname>private_key</varname> parameter</title>

-	    <programlisting>

-...

-modparam("tls", "private_key", "/usr/local/etc/kamailio/my_pkey.pem")

-...

-	    </programlisting>

-	</example>

-	</section>

-

-	<section id="tls.p.ca_list">

-	<title><varname>ca_list</varname> (string)</title>

-	<para>

-		Sets the CA list file name. This file contains a list of all the

-		trusted CAs certificates used when connecting to other SIP implementations.

-		If a signature in a certificate chain belongs

-		to one of the listed CAs, the verification of that certificate will succeed.

-	</para>

-	<para>

-		If the file name starts with a '.' the path will be relative to the

-		working directory (<emphasis>at runtime</emphasis>). If it starts

-		with a '/' it will be an absolute path and if it starts with anything

-		else the path will be relative to the main config file directory

-		(e.g.: for kamailio -f /etc/kamailio/kamailio.cfg it will be relative to /etc/kamailio/).

-	</para>

-	<para>

-		By default the CA file is not set.

-	</para>

-	<para>

-		An easy way to create the CA list is to append each trusted trusted CA

-		certificate in the PEM format to one file, e.g.:

-	    <programlisting>

-for f in trusted_cas/*.pem ; do cat "$f" >> ca_list.pem ; done 

-	    </programlisting>

-	</para>

-	<para>

-		See also

-		<emphasis>verify_certificate</emphasis>,

-		<emphasis>verify_depth</emphasis>,

-		<emphasis>require_certificate</emphasis> and

-		<emphasis>crl</emphasis>.

-	</para>

-	<example>

-	    <title>Set <varname>ca_list</varname> parameter</title>

-	    <programlisting>

-...

-modparam("tls", "ca_list", "/usr/local/etc/kamailio/ca_list.pem")

-...

-	    </programlisting>

-	</example>

-	</section>

-

-	<section id="tls.p.ca_path">

-	<title><varname>ca_path</varname> (str)</title>

-	<para>

-		Sets the path with the trusted CA files, to be given as parameter

-		SSL_CTX_load_verify_locations(). The certificates in ca_path are only

-		looked up when required, e.g. when building the certificate chain

-		or when actually performing the verification of a peer certificate. They

-		are not given to the client (not loaded to be provided to

-		SSL_CTX_set_client_CA_list()), only the ones in ca_list files are sent

-		to the client. It requires to use c_rehash to generate the hash map

-		for certificate search, for more see the manual of libssl for

-		SSL_CTX_load_verify_locations() function.

-	</para>

-	<para>

-		By default it is not set.

-	</para>

-	<example>

-	    <title>Set <varname>ca_path</varname> parameter</title>

-	    <programlisting>

-...

-modparam("tls", "ca_path", "/usr/local/etc/kamailio/ca")

-...

-	    </programlisting>

-	</example>

-	</section>

-

-	<section id="tls.p.crl">

-	<title><varname>crl</varname> (string)</title>

-	<para>

-		Sets the certificate revocation list (CRL) file name. This file contains a

-		list of revoked certificates. Any attempt to verify a revoked

-		certificate will fail.

-	</para>

-	<para>

-		If not set, no CRL list will be used.

-	</para>

-	<para>

-		If the file name starts with a '.' the path will be relative to the

-		working directory (<emphasis>at runtime</emphasis>). If it starts

-		with a '/' it will be an absolute path and if it starts with anything

-		else the path will be relative to the main config file directory

-		(e.g.: for kamailio -f /etc/kamailio/kamailio.cfg it will be relative to /etc/kamailio/).

-	</para>

-	<note><para>

-		If set, <varname>require_certificate</varname> should also be set

-		or it will not have any effect.

-	</para></note>

-	<para>

-		By default the CRL file name is not set.

-	</para>

-	<para>

-		To update the CRL in a running &kamailio;, make sure you configure TLS

-		via a separate TLS config file

-		(the <varname>config</varname> modparam) and issue a tls.reload

-		RPC call, e.g.:

-		<programlisting>

- $ &sercmd; tls.reload

-		</programlisting>

-	</para>

-	<para>

-		A quick way to create the CRL in PEM format, using OpenSSL is:

-		<programlisting>

- $ openssl ca -gencrl -keyfile cacert.key -cert cacert.pem -out my_crl.pem

-		</programlisting>

-		 my_crl.pem will contain the signed list of the revoked certificates.

-	</para>

-	<para>

-		To revoke a TLS certificate use something like:

-		<programlisting>

- $ openssl ca -revoke bad_cert.pem -keyfile cacert.key -cert cacert.pem

-		</programlisting>

-		and then refresh the crl file using the command above.

-	</para>

-	<para>

-		To display the CRL contents use:

-		<programlisting>

- $ openssl crl -in crl.pem -noout -text

-		</programlisting>

-	</para>

-	<para>

-		See also

-		<emphasis>ca_list</emphasis>,

-		<emphasis>verify_certificate</emphasis>,

-		<emphasis>verify_depth</emphasis> and

-		<emphasis>require_certificate</emphasis>.

-	</para>

-	<example>

-	    <title>Set <varname>crl</varname> parameter</title>

-	    <programlisting>

-...

-modparam("tls", "crl", "/usr/local/etc/kamailio/crl.pem")

-...

-	    </programlisting>

-	</example>

-	</section>

-

-<section id="tls.p.verify_certificate">

-	<title><varname>verify_certificate</varname> (boolean)</title>

-	<para>

-		If enabled it will force certificate verification when connecting to 

-		other SIP servers..

-		For more information see the

-		<ulink url="https://www.openssl.org/docs/manmaster/man1/verify.html">verify(1)</ulink>

-		OpenSSL man page.

-	</para>

-	<para>

-		Note: the certificate verification will always fail if the ca_list is empty.

-	</para>

-	<para>

-		See also: <varname>ca_list</varname>, <varname>require_certificate</varname>, <varname>verify_depth</varname>.

-	</para>

-	<para>

-		By default the certificate verification is off.

-	</para>

-	<example>

-	    <title>Set <varname>verify_certificate</varname> parameter</title>

-	    <programlisting>

-...

-modparam("tls", "verify_certificate", 1)

-...

-	    </programlisting>

-	</example>

-	</section>

-

-<section id="tls.p.verify_depth">

-	<title><varname>verify_depth</varname> (integer)</title>

-	<para>

-		Sets how far up the certificate chain will the certificate verification go in the search for a trusted CA.

-	</para>

-	<para>

-		See also: <varname>ca_list</varname>, <varname>require_certificate</varname>, <varname>verify_certificate</varname>,

-	</para>

-	<para>

-		The default value is 9.

-	</para>

-	<example>

-	    <title>Set <varname>verify_depth</varname> parameter</title>

-	    <programlisting>

-...

-modparam("tls", "verify_depth", 9)

-...

-	    </programlisting>

-	</example>

-	</section>

-

-<section id="tls.p.require_certificate">

-	<title><varname>require_certificate</varname> (boolean)</title>

-	<para>

-		When enabled &kamailio; will require a certificate from a client

-		connecting to the TLS port. If the client does not offer a certificate

-		and <varname>verify_certificate</varname> is on, certificate verification will fail.

-	</para>

-	<para>

-		The default value is off.

-	</para>

-	<example>

-	    <title>Set <varname>require_certificate</varname> parameter</title>

-	    <programlisting>

-...

-modparam("tls", "require_certificate", 1)

-...

-	    </programlisting>

-	</example>

-	</section>

-

-<section id="tls.p.cipher_list">

-	<title><varname>cipher_list</varname> (string)</title>

-	<para>

-		Sets the list of accepted ciphers. The list consists of cipher strings separated by colons.

-		For more information on the cipher list format see the

-		<ulink url="https://www.openssl.org/docs/manmaster/man1/ciphers.html">

-		cipher(1)</ulink> OpenSSL man page.

-	</para>

-	<para>

-		The default value is not set (all the OpenSSL supported ciphers are enabled).

-	</para>

-	<example>

-	    <title>Set <varname>cipher_list</varname> parameter</title>

-	    <programlisting>

-...

-modparam("tls", "cipher_list", "HIGH")

-...

-	    </programlisting>

-	</example>

-	</section>

-

-	<section id="tls.p.server_name">

-	<title><varname>server_name</varname> (string)</title>

-	<para>

-		Sets the Server Name Indication (SNI) value.

-	</para>

-	<para>

-		This is a TLS extension enabling one TLS server to serve multiple host

-		names with unique certificates.

-	</para>

-	<para>

-		The default value is empty (not set).

-	</para>

-	<example>

-	    <title>Set <varname>server_name</varname> parameter</title>

-	    <programlisting>

-...

-modparam("tls", "server_name", "kamailio.org")

-...

-	    </programlisting>

-	</example>

-	</section>

-

-	<section id="tls.p.connection_timeout">

-	<title><varname>connection_timeout</varname> (int)</title>

-	<para>

-		Sets the amount of time after which an idle TLS connection will be

-		closed, if no I/O ever occurred after the initial open. If an I/O event

-		occurs, the timeout will be extended with tcp_connection_lifetime.

-		The value is expressed in seconds.

-	</para>

-	<para>

-		The default value is 10 min.

-	</para>

-	<para>

-		If the value set is -1, the connection will never be close on idle.

-	</para>

-	<para>

-		This setting can be changed also at runtime, via the RPC interface and config

-		framework. The config variable name is

-		<emphasis>tls.connection_timeout</emphasis>.

-	</para>

-	<example>

-	    <title>Set <varname>connection_timeout</varname> parameter</title>

-	    <programlisting>

-...

-modparam("tls", "connection_timeout", 60)

-...

-	    </programlisting>

-	</example>

-	<example>

-		<title>Set <varname>tls.connection_timeout</varname> at runtime</title>

-		<programlisting>

- $ &sercmd; cfg.set_now_int tls connection_timeout 180

-		</programlisting>

-	</example>

-	</section>

-

-	<section id="tls.p.tls_disable_compression">

-	<title><varname>tls_disable_compression</varname> (boolean)</title>

-	<para>

-		If set compression over TLS will be disabled.

-		Note that compression uses a lot of memory (about 10x more then with

-		the compression disabled), so if you want to minimize

-		memory usage is a good idea to disable it. TLS compression also 

-		expose you for the 

- 		<ulink url="https://en.wikipedia.org/wiki/CRIME_(security_exploit)">

-		CRIME</ulink> security vulnerability.

-	</para>

-	<para>

-		By default TLS compression is disabled.

-	</para>

-	<example>

-	    <title>Set <varname>tls_disable_compression</varname> parameter</title>

-	    <programlisting>

-...

-modparam("tls", "tls_disable_compression", 0) # enable

-...

-	    </programlisting>

-	</example>

-	</section>

-

-

-<section id="tls.p.ssl_release_buffers">

-	<title><varname>ssl_release_buffers</varname> (integer)</title>

-	<para>

-		Release internal OpenSSL read or write buffers as soon as they are

-		no longer needed. Combined with

-		<varname>ssl_freelist_max_len</varname> has the potential of saving

-		a lot of memory ( ~ 32k per connection in the default configuration,

-		or 16k + <varname>ssl_max_send_fragment</varname>).

-		For &kamailio; versions > 3.0 it makes little sense to disable it (0)

-		since the tls module already has its own internal buffering.

-	</para>

-	<para>

-		A value of -1 would not change this option from its openssl default.

-		Use 0 or 1 for enable/disable.

-	</para>

-	<para>

-		By default the value is 1 (enabled).

-	</para>

-	<note>

-		<para>

-			This option is supported only for

-			OpenSSL versions >= <emphasis>1.0.0</emphasis>.

-			On all the other versions attempting

-			to change the default will trigger an error.

-		</para>

-	</note>

-	<example>

-	    <title>Set <varname>ssl_release_buffers</varname> parameter</title>

-	    <programlisting>

-modparam("tls", "ssl_release_buffers", 1)

-	    </programlisting>

-	</example>

-	</section>

-

-

-<section id="tls.p.ssl_freelist_max_len">

-	<title><varname>ssl_freelist_max_len</varname> (integer)</title>

-	<para>

-		Sets the maximum number of free memory chunks, that OpenSSL will keep

-		per connection. Setting it to 0 would cause any unused memory chunk

-		to be immediately freed, reducing the memory footprint. A too large

-		value would result in extra memory consumption.

-	</para>

-	<para>

-		Should be combined with <varname>ssl_release_buffers</varname>.

-	</para>

-	<para>

-		A value of -1 has a special meaning: the OpenSSL default will be used

-		(no attempt on changing the value will be made). For OpenSSL 1.0

-		the internal default is 32.

-	</para>

-	<para>

-		By default the value is 0 (no freelist).

-	</para>

-	<note>

-		<para>

-			This option is supported only for

-			OpenSSL versions >= <emphasis>1.0.0</emphasis>.

-			On all the other versions attempting

-			to change the default will trigger an error.

-		</para>

-	</note>

-	<example>

-		<title>Set <varname>ssl_freelist_max_len</varname> parameter</title>

-		<programlisting>

-modparam("tls", "ssl_freelist_max_len", 0)

-		</programlisting>

-	</example>

-	</section>

-

-

-<section id="tls.p.ssl_max_send_fragment">

-	<title><varname>ssl_max_send_fragment</varname> (integer)</title>

-	<para>

-		Sets the maximum number of bytes (from the clear text) sent into

-		one TLS record. Valid values are between 512 and 16384.

-		Note however that even valid low values might not be big enough to

-		allow a successful handshake (try minimum 1024).

-	</para>

-	<para>

-		Lower values would lead to less memory usage, but values lower then

-		the typical &kamailio; write size would incur a slight performance

-		penalty. Good values are bigger then the  size of the biggest

-		SIP packet one normally expects to forward. For example in most

-		setups 2048 would be a good value.

-	</para>

-	<note>

-		<para>

-			Values on the lower side, even if valid (> 512), might not allow

-			for a successful initial handshake. This happens if the

-			certificate does not fit inside one send fragment.

-			Values lower then 1024 should not be used.

-			Even with higher values, if the handshake fails,

-			try increasing the value.

-		</para>

-	</note>

-	<para>

-		A value of -1 has a special meaning: the OpenSSL default will be used

-		(no attempt on changing the value will be made).

-	</para>

-	<para>

-		By default the value is -1 (the OpenSSL default, which at least in

-		OpenSSL 1.0.0 is ~ 16k).

-	</para>

-	<note>

-		<para>

-			This option is supported only for

-			OpenSSL versions >= <emphasis>0.9.9</emphasis>.

-			On all the other versions attempting

-			to change the default will trigger an error.

-		</para>

-	</note>

-	<example>

-		<title>Set <varname>ssl_max_send_fragment</varname> parameter</title>

-		<programlisting>

-modparam("tls", "ssl_max_send_fragment", 4096)

-		</programlisting>

-	</example>

-	</section>

-

-

-<section id="tls.p.ssl_read_ahead">

-	<title><varname>ssl_read_ahead</varname> (boolean)</title>

-	<para>

-		Enables read ahead, reducing the number of internal OpenSSL BIO read()

-		calls. This option has only debugging value, in normal circumstances

-		it should not be changed from the default.

-	</para>

-	<para>

-		When disabled OpenSSL will make at least 2 BIO read() calls per

-		received record: one to get the record header and one to get the

-		rest of the record.

-	</para>