Re: [sr-dev] [kamailio/kamailio] [WIP] tls: add support for OpenSSL engine and private keys in HSM (#1484)

2018-04-09 Thread aalba6675
Thanks will squash and merge. -- You are receiving this because you are subscribed to this thread. Reply to this email directly or view it on GitHub: https://github.com/kamailio/kamailio/pull/1484#issuecomment-379719270___ Kamailio (SER) - Development

Re: [sr-dev] [kamailio/kamailio] [WIP] tls: add support for OpenSSL engine and private keys in HSM (#1484)

2018-04-09 Thread Daniel-Constantin Mierla
OK, thanks for all those details! I guess this can be merged if nobody else has comments.

Re: [sr-dev] [kamailio/kamailio] [WIP] tls: add support for OpenSSL engine and private keys in HSM (#1484)

2018-04-04 Thread Henning Westerholt
* About the question: "The files tls_map.{c,h} seems to be imported from external source, being under MIT license. tls module seems to be under BSD, anyone knows if there is any conflict between the two or something needs to be mentioned in the README of the tls module?"

Re: [sr-dev] [kamailio/kamailio] [WIP] tls: add support for OpenSSL engine and private keys in HSM (#1484)

2018-04-04 Thread aalba6675
1. Yes - HSM private keys are stored in worker local memory and are not referenced in old structures during SIP connections. We make one reference during mod_child: we install it into the shmem SSL_CTX structure once (proc_no == 0) just to check that the private key corresponds to the cert;

Re: [sr-dev] [kamailio/kamailio] [WIP] tls: add support for OpenSSL engine and private keys in HSM (#1484)

2018-04-04 Thread Daniel-Constantin Mierla
Just to confirm I haven't missed something -- the private keys stored in worker-local memory refer to keeping them in the map structure you introduced with the new files tls_map.{c,h}. They are not referenced from old structures of the tls module, right? I see that the define conditions are on

Re: [sr-dev] [kamailio/kamailio] [WIP] tls: add support for OpenSSL engine and private keys in HSM (#1484)

2018-03-29 Thread Henning Westerholt
@miconda - did you have time to do a review as well? https://github.com/kamailio/kamailio/pull/1484#issuecomment-377367096

Re: [sr-dev] [kamailio/kamailio] [WIP] tls: add support for OpenSSL engine and private keys in HSM (#1484)

2018-03-24 Thread aalba6675
Packaging is here: stretch: https://packages.debian.org/stretch/softhsm2

Re: [sr-dev] [kamailio/kamailio] [WIP] tls: add support for OpenSSL engine and private keys in HSM (#1484)

2018-03-24 Thread Olle E. Johansson
https://www.opendnssec.org/softhsm/ is a software based HSM. https://github.com/kamailio/kamailio/pull/1484#issuecomment-375887257

Re: [sr-dev] [kamailio/kamailio] [WIP] tls: add support for OpenSSL engine and private keys in HSM (#1484)

2018-03-24 Thread Henning Westerholt
Thank you for the detailed explanation, I understand the problem now. Then indeed you need a solution like you implemented. With regards to testing, is there a way to test it also without a HSM module, or does something like a software "HSM" for testing exist? @miconda Understood - this is a quite

Re: [sr-dev] [kamailio/kamailio] [WIP] tls: add support for OpenSSL engine and private keys in HSM (#1484)

2018-03-23 Thread aalba6675
Thanks for the comments - I have replaced malloc/free in the mapping utilities with `pkg_malloc()/pkg_free()`. Re: "I did not fully understand why you need this here, maybe you can elaborate a bit on the requirements of the HSM child_init." Background: For soft keys, we initialize the SSL_CTX

Re: [sr-dev] [kamailio/kamailio] [WIP] tls: add support for OpenSSL engine and private keys in HSM (#1484)

2018-03-23 Thread aalba6675
@aalba6675 pushed 1 commit. c802024 tls: use pkg_* functions https://github.com/kamailio/kamailio/pull/1484/files/956d0f72a970ce7c826e394c9d1431da6f167b36..c802024442fd8c3ec5190382e84430d4dd4260a0

Re: [sr-dev] [kamailio/kamailio] [WIP] tls: add support for OpenSSL engine and private keys in HSM (#1484)

2018-03-23 Thread Daniel-Constantin Mierla
@henningw - thanks for your review and work here! I wrote it more from the perspective that I want to do also a deep review, because tls has some complexity in handling all those per server attributes and I would prefer not to break (if possible!!!). Somehow it was triggered by the reference in

Re: [sr-dev] [kamailio/kamailio] [WIP] tls: add support for OpenSSL engine and private keys in HSM (#1484)

2018-03-23 Thread Henning Westerholt
Sorry for the late reply, was yesterday pretty busy as well. Generally speaking, these are the different approaches that modules use for data access in kamailio child processes: * all children need access to one shared data structure: Create one global structure in mod_init in

Re: [sr-dev] [kamailio/kamailio] [WIP] tls: add support for OpenSSL engine and private keys in HSM (#1484)

2018-03-22 Thread aalba6675
@aalba6675 pushed 1 commit. 064689c tls: add documentation for engine params

Re: [sr-dev] [kamailio/kamailio] [WIP] tls: add support for OpenSSL engine and private keys in HSM (#1484)

2018-03-22 Thread aalba6675
The feature set is generally complete now with the last commit. Just leaving the documentation of the directives TODO * support for OpenSSL engine and HSM keys for TLS server and client domains * HSM private keys are stored in worker-local memory - probably this is the most intrusive change;

Re: [sr-dev] [kamailio/kamailio] [WIP] tls: add support for OpenSSL engine and private keys in HSM (#1484)

2018-03-22 Thread aalba6675
@aalba6675 pushed 1 commit. 5d5aae2 tls/tls_server.c: add HSM key support in outbound connections

Re: [sr-dev] [kamailio/kamailio] [WIP] tls: add support for OpenSSL engine and private keys in HSM (#1484)

2018-03-21 Thread aalba6675
@aalba6675 pushed 1 commit. 6966c9f proof-of-concept: implement process-local storage for HSM keys