Re: [reSIProcate-users] [repro-users] v1.9.0~rc1 Release Candidate available
On 22/01/14 21:47, Miguel Rios wrote:
> Ok, the webadmin is working fine now with the default admin user.
>
> Re the certificates, I'm still not really sure what's going on. I'm not
> connecting from a browser but from an Android SIP client, and I have disabled
> checking client certificates in repro. The problem seems to lie solely server
> side.
>
> I have disabled loading the standard Debian CA certs directory in
> /etc/ssl/certs by commenting out "CADirectory =" in repro.config.
> Instead I placed the startssl_trust_chain.pem in /etc/ssl/certs and I enabled
> it in CAFile = /etc/ssl/certs/startssl_trust_chain.pem.
>
> I still get the annoying "ssl/TlsConnection.cxx:418 | Got TLS read ret=0
> error=5 error:00000005:lib(0):func(0):DH lib - intermediate certificates may
> be missing from local PEM file" message. Hopefully it is harmless as you seem
> to indicate, although any certificate errors to me are usually a warning sign
> something is seriously wrong. However I do notice that sometimes calls fail
> and the client just hangs until I forcibly shut it down. I'll keep you posted
> if it happens again.
>
> I think the SSL/TLS handling in repro is way too confusing. You have many
> different configuration options, some of them apparently redundant, and the
> need to handle legacy naming conventions only adds to the confusing
> landscape. I suggest you think about keeping it simple by having just the
> usual cert file, private key, (optional private pass) and CA file options
> present. Just my 2 cents.
>
I'm the one responsible for adding in the new options
(TransportXTlsCertificate = XXX, etc.).
When I added that, I didn't remove any of the legacy stuff because I
don't really know who is using it.
It is a good topic for discussion for a future release. Now that we
have a JSON parser, I was thinking that maybe repro can have a config
file written in JSON. This would be useful for arrays of settings, such
as the transport config.