On 3/19/12 10:47 AM, Juha Heinanen wrote:
> Daniel-Constantin Mierla writes:
>
>> Is this by one ca_list only, or do you have many tls domains, each with
>> own profile?
>
> just a single ca_list and tls domain.  my tls.cfg looks like this:
>
> [client:default]
> verify_certificate = yes
> require_certificate = yes
> tls_method = TLSv1
> private_key = /etc/sip-proxy/certs/sip-proxy/key.pem
> certificate = /etc/sip-proxy/certs/sip-proxy/cert.pem
> #ca_list = /etc/sip-proxy/certs/demoCA/cert.pem
> ca_list = /etc/ssl/certs/ca-certificates.crt
>
> [server:default]
> verify_certificate = no
> require_certificate = no
> tls_method = SSLv23
> private_key = /etc/sip-proxy/certs/sip-proxy/key.pem
> certificate = /etc/sip-proxy/certs/sip-proxy/cert.pem
> #ca_list = /etc/sip-proxy/certs/demoCA/cert.pem
> ca_list = /etc/ssl/certs/ca-certificates.crt
>
> sending over tls works fine if i use line
>
> ca_list = /etc/sip-proxy/certs/demoCA/cert.pem
>
> where cert.pem contains just three ca certs one of them being cacert.org
> ca cert that i use in this test.

I guess it is loaded two times, for the server and client profiles. Try to set it via the dedicated module parameter and see if you get better memory usage:

http://kamailio.org/docs/modules/stable/modules/tls.html#ca_list

Overall, libssl and tls in general are known to be very greedy with memory. Maybe Andrei or Jan are available to write more details about it, as they implemented specific parts (also workarounds for libssl bugs) of the tls module.

For a heavily loaded tls sip server, a lot of memory is important.

Cheers,
Daniel

--
Daniel-Constantin Mierla
Kamailio Advanced Training, April 23-26, 2012, Berlin, Germany
http://www.asipto.com/index.php/kamailio-advanced-training/


_______________________________________________
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
sr-users@lists.sip-router.org
http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
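
Added example (not part of the original message, and not Kamailio code): a small audit of a tls.cfg like the one quoted above, reporting which profiles point at the same ca_list file and how many CA certificates that file holds. It assumes tls.cfg can be read as an INI file and takes the once-per-profile loading from the guess made in the reply; `audit_ca_lists` and `read_file` are hypothetical names, and the sample config and bundle are constructed.

```python
import configparser
from collections import defaultdict

PEM_BEGIN = "-----BEGIN CERTIFICATE-----"

# Constructed sample mirroring the tls.cfg quoted in the thread.
SAMPLE_TLS_CFG = """\
[client:default]
verify_certificate = yes
ca_list = /etc/ssl/certs/ca-certificates.crt

[server:default]
verify_certificate = no
#ca_list = /etc/sip-proxy/certs/demoCA/cert.pem
ca_list = /etc/ssl/certs/ca-certificates.crt
"""

def read_file(path):
    with open(path, encoding="ascii", errors="replace") as fh:
        return fh.read()

def audit_ca_lists(cfg_text, read=read_file):
    """Group TLS profiles by ca_list path and count PEM certs per bundle."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(cfg_text)  # '#' lines are treated as comments
    by_bundle = defaultdict(list)
    for section in parser.sections():
        ca_path = parser.get(section, "ca_list", fallback=None)
        if ca_path:
            by_bundle[ca_path].append(section)
    report = []
    for path, profiles in by_bundle.items():
        try:
            certs = read(path).count(PEM_BEGIN)
        except OSError:
            certs = None  # bundle missing or unreadable on this host
        # Assumption from the thread: the bundle is loaded once per profile.
        loads = None if certs is None else certs * len(profiles)
        report.append({"ca_list": path, "profiles": profiles,
                       "certs": certs, "cert_loads": loads})
    return report

if __name__ == "__main__":
    # Constructed stand-in for a system-wide bundle: 150 empty PEM markers.
    fake = {"/etc/ssl/certs/ca-certificates.crt": (PEM_BEGIN + "\n") * 150}
    for row in audit_ca_lists(SAMPLE_TLS_CFG, read=fake.__getitem__):
        print(row)
```

Run against the real tls.cfg with the default `read_file` to compare the system-wide bundle with a trimmed one such as the three-certificate demoCA file mentioned in the thread.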
