Juha Heinanen writes:

> I just tried by replacing ca_list file of my proxy (that contained ca
> certs of my peers) with a single bogus ca cert. Then I executed tls.cfg
> and made a call from one of the peers to my proxy. My proxy still
> recognized the call as coming from the peer based on its tls common
> name. My understanding is that this should not have been possible if
> the cached ca_list of my proxy would have been updated.

It turned out that the old tls connection from the peer to my proxy was still alive. After terminating the connection, a new connection setup was correctly refused. So looks like certs can be reloaded on the fly. I'll try later with client and server certs.

-- Juha

_______________________________________________
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
sr-users@lists.sip-router.org
http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users