On 09/01/16 01:12, Juha Heinanen wrote:
> Juha Heinanen writes:
>
>> I just tried by replacing ca_list file of my proxy (that contained ca
>> certs of my peers) with a single bogus ca cert. Then I executed tls.cfg
>> and made a call from one of the peers to my proxy. My proxy still
>> recognized the call as coming from the peer based on its tls common
>> name. My understanding is that this should not have been possible if
>> the cached ca_list of my proxy would have been updated.
> It turned out that the old tls connection from the peer to my proxy was
> still alive. After terminating the connection, a new connection setup
> was correctly refused.
>
> So looks like certs can be reloaded on the fly. I'll try later with
> client and server certs.

OK, added some notes in the docs about it.

Cheers,
Daniel

--
Daniel-Constantin Mierla
http://twitter.com/#!/miconda - http://www.linkedin.com/in/miconda
Book: SIP Routing With Kamailio - http://www.asipto.com
http://miconda.eu

_______________________________________________
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
sr-users@lists.sip-router.org
http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users