TLSA Module

Daniel-Constantin Mierla

   kamailio.org

   Copyright © 2021 kamailio.org
     __________________________________________________________________

   Table of Contents

   1. Admin Guide

        1. Overview

Chapter 1. Admin Guide

   Table of Contents

   1. Overview

1. Overview

   This is a pseudo module that builds TLS module compiled statically
   against libssl and libcrypto (from OpenSSL project). Its C code files
   simply include the files from TLS module, setting a different module
   name.

   It is a replacement for tls module, with the same modparams and
   functions. Just replace ' loadmodule "tls.so" ' with ' loadmodule
   "tlsa.so" ' and ' modparam("tls", ...) ' with ' modparam("tlsa", ...)
   '. See the docs of TLS module for all the details related to its
   parameters, functions, rpc commands, variables, ...

   The benefit of this module is having the libssl and libcrypto embedded
   in the module object file, thus not sharing the SSL/TLS context with
   any other modules that may link indirectly to libssl (e.g., like
   http_client that links against libcurl, which uses libssl). In this
   way, the initialization of SSL context (e.g., setting shared memory
   management functions) by tlsa module does not impact the other modules.

   Another benefit could be the ability to link a specific libssl version
   (e.g., using source build), not being bound to the version shipped with
   the operating system.

   The drawback is that updates to the libssl done via operating system
   upgrades are not reflected in the tlsa module. It has to be recompiled
   every time a new libssl version is installed and it is wanted to be
   used by tlsa module.

   NOTE: the module is known to work to be compiled with GCC on Linux
   (tested on Debian Stable 10.x). Other compilers (e.g., clang, icc) may
   not support same static linking options. Also, some operating systems
   may provide only dynamic libssl and libcrypto libraries via their
   packages.

   NOTE: edit the Makefile in the module folder and update it accordingly
   to set the path to libssl and libcrypto libraries specific to own
   system when not wanting to use "pkg-config" (e.g., when having these
   libraries compiled from sources).
