[Devel] TLS setup

Bogdan-Andrei Iancu bogdan at voice-system.ro
Fri Oct 7 16:14:24 CEST 2005


Hi everybody,

finally the TLS proxy is up and running - just to remind what it was 
about ->
        http://www.openser.org/pipermail/users/2005-September/000953.html


The configuration is quite a simple one - it accepts requests 
exclusively over TLS and relays based on the RURI (keeping the TLS protocol).

server info: openser.org port 5061 - SRV record is also present.


The idea is to interconnect several domains via this TLS relay. If one 
of the interconnected servers has to deliver a request to another domain 
via TLS, it just has to relay it to the TLS proxy. Note that the proxy 
denies any local requests.

How to do the redirect from your script?
Before doing t_relay(), you may add something like:
    if ( uri=~".*@domain1.com" ||  uri=~".*@domain2.com") {
        avp_write("sip:openser.org;transport=tls","i:11");
        avp_pushto("$duri","i:11");
    }
Via DST_URI, the TLS protocol will be forced without affecting the RURI.

Normally this logic should be totally transparent via NAPTR lookup, but 
we do not have it in OpenSER yet.


Now, about the TLS part. The TLS proxy has both tls_verify and 
tls_require_certificate enabled. For certificates, there are two ways:
    1) generate your own root CA and certificate and send the CA to me to 
be added to the proxy (tools available on CVS in tls/tools)
    2) ask and I will provide a certificate signed with the proxy root CA.

TLS configuration on your side:
    tls_certificate="path/cert.pem"
    tls_private_key="path/privkey.pem"
    tls_ca_list="path/calist.pem"
    tls_verify=on
    tls_require_certificate=on
    listen=tls:xxx.xxx.xxx.xxx
    tls_port_no=5061

For any additional hints about TLS, please see the tutorial 
http://www.openser.org/docs/tls

People interested in interconnection, please join (just let me know 
which way you prefer for certificates).
The first domain connected to the proxy is siphub.net - it's a local 
platform we are using.

regards,
bogdan


PS: if there are people interested in testing SIP UAs with TLS, let me 
know and I can add registrar support. Also, if somebody has ideas on how to 
enhance the proxy config, feel free....
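Added example for option 1 above (not part of the original post, and not the tls/tools scripts it mentions): a small POSIX shell script that builds a private root CA, issues a server certificate signed by it, and produces the three files the quoted tls_certificate / tls_private_key / tls_ca_list settings expect. It then checks that the certificate really chains to the CA list and that the private key matches the certificate, which is worth doing before pointing openser at the files. It assumes the openssl command-line tool is installed; the hostname sip.example.com and the output directory ./tls-demo are placeholders. Because the proxy runs with tls_verify and tls_require_certificate, the peer is authenticated too, so the certificate is marked for both serverAuth and clientAuth.

```shell
#!/bin/sh
# Added example: generate a root CA and a CA-signed server certificate with
# openssl, then sanity-check them. Not the project's own tooling.
# Assumptions: openssl CLI present; hostname and paths are placeholders.
set -eu

# make_tls_material OUTDIR HOSTNAME
# Produces OUTDIR/ca.pem, cakey.pem, cert.pem, privkey.pem, calist.pem.
make_tls_material() {
    out="$1"    # directory for the generated files
    host="$2"   # CN and DNS SAN of the server certificate
    mkdir -p "$out"

    # 1. Root CA: self-signed, with its own key. cakey.pem stays private;
    #    only the public ca.pem (as calist.pem) is shared with peers.
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -subj "/O=Example SIP/CN=Example SIP Root CA" \
        -keyout "$out/cakey.pem" -out "$out/ca.pem"

    # 2. Server key and certificate signing request.
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/O=Example SIP/CN=$host" \
        -keyout "$out/privkey.pem" -out "$out/server.csr"

    # 3. Sign the CSR with the root CA. The extension file adds a DNS SAN
    #    (modern verifiers ignore CN) and allows the cert to be used on
    #    both sides of a mutually authenticated TLS connection.
    printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth,clientAuth\n' \
        "$host" > "$out/ext.cnf"
    openssl x509 -req -in "$out/server.csr" -sha256 -days 365 \
        -CA "$out/ca.pem" -CAkey "$out/cakey.pem" -CAcreateserial \
        -extfile "$out/ext.cnf" -out "$out/cert.pem"

    # 4. tls_ca_list: the trust anchors a peer's certificate must chain to.
    #    Append other sites' root CAs here when interconnecting with them.
    cp "$out/ca.pem" "$out/calist.pem"
    rm -f "$out/server.csr" "$out/ext.cnf"
}

# check_chain OUTDIR: exit 0 only if cert.pem chains to calist.pem.
check_chain() {
    openssl verify -CAfile "$1/calist.pem" "$1/cert.pem"
}

# check_key_matches OUTDIR: exit 0 only if privkey.pem belongs to cert.pem
# (compares the public key embedded in each, in PEM form).
check_key_matches() {
    a=$(openssl x509 -in "$1/cert.pem" -noout -pubkey)
    b=$(openssl pkey -in "$1/privkey.pem" -pubout)
    [ "$a" = "$b" ]
}

# Stand-alone run with placeholder values (override via environment).
TLS_OUT="${TLS_OUT:-./tls-demo}"
TLS_HOST="${TLS_HOST:-sip.example.com}"
make_tls_material "$TLS_OUT" "$TLS_HOST"
check_chain "$TLS_OUT"
check_key_matches "$TLS_OUT"
echo "ok: use $TLS_OUT/cert.pem, $TLS_OUT/privkey.pem, $TLS_OUT/calist.pem"
```

After running it, the tls_* lines quoted above point at cert.pem, privkey.pem and calist.pem from the output directory; ca.pem is what you would send to the proxy operator under option 1. A live check against the proxy (not run here, needs the network) is `openssl s_client -connect openser.org:5061 -cert cert.pem -key privkey.pem -CAfile calist.pem`, which should report a verified chain and complete the handshake only if both sides accept each other's certificates.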

