...

We enable end-users of domain A to communicate with end-users in domain B: the call goes from the user's home proxy to the proxy of domain B. All connections use TLS:

      User Agent A  ->  proxy domainA 

Prerequisites (OS, dependencies on other software)

  • Debian 4r14r0
  • OpenSER version 1.2 with tls

Configuration  

OpenSER proxy configuration:

...


  • If TLS support is not included in your installation, get OpenSER 1.2 with TLS. This example uses the source code at http://www.openser.org/pub/openser/latest/src/openser-1.2.0-tls_src.tar.gz
  • Carefully observe the installation notes: http://www.openser.org/mos/view/-OpenSER-Installation-Notes/
  • Special care should be taken to install the packages:
      • mysql-server
      • libmysqlclient-dev
      • libssl0.9.8-dev
  • Make sure you build openser including TLS. There are several options, like changing the line in the makefile to the following:
    TLS=1
    and that you include mysql support:
    make all include_modules="mysql"
    make install
  • Note that the compiled version puts openser in a different directory compared to the openser package. The config file is in
    /usr/local/etc/openser/openser.cfg
    and the modules are in
    /usr/local/lib/openser/modules
    and the certificate information is in
    /usr/local/etc/openser/tls/user 
  • run mysqldb.sh to create the database
  • add the certificate chain of the other proxy in PEM format to the CA list file in /usr/local/etc/openser/user/user-calist.pem. You can open the file in a text editor and add the certificate string at the end of the file.
  • add routing logic in the openser.cfg file:

        # check for requests targeted out of our domain
        if (!uri==myself) {
                # mark routing logic in request
                append_hf("P-hint: outbound\r\n");
                # destination DomainA
                if(uri=~"@domainA.net") {
                        t_relay("tls:sipserver.domainA.net:5061");
                        xlog("L_INFO", "Time [%Tf] Route to ces.net :%rm RURI:%ru  FROM:%fu TO:%tu \n buffer %mb \n flags \n %mf \n");
                        exit;
                }
                route(1);
        };
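To make the routing decision above concrete, here is an added Python model of that route block (example code, not part of the page or of OpenSER): it parses the Request-URI of a constructed SIP request, hands requests for our own domain to the local route, and marks everything else with the P-hint header before picking the TLS relay target. The domain names, the "myself" set and the sample messages are assumptions; one deliberate difference is that the host is compared exactly, whereas the page's `uri=~"@domainA.net"` is an unanchored regex match.

```python
import re

# Constructed values mirroring the openser.cfg snippet: this proxy serves domain B
MY_DOMAINS = {"domainb.net"}
TLS_PEERS = {"domaina.net": "tls:sipserver.domainA.net:5061"}

# host part of a sip:/sips: URI, user part optional, port/params/brackets stripped
URI_RE = re.compile(r"^sips?:(?:[^@>]+@)?([^:;>\s]+)")

def request_uri_host(sip_message: str) -> str:
    """Return the lower-cased host of the Request-URI of a raw SIP request."""
    request_line = sip_message.split("\r\n", 1)[0]
    parts = request_line.split()
    if len(parts) != 3 or not parts[2].startswith("SIP/2.0"):
        raise ValueError("not a SIP request line: %r" % request_line)
    match = URI_RE.match(parts[1])
    if not match:
        raise ValueError("cannot parse Request-URI: %r" % parts[1])
    return match.group(1).lower()

def route_request(sip_message: str):
    """Model of the page's route block. Returns (decision, message) where
    decision is "local" (uri==myself, i.e. route(1) without marking),
    a TLS relay target (t_relay(...)), or "default" (falls through to route(1))."""
    host = request_uri_host(sip_message)
    if host in MY_DOMAINS:
        return "local", sip_message
    # append_hf("P-hint: outbound\r\n"): add the header after the existing ones
    headers, _, body = sip_message.partition("\r\n\r\n")
    marked = headers + "\r\nP-hint: outbound\r\n\r\n" + body
    return TLS_PEERS.get(host, "default"), marked

# Constructed sample requests (not captured traffic)
SAMPLE_OUTBOUND = ("INVITE sip:bob@domainA.net SIP/2.0\r\n"
                   "From: <sip:alice@domainB.net>;tag=1\r\nTo: <sip:bob@domainA.net>\r\n"
                   "Call-ID: c1\r\nCSeq: 1 INVITE\r\nContent-Length: 0\r\n\r\n")
SAMPLE_LOCAL = SAMPLE_OUTBOUND.replace("sip:bob@domainA.net SIP/2.0",
                                       "sip:carol@domainB.net:5061;transport=tls SIP/2.0")
SAMPLE_LOOKALIKE = SAMPLE_OUTBOUND.replace("sip:bob@domainA.net SIP/2.0",
                                           "sip:bob@domainA.net.example SIP/2.0")

if __name__ == "__main__":
    for msg in (SAMPLE_OUTBOUND, SAMPLE_LOCAL, SAMPLE_LOOKALIKE):
        print(request_uri_host(msg), "->", route_request(msg)[0])
```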

...

Test

Make sure that the certificate chain (CA list) is installed on the UA. For instance, when using Eyebeam 1.5 under MS Windows, import the chain (in PEM format with file extension .cer) into the windows certificate store by double clicking.

Configure a UA to use TLS. Under MS Windows, good examples are Eyebeam 1.5 or Phoner. Make sure to choose 'TLS' as the protocol in the settings and register with the proxy. Use the diagnostic tools of the UA to see if any problems occur. Common problems are:

  • Invalid TLS version: though TLS 1.0 should be used according to the SIP RFC, TLS 2/3 is supported by both proxies and UAs
  • Client certificate verification should be disabled
  • CA certificate cannot be verified
  • Common name of the server certificate does not match DNS name of the server


OS specific help

Reminder: this example is based on a compiled version of openSER where the config is in /usr/local/etc/openser and the certificates are in /usr/local/etc/openser/tls/user, which might differ when installed from packages.