...
No Format |
---|
# ----------------- setting module-specific parameters ---------------
modparam("tls", "private_key", "/etc/certs/key.pem")
modparam("tls", "certificate", "/etc/certs/cert.pem")
modparam("tls", "ca_list", "/etc/certs/ca_list.pem")
modparam("tls", "require_certificate", 0)
modparam("tls", "verify_certificate", 1)
modparam("tls", "tls_method", "TLSv1")
#modparam("tls", "tls_method", "SSLv23")
modparam("tls", "tls_log", 2)
modparam("tls", "handshake_timeout", 10)
modparam("tls", "send_timeout", 10)
|
tls_log is a separate log-level control for TLS messages: if it is set to a value lower than the global debug value, the TLS log messages are printed.
Verification
No Format |
---|
modparam("tls", "require_certificate", 0)
modparam("tls", "verify_certificate", 1)
|
SER acting as TLS server always sends its own certificate.
Require=0 and Verify=0 is the weakest setting: it provides just an encrypted tunnel (as long as the cipher is not NULL) and no authentication of the peer at all.
Require=0 and Verify=1: if the TLS client provides a certificate, it is verified, but a SIP client without a certificate is still allowed to talk to SER. SER with this setting, when acting as TLS client, sends its certificate, so mutual authentication is possible. Lots of information, including the verification status of the client side, is exposed through the select framework.
SSL vs TLS
...
@tls select. See iptel.org tls module page.
By means of the @tls select you can, for example, authenticate clients with a client certificate. To do this at larger scale you need a mapping between the certificate CN and the SER UID.
@tls.peer.verified is very useful in conjunction with the Require=0 and Verify=1 setting. This way you can check whether the client presented a certificate and whether it was verified.
Require=1 and Verify=1 is the strongest setting: it forces the client to provide a certificate. If none is presented, the connection fails.
SSL vs TLS
No Format |
---|
modparam("tls", "tls_method", "TLSv1")
#modparam("tls", "tls_method", "SSLv23")
|
TLSv1 is the RFC 3261 compliant setting, but SSLv23 gives better compatibility with other implementations. If you are sure that your neighbours are set to TLSv1, use TLSv1. A TLSv1 client can connect to an SSLv23 server, but an SSLv23 client cannot talk to a TLSv1 server. Don't forget that during a call the opposite side may open a new TLS connection towards you, so the client and server roles can change mid-call and both directions have to work.
Eyebeam is TLSv1 capable, but e.g. the Linksys SPA 942 needs SSLv23.
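The Require=0/Verify=1 setting from the Verification section and the tls_method choice from this section, put together in one ser.cfg fragment with a route check on @tls.peer.verified. This is an added example, not from the original page or from the SER project's own sample configs. The modparam names and the @tls.peer.verified select are those the page refers to; the module paths, the listen line, the xlog module call and the %@ select expansion inside the xlog format string are assumptions and must be adapted to the installed SER version.

```cfg
# Added example (not from the original page): ser.cfg fragment for
# Require=0 / Verify=1 plus a script-level check of the peer certificate.
# Module paths, the listen line and the xlog call are assumptions.
loadmodule "/usr/lib/ser/modules/tls.so"
loadmodule "/usr/lib/ser/modules/xlog.so"

# ----------------- setting module-specific parameters ---------------
modparam("tls", "private_key", "/etc/certs/key.pem")
modparam("tls", "certificate", "/etc/certs/cert.pem")
modparam("tls", "ca_list", "/etc/certs/ca_list.pem")

# Require=0 / Verify=1: a client certificate is verified when offered,
# but clients without one are still allowed to connect.
modparam("tls", "require_certificate", 0)
modparam("tls", "verify_certificate", 1)

# TLSv1 is the RFC 3261 value; switch to SSLv23 only for neighbours that
# cannot do TLSv1 (the text names the Linksys SPA 942 as such a device).
modparam("tls", "tls_method", "TLSv1")
#modparam("tls", "tls_method", "SSLv23")

modparam("tls", "tls_log", 2)
modparam("tls", "handshake_timeout", 10)
modparam("tls", "send_timeout", 10)

# assumption: SIP over TLS on the standard port
listen=tls:0.0.0.0:5061

route {
    if (proto == TLS) {
        # With Require=0 the transport alone does not tell you whether the
        # peer is authenticated; the @tls.peer.verified select does.
        if (@tls.peer.verified == "1") {
            # Verified client certificate: record the CN so that it can be
            # mapped to a SER UID (assumption: xlog expands %@ selects).
            xlog("L_INFO", "TLS peer verified, CN=%@tls.peer.subject.cn\n");
        } else {
            # Encrypted but not authenticated at the TLS layer; a REGISTER
            # from such a client must still pass the usual digest auth.
            xlog("L_INFO", "TLS peer presented no verified certificate\n");
        }
    }
    # rest of the routing logic goes here
}
```

Before moving a neighbour from SSLv23 to TLSv1, test both directions: `openssl s_client -connect peer:5061 -tls1` from your side shows whether their server accepts a TLSv1-only client, and the same command run from their side towards you covers the connection they may open during the call.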
...
Sample config
Sample config without registration authentication and with TLS routing to domainB (the domainB routing is not necessary just for enabling TLS for clients)
...