
# Lists the module set the build would compile once the tls module is added
# to the "standard" module group (print-modules reports the selection instead
# of building it).
make include_modules="tls" group_include="standard" print-modules

Configuration  

Edit your ser.cfg.
Enable TLS and define the address and port on which TLS will listen.


# ----------- global configuration parameters ------------------------
# Turn on the TLS transport and bind a TLS listener. 5061 is the standard
# SIPS port; replace 1.2.3.4 with the address clients and peers actually reach.
enable_tls=yes
listen=tls:1.2.3.4:5061

Load the module


# ------------------ module loading ----------------------------------
# The tls module provides the TLS transport; its settings are given with
# modparam("tls", ...). Adjust the path if modules are installed elsewhere.
loadmodule "/usr/local/lib/ser/modules/tls.so"

Set the parameters


# ----------------- setting module-specific parameters ---------------
# Key material: the proxy's private key, its certificate and the CA bundle
# used to validate peer certificates. Keep key.pem readable only by the
# account SER runs as.
modparam("tls", "private_key", "/etc/certs/key.pem")
modparam("tls", "certificate", "/etc/certs/cert.pem")
modparam("tls", "ca_list", "/etc/certs/ca_list.pem")

# Peer certificates are not mandatory (require_certificate=0), but one that
# is presented is validated against ca_list (verify_certificate=1). Set
# require_certificate to 1 if only peers with a trusted certificate may connect.
modparam("tls", "require_certificate", 0)
modparam("tls", "verify_certificate", 1)

# Protocol version: TLSv1 pins TLS 1.0; SSLv23 would allow negotiation down
# to the older SSL versions. Check the installed module's documentation for
# the accepted tls_method values before moving to a newer TLS version.
modparam("tls", "tls_method", "TLSv1")
#modparam("tls", "tls_method", "SSLv23")

# Module log verbosity and the handshake / send timeouts (units per the
# module documentation — presumably seconds; confirm).
modparam("tls", "tls_log", 2)
modparam("tls", "handshake_timeout", 10)
modparam("tls", "send_timeout", 10)

Verification


# A peer certificate is requested but not mandatory (require_certificate=0);
# one that is presented is validated against the configured CA list
# (verify_certificate=1). With this combination a peer that sends no
# certificate is still accepted; set require_certificate to 1 to reject it.
modparam("tls", "require_certificate", 0)
modparam("tls", "verify_certificate", 1)

SSL vs TLS


# TLSv1 pins the protocol to TLS 1.0. The commented SSLv23 setting lets the
# peer negotiate the older SSL versions as well and is generally avoided.
# Check the installed module's documentation for the accepted tls_method
# values before moving to a newer TLS version.
modparam("tls", "tls_method", "TLSv1")
#modparam("tls", "tls_method", "SSLv23")

Sample config without registration authentication and with TLS routing to domainB (not necessary for enabling TLS for clients)

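# ----------- global configuration parameters ------------------------

debug=3         # debug level (cmd line: -dddddddddd)
#memdbg=10 # memory debug message level
#memlog=10 # memory statistics log level
log_facility=LOG_LOCAL0 # sets the facility used for logging (see syslog(3))

/* Uncomment these lines to enter debugging mode 
fork=no
log_stderror=yes
*/

check_via=no    # (cmd. line: -v)
dns=no          # (cmd. line: -r)
rev_dns=no      # (cmd. line: -R)
#port=5060
children=2
# in production run as a dedicated unprivileged account rather than the
# account that started the daemon
#user=ser
#group=ser
#disable_core=yes #disables core dumping
#open_fd_limit=1024 # sets the open file descriptors limit
#mhomed=yes  # useful for multihomed hosts, small performance penalty
#disable_tcp=yes
#tcp_accept_aliases=yes # accepts the tcp alias via option (see NEWS)

enable_tls=yes

alias=domainA

listen=tcp:1.2.3.4:5060
listen=udp:1.2.3.4:5060
# TLS listener on 5061, the standard SIPS port (the same port the
# t_relay_to_tls() call in the routing logic targets). The port was
# previously truncated to ":50".
listen=tls:1.2.3.4:5061

# ------------------ module loading ----------------------------------

loadmodule "/usr/local/lib/ser/modules/sl.so"
loadmodule "/usr/local/lib/ser/modules/tm.so"
loadmodule "/usr/local/lib/ser/modules/rr.so"
loadmodule "/usr/local/lib/ser/modules/textops.so"
loadmodule "/usr/local/lib/ser/modules/maxfwd.so"
loadmodule "/usr/local/lib/ser/modules/usrloc.so"
loadmodule "/usr/local/lib/ser/modules/registrar.so"
loadmodule "/usr/local/lib/ser/modules/ctl.so"
loadmodule "/usr/local/lib/ser/modules/tls.so"
loadmodule "/usr/local/lib/ser/modules/xlog.so"

# ----------------- setting module-specific parameters ---------------

# -- usrloc params --
# use memory: registrations are not persisted and are lost on restart
modparam("usrloc", "db_mode",   0)

# -- rr params --
# add value to ;lr param to make some broken UAs happy
modparam("rr", "enable_full_lr", 1)

# ctl params
# by default ctl listens on unixs:/tmp/ser_ctl if no other address is
# specified in modparams; this is also the default for sercmd.
# Both control sockets live in the shared /tmp directory; whoever can
# write to them can issue management commands, so make sure their
# ownership/permissions limit that to the intended administrators.
modparam("ctl", "binrpc", "unixs:/tmp/ser_ctl")
# listen on the "standard" fifo for backward compatibility
modparam("ctl", "fifo", "fifo:/tmp/ser_fifo")
# listen on tcp, localhost
#modparam("ctl", "binrpc", "tcp:localhost:2046")


# -- tls params --
# key material: the proxy's private key, the CA bundle used to validate
# peer certificates, and the proxy's own certificate. Keep key.pem
# readable only by the account SER runs as.
modparam("tls", "private_key", "/etc/certs/key.pem")
modparam("tls", "ca_list", "/etc/certs/ca_list.pem")
modparam("tls", "certificate", "/etc/certs/cert.pem")
# module log verbosity and the handshake / send timeouts (units per the
# module documentation — presumably seconds; confirm)
modparam("tls", "tls_log", 2)
modparam("tls", "handshake_timeout", 10)
modparam("tls", "send_timeout", 10)

# peer certificates are not mandatory (require_certificate=0); one that is
# presented is validated against ca_list (verify_certificate=1). A peer that
# sends no certificate is still accepted; set require_certificate to 1 if
# only peers with a trusted certificate may connect.
modparam("tls", "require_certificate", 0)
modparam("tls", "verify_certificate", 1)
# TLSv1 pins TLS 1.0; SSLv23 would allow negotiation down to the older SSL
# versions. Check the installed module for the accepted tls_method values
# before moving to a newer TLS version.
modparam("tls", "tls_method", "TLSv1")
#modparam("tls", "tls_method", "SSLv23")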


# -------------------------  request routing logic -------------------

# main routing logic

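route{

	# initial sanity checks -- messages with
	# max_forwards==0, or excessively long requests
	if (!mf_process_maxfwd_header("10")) {
		sl_reply("483","Too Many Hops");
		break;
	}
	# 513 is the SIP "Message Too Large" response; the previous "1024" is
	# not a valid three-digit status code
	if (msg:len >=  max_len ) {
		sl_reply("513", "Message too big");
		break;
	}

	# log the certificate identities seen on TLS requests;
	# %@tls.peer.verified tells whether the peer certificate passed
	# verification (with require_certificate=0 a peer may present none)
	if (proto==TLS) {
		xlog("L_INFO","TLS Method: %rm RURI: %ru, TLSmy : %@tls.my.subject TLSpeer : %@tls.peer.subject %@tls.peer.issuer verified: %@tls.peer.verified  \n  ");
	}

	# stay in the signalling path of dialogs we set up
	if (!method=="REGISTER") record_route();

	# subsequent messages within a dialog should take the
	# path determined by record-routing
	if (loose_route()) {
		# mark routing logic in request
		append_hf("P-hint: rr-enforced\r\n");
		route(FORWARD);
		break;
	}

	# requests for foreign domains are relayed without any authentication
	# (this sample has no registration/request auth); restrict this branch
	# before exposing the proxy to untrusted networks
	if (!uri==myself) {
		# mark routing logic in request
		append_hf("P-hint: outbound\r\n");

		# route domainB over TLS.
		# NOTE: the regex is an unanchored substring match, so any URI whose
		# host merely begins with "domainB" also matches; tighten it to the
		# exact host(s) meant to be routed here.
		if (uri=~".*@domainB") {
			if (t_relay_to_tls("sip.domainB","5061")) {
				xlog("L_INFO","TLS DomainB Method: %rm RURI: \n  ");
			} else {
				sl_reply_error();
			}
			break;
		}
		route(FORWARD);
		break;
	}

	# if the request is for our domain use UsrLoc
	# (in case, it does not work, use the following command
	# with proper names and addresses in it)
	if (uri==myself) {

		# registrations are stored unauthenticated (see the sample's caption)
		if (method=="REGISTER") {
			save_contacts("location");
			break;
		}

		# native SIP destinations are handled using our USRLOC DB
		if (!lookup_contacts("location")) {
			sl_reply("404", "Not Found");
			break;
		}
		append_hf("P-hint: usrloc applied\r\n");
	}
	route(FORWARD);
}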

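route[FORWARD]
{
	# send it out now; use stateful forwarding as it works reliably
	# even for UDP2TCP.
	# (a stray "}" that closed this route before the t_relay() call has
	# been removed; it left the if-statement outside any route block)
	if (!t_relay()) {
		sl_reply_error();
	}
}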


OS specific help

Validation, confirmation tests
