Goal

Route inter-domain SIP sessions over a TLS-encrypted link between a SER proxy and an OpenSER proxy.

Applicability

Inter-domain SIP routing over TLS. End-users of domain A reach end-users of domain B through their home proxy, which forwards the session to the proxy of domain B. Every hop uses TLS:

      User Agent A   ->   proxy domainA   ->   proxy domainB   ->   User Agent B

Prerequisites

  • TLS is enabled for the SER proxy: see 3.165.1. TLS for SER (UA-Proxy)
  • TLS is enabled for the OpenSER proxy: see 3.5.172. TLS for OpenSER (UA-Proxy)
  • A PKI certificate for each proxy whose CN field (or a subjectAltName dNSName entry) carries the full DNS name of that SIP proxy (in this example "sipserver.domainA.net"), together with the corresponding certificate chain. The example certificates shipped with a default (Open)SER installation must not be used: they are the same on every installation and cannot be trusted.

Configuration  

If both proxies have TLS enabled and the clients let you use the sips: URI scheme, no special routing logic is needed in the cfg. It can even work when the client itself does not use TLS (EyeBeam -TCP-> outbound SER -TLS-> SER -??-> client).
Remember that TLS is hop-by-hop only: a sips: URI or a TLS link on one hop says nothing about the next hop, which may fall back to TCP or UDP.
To be sure, or to pin the TLS peers explicitly, do the following:

Note: encryption only, no mutual authentication

If encrypting the SIP messages is enough for you and no mutual verification of the servers is needed, you can set:
tls_verify_server = 0
With verification off the peer's certificate is not checked against the CA list, so the link is protected against passive eavesdropping only; an on-path attacker presenting any certificate can terminate the TLS session and read or alter the traffic. Leave verification enabled (tls_verify_server = 1) whenever you can install the peer's certificate chain as described below.

OpenSER proxy configuration:

  • add the certificate chain of the other proxy in PEM format to the CA list file in
    /usr/local/etc/openser/user/user-calist.pem
    You can open the file in a text editor and append the certificate text at the end, or run cat certfile >> calist
  • add routing logic in the openser.cfg file:
        # check for requests targeted outside our domain
        if (!uri==myself) {
                # mark routing logic in request
                append_hf("P-hint: outbound\r\n");
                # destination domainA: relay over TLS to its proxy on port 5061.
                # The dot is matched literally and the host is anchored, so that
                # user@domainA.net.example.org is not sent to the peer.
                if (uri=~"@domainA[.]net($|[:;?])") {
                        t_relay("tls:sipserver.domainA.net:5061");
                        xlog("L_INFO", "Time [%Tf] Route to domainA.net: %rm RURI:%ru FROM:%fu TO:%tu\n buffer %mb\n flags %mf\n");
                        exit;
                }
                route(1);
        };
  • restart openser:
    # openserctl restart

SER proxy configuration:

  • add the certificate chain of the other proxy in PEM format to the CA list file configured for your SER instance.
    You can open the file in a text editor and append the certificate text at the end, or run cat certfile >> calist
  • add routing logic in the ser.cfg file:
        if (!uri==myself) {
                # mark routing logic in request
                append_hf("P-hint: outbound\r\n");

                # route domainB over TLS to its proxy on port 5061.
                # The host is anchored so that user@domainB.example.org is not matched.
                if (uri=~"@domainB($|[:;?])") {
                        if (t_relay_to_tls("sip.domainB", "5061")) {
                                xlog("L_INFO", "TLS DomainB Method: %rm RURI: %ru\n");
                        } else {
                                sl_reply_error();
                        }
                        break;
                }
                route(FORWARD);
                break;
        }
  • restart ser

SIP vs SIPS

If you want to test sips: versus sip: behaviour with defined TLS peers, try a routing rule like this:

                if (uri=~"^sip:.*@domainB($|[:;?])") {
                        if (t_relay_to_tls("domainB", "5061")) {
                                xlog("L_INFO", "TLS message to domainB\n");
                        } else {
                                sl_reply_error();
                        }
                        break;
                }

This rule matches only sip: URIs. Requests with a sips: URI fall through to the default t_relay, which resolves the target by DNS (SRV record _sips._tcp, or an A record with port 5061, ...).
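The three routing rules above select the TLS peer with a regular expression over the Request-URI. The following Python snippet is an added example (not part of the original page or of the SER/OpenSER configuration) that models the decision of the OpenSER branch and shows what the loose pattern written as "@domainA.net" matches compared with the anchored pattern; the local domain names used for the uri==myself check and the sample R-URIs are constructed for the demonstration.

```python
import re

# Domain patterns for the "destination domainA" branch. LOOSE is the bare
# substring match: the dot is a regex wildcard and nothing is anchored. STRICT
# matches the dot literally and requires the host to end right after the
# domain: end of URI, :port, ;parameter or ?header may follow, nothing else.
LOOSE_DOMAIN_A = re.compile(r"@domainA.net")
STRICT_DOMAIN_A = re.compile(r"@domainA\.net($|[:;?])")

# Assumed local domains of the OpenSER proxy (domain B) for the uri==myself check.
MY_DOMAINS = {"domainb", "sip.domainb"}
TLS_PEER_A = "t_relay(tls:sipserver.domainA.net:5061)"


def uri_host(ruri):
    """Host part of a sip:/sips: URI, lower-cased; None if the URI does not parse."""
    m = re.match(r"^sips?:(?:[^@]*@)?([^:;?]+)", ruri)
    return m.group(1).lower() if m else None


def route(ruri, domain_a_pattern):
    """Mirror the cfg branch: local if uri==myself, TLS peer on a domainA
    match, otherwise the default outbound route(1)."""
    if uri_host(ruri) in MY_DOMAINS:
        return "local"
    if domain_a_pattern.search(ruri):
        return TLS_PEER_A
    return "route(1)"


def compare(ruri):
    """Decision under the loose and under the strict pattern, side by side."""
    return route(ruri, LOOSE_DOMAIN_A), route(ruri, STRICT_DOMAIN_A)


if __name__ == "__main__":
    # Constructed sample R-URIs: legitimate, with port, with transport parameter,
    # and two look-alikes that only the loose pattern sends to the TLS peer.
    for ruri in ("sip:bob@domainA.net",
                 "sip:bob@domainA.net:5061",
                 "sip:bob@domainA.net;transport=tls",
                 "sip:bob@domainA.net.attacker.example",
                 "sip:bob@domainAXnet",
                 "sip:alice@domainB"):
        loose, strict = compare(ruri)
        print(f"{ruri:42} loose={loose:45} strict={strict}")
```

With the loose pattern, a request for bob@domainA.net.attacker.example is relayed to domain A's proxy over the trusted TLS link even though it is not destined for domain A; the peer then has to reject or forward it. The anchored pattern keeps that traffic on the normal outbound route.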

Validation, confirmation tests

  • register a UA at the proxy of domainA
  • register a UA at the proxy of domainB
  • make a call from UA 'A' to UA 'B' and see if it succeeds
  • check in the UA and proxy logs (or in a packet capture on port 5061) that TLS was used on every hop and that there was no fallback to UDP
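The log check above tells you that a TLS session was set up, not that the peer's certificate was the expected one. The following Python script is an added example (not part of the original page and not a SER/OpenSER tool) that connects to a proxy on its TLS port with the same checks tls_verify_server = 1 performs (chain rooted in the CA list file, CN/SAN matching the host name), sends a SIP OPTIONS request and reports the negotiated TLS version, the peer certificate subject and the SIP status. Host, port, CA list path and local domain are assumed command-line arguments.

```python
import re
import socket
import ssl
import sys


def build_options(host, port, local_domain, call_id="tlscheck-1"):
    """SIP OPTIONS request to the proxy with the headers RFC 3261 requires."""
    target = f"sip:{host}:{port}"
    lines = [
        f"OPTIONS {target} SIP/2.0",
        f"Via: SIP/2.0/TLS {local_domain};branch=z9hG4bK-{call_id}",
        "Max-Forwards: 70",
        f"From: <sip:tlscheck@{local_domain}>;tag=1",
        f"To: <{target}>",
        f"Call-ID: {call_id}@{local_domain}",
        "CSeq: 1 OPTIONS",
        "Content-Length: 0",
        "", "",  # the empty line terminates the header block
    ]
    return "\r\n".join(lines).encode("ascii")


def parse_status(response):
    """(status code, reason phrase) of a SIP response, or None if it is not one."""
    m = re.match(rb"SIP/2\.0 (\d{3}) ([^\r\n]*)", response)
    return (int(m.group(1)), m.group(2).decode("ascii", "replace")) if m else None


def check_tls_peer(host, port, cafile, local_domain):
    """Connect with chain and hostname verification, send OPTIONS and return
    (TLS version, peer certificate subject, parsed SIP status)."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = True            # CN/SAN must name `host`
    ctx.verify_mode = ssl.CERT_REQUIRED  # a chain not rooted in `cafile` aborts the handshake
    with socket.create_connection((host, port), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            tls.sendall(build_options(host, port, local_domain))
            reply = tls.recv(4096)
            return tls.version(), tls.getpeercert().get("subject"), parse_status(reply)


if __name__ == "__main__":
    # usage: script.py sipserver.domainA.net 5061 /path/to/calist.pem domainB
    host, port, cafile, local_domain = sys.argv[1], int(sys.argv[2]), sys.argv[3], sys.argv[4]
    try:
        print(check_tls_peer(host, port, cafile, local_domain))
    except ssl.SSLCertVerificationError as exc:
        # The peer offered a certificate that does not chain to the CA list or does
        # not name `host`: exactly what a proxy with tls_verify_server = 1 rejects.
        print("certificate verification failed:", exc)
        sys.exit(1)
```

Any SIP response proves that the TLS hop works; the status code (200, 404, 483, ...) depends on how the proxy handles OPTIONS. If the handshake fails with a protocol-version error rather than a certificate error, the proxy offers only TLS versions that a current OpenSSL refuses by default, which is a finding of its own.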

OS specific help

Reminder: this example is based on OpenSER compiled from source, where the config is in /usr/local/etc/openser and the certificates are in /usr/local/etc/openser/tls/user; the paths may differ when installed from packages.