Goal
Routing of inter-domain sessions over a TLS-encrypted link between a SER proxy and an OpenSER proxy.
Applicability
Inter-domain SIP routing over TLS. End users of domain A reach end users of domain B through their home proxy, which forwards the session to the proxy of domain B. All connections use TLS:
User Agent A -> proxy domainA -> proxy domainB -> User Agent B
Prerequisites
- TLS is enabled for the SER proxy: see 3.5.1. TLS for SER (UA-Proxy)
- TLS is enabled for the OpenSER proxy: see 3.5.2. TLS for OpenSER (UA-Proxy)
- A certificate is available for each proxy whose CN field contains the full DNS name of that SIP proxy (in this example "sipserver.domainA.net"), together with the chain of its issuing CA. The example certificates shipped with a default (Open)SER installation must not be used: they are distributed with the software, private key included, so anyone can present them and they prove nothing about the peer's identity.
Configuration
If both proxies have TLS enabled and the clients let you dial sips: URIs, no special routing logic is needed in the cfg files. This even works when the client itself does not use TLS (eyeBeam -TCP-> outbound SER -TLS-> SER -??-> client); the transport of the last hop depends on how the called client is registered.
Remember that TLS is done on a hop-by-hop basis only: each proxy decrypts and re-encrypts, so confidentiality depends on every single hop using TLS, and on the proxies themselves.
To make sure TLS is used, or to define explicit TLS peers, do the following:
Note: If encryption of the SIP messages is enough for you and no mutual verification of the servers is necessary, you can change:
OpenSER proxy configuration:
- add the certificate chain of the other proxy, in PEM format, to the CA list file, here /usr/local/etc/openser/tls/user/user-calist.pem (the file referenced by tls_ca_list in openser.cfg). You can open the file in a text editor and paste the certificate at the end, or run: cat certfile >> user-calist.pem
  Only certificates chaining to an entry in this list are accepted from the peer, and only if certificate verification is enabled on the proxy; appending a chain does nothing on its own when verification is off.
- add routing logic to the openser.cfg file:
    # check for requests targeted out of our domain
    if (!uri==myself) {
        # mark routing logic in request
        append_hf("P-hint: outbound\r\n");
        # inter-domain connection via TLS: destination domainA
        # (the peer's certificate CN must match sipserver.domainA.net)
        if (uri=~"@domainA.net") {
            # "tls:" forces the transport; with an explicit host and port
            # no SRV lookup is done
            if (!t_relay("tls:sipserver.domainA.net:5061")) {
                sl_reply_error();
            } else {
                # %mb logs the whole message, including any Authorization
                # header: fine for the test, too verbose for production
                xlog("L_INFO", "Time [%Tf] Route to domainA.net: %rm RURI:%ru FROM:%fu TO:%tu\n buffer %mb\n flags\n %mf\n");
            }
            exit;
        }
        # all other foreign destinations: default outbound route
        route(1);
        exit;
    };
- restart openser:
# openserctl restart
SER proxy configuration:
- add the certificate chain of the other proxy, in PEM format, to the CA list file configured for the SER tls module (the path depends on your config). Again, edit the file and append the certificate at the end, or run: cat certfile >> calist
- add routing logic to the ser.cfg file:
    # ... preceded by the in-domain handling of the main route block
    } else if (!uri==myself) {
        # mark routing logic in request
        append_hf("P-hint: outbound\r\n");
        # route domainB over TLS to the peer proxy sip.domainB
        # (its certificate CN must match the name given here)
        if (uri=~".*@domainB") {
            if (t_relay_to_tls("sip.domainB", "5061")) {
                xlog("L_INFO", "TLS DomainB Method: %rm RURI: %ru\n");
            } else {
                sl_reply_error();
            }
            break;
        }
        # all other foreign destinations: default forwarding route
        route(FORWARD);
        break;
    }
- restart ser:
# serctl restart
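After appending a chain with cat certfile >> calist it is worth checking that the file still parses and that the peer's certificates are in it exactly once (running the append twice silently duplicates them). The following checker is an added example, not part of the page or of (Open)SER; it uses only the standard library, compares certificates by SHA-256 fingerprint of their DER encoding, and the PEM blocks it runs on are constructed placeholders (a DER SEQUENCE tag followed by a label), not real X.509 certificates.

```python
"""Sanity-check an (Open)SER CA list file after appending a peer proxy's chain.

Added example for the TLS inter-domain routing page; not project code.
"""
import base64
import hashlib
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)


def pem_blocks(text):
    """Return the DER bytes of every CERTIFICATE block in a PEM file.

    Raises ValueError for a block whose body is not valid base64 or does
    not start with an ASN.1 SEQUENCE tag (0x30), which every X.509 cert does.
    """
    ders = []
    for body in PEM_RE.findall(text):
        der = base64.b64decode("".join(body.split()), validate=True)
        if not der.startswith(b"\x30"):
            raise ValueError("PEM block does not contain a DER SEQUENCE")
        ders.append(der)
    return ders


def fingerprint(der):
    """SHA-256 fingerprint of a DER certificate, hex encoded."""
    return hashlib.sha256(der).hexdigest()


def check_calist(calist_text, peer_chain_text):
    """Report whether the whole peer chain is present in the CA list and
    whether any certificate occurs more than once in the list."""
    calist = [fingerprint(d) for d in pem_blocks(calist_text)]
    peer = [fingerprint(d) for d in pem_blocks(peer_chain_text)]
    missing = [fp for fp in peer if fp not in calist]
    duplicates = sorted({fp for fp in calist if calist.count(fp) > 1})
    return {
        "count": len(calist),
        "missing": missing,
        "duplicates": duplicates,
        "ok": not missing and not duplicates,
    }


def _fake_pem(label):
    # Constructed placeholder: a SEQUENCE tag plus a label, NOT a real cert.
    der = b"\x30\x10" + label.encode().ljust(16, b"\x00")
    b64 = base64.encodebytes(der).decode()
    return "-----BEGIN CERTIFICATE-----\n" + b64 + "-----END CERTIFICATE-----\n"


# Constructed inputs: the peer proxy cert with its CA, and our CA list
# before the append, after one append, and after an accidental second one.
PEER_CHAIN = _fake_pem("domainA-proxy") + _fake_pem("domainA-CA")
CALIST_BEFORE = _fake_pem("domainB-root")
CALIST_AFTER = CALIST_BEFORE + PEER_CHAIN
CALIST_TWICE = CALIST_AFTER + PEER_CHAIN

if __name__ == "__main__":
    for name, text in (("before", CALIST_BEFORE), ("after", CALIST_AFTER),
                       ("twice", CALIST_TWICE)):
        print(name, check_calist(text, PEER_CHAIN))
```

A clean list is only half of the check: the proxy has to be configured to verify the peer's certificate against it (tls_verify_server in openser.cfg, the corresponding verify parameters of the tls module in ser.cfg), otherwise the encrypted hop still accepts any certificate.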
SIP vs SIPS
To observe the difference between sip: and sips: URIs with explicitly defined TLS peers, use a routing rule like this one, which matches only the sip: scheme:
    # matches only the sip: scheme; sips: URIs are not caught here
    if (uri=~"^sip:.*@domainB") {
        if (t_relay_to_tls("sip.domainB", "5061")) {
            xlog("L_INFO", "TLS Message to domainB: %rm\n");
        } else {
            sl_reply_error();
        }
        break;
    }
This rule applies only to sip: URIs; sips: URIs fall through to the default t_relay(), which resolves the destination via DNS (SRV _sips._tcp, or an A record with port 5061).
Validation, confirmation tests
- register a UA at the proxy of domain A
- register a UA at the proxy of domain B
- make a call from UA 'A' to UA 'B' and check that it succeeds
- check in the UA and proxy logs that TLS was used on every hop (UA to proxy, proxy to proxy, proxy to UA) and that there was no fallback to UDP; the P-hint: outbound header added by the routing logic shows that the inter-domain branch was taken
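The log check in the last step can be made precise by reading the Via headers of the INVITE as it arrives at UA B: every proxy records the transport it used for its own hop, so a UDP or TCP entry shows exactly where TLS was not used. The code below is an added example, not part of the original page or of (Open)SER. The INVITE it parses is constructed for the example (its TCP first hop mirrors the eyeBeam-over-TCP case from the Configuration section), and the extra Record-Route check flags entries without ;transport=tls or a sips: scheme, since in-dialog requests (ACK, BYE) follow the Record-Route set and would otherwise not be pinned to TLS.

```python
"""Check from a received SIP request which hops used TLS.

Added example for the TLS inter-domain routing page; not project code.
"""
import re

# "SIP/2.0/<transport> <sent-by>" at the start of a Via value
VIA_RE = re.compile(r"^SIP/2\.0/([A-Za-z]+)\s+([^;\s,]+)")
RR_URI_RE = re.compile(r"<([^>]+)>")

# Constructed INVITE as UA B would receive it; 192.0.2.10 is documentation
# address space. The UA's own hop used TCP, both proxy hops used TLS.
SAMPLE_INVITE = (
    "INVITE sip:userb@domainB SIP/2.0\r\n"
    "Via: SIP/2.0/TLS sip.domainB:5061;branch=z9hG4bK-b3\r\n"
    "Via: SIP/2.0/TLS sipserver.domainA.net:5061;branch=z9hG4bK-a2\r\n"
    "Via: SIP/2.0/TCP 192.0.2.10:5060;branch=z9hG4bK-ua1\r\n"
    "Record-Route: <sip:sip.domainB:5061;transport=tls;lr>\r\n"
    "Record-Route: <sip:sipserver.domainA.net:5061;transport=tls;lr>\r\n"
    "P-hint: outbound\r\n"
    "From: <sip:usera@domainA.net>;tag=1928301774\r\n"
    "To: <sip:userb@domainB>\r\n"
    "Call-ID: a84b4c76e66710@192.0.2.10\r\n"
    "CSeq: 314159 INVITE\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)


def parse_headers(msg):
    """Return (name, value) pairs of a SIP message, names lower-cased,
    folded continuation lines joined, the compact form 'v' mapped to 'via'."""
    head = msg.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")[1:]          # drop the request line
    unfolded = []
    for line in lines:
        if line[:1] in (" ", "\t") and unfolded:
            unfolded[-1] += " " + line.strip()
        else:
            unfolded.append(line)
    headers = []
    for line in unfolded:
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed header line: %r" % line)
        name = name.strip().lower()
        headers.append(({"v": "via"}.get(name, name), value.strip()))
    return headers


def via_hops(msg):
    """Return [(transport, sent_by)] for every Via, nearest hop first.
    Comma-separated Via lists are split (quoted commas are not expected)."""
    hops = []
    for name, value in parse_headers(msg):
        if name != "via":
            continue
        for part in value.split(","):
            m = VIA_RE.match(part.strip())
            if not m:
                raise ValueError("malformed Via: " + part)
            hops.append((m.group(1).upper(), m.group(2)))
    return hops


def non_tls_hops(msg):
    """Via entries whose transport is not TLS; UDP here means a fallback."""
    return [h for h in via_hops(msg) if h[0] != "TLS"]


def insecure_record_routes(msg):
    """Record-Route URIs that neither use sips: nor carry ;transport=tls."""
    weak = []
    for name, value in parse_headers(msg):
        if name != "record-route":
            continue
        for uri in RR_URI_RE.findall(value):
            low = uri.lower()
            if not (low.startswith("sips:") or "transport=tls" in low):
                weak.append(uri)
    return weak


def tls_report(msg):
    """Summary a tester can read off: every hop TLS, and dialog pinned to TLS?"""
    bad_hops = non_tls_hops(msg)
    weak_rr = insecure_record_routes(msg)
    return {"hops": via_hops(msg), "non_tls": bad_hops,
            "weak_record_routes": weak_rr,
            "all_tls": not bad_hops and not weak_rr}


if __name__ == "__main__":
    print(tls_report(SAMPLE_INVITE))
```

Run it against a message captured at the callee (or dumped by xlog with %mb) after a test call; the report should list three TLS hops and no weak Record-Route entries before the setup is declared good.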
OS specific help
Reminder: this example is based on a source-built version of OpenSER where the config is in /usr/local/etc/openser and the certificates are in /usr/local/etc/openser/tls/user; the paths differ when OpenSER is installed from packages.