Goal (short description)
Communication between the User Agent and the home proxy is encrypted using TLS.
Applicability
We enable end-users of domain A to communicate with their home proxy based on TLS:
User Agent A -> proxy domainA
Prerequisites (OS, dependencies on other software)
- Debian 4r0
- OpenSER version 1.2 with tls
Configuration
- If TLS support is not included in your installation, get OpenSER 1.2 with TLS. This example uses the source code at http://www.openser.org/pub/openser/latest/src/openser-1.2.0-tls_src.tar.gz
- Carefully observe the installation notes: http://www.openser.org/mos/view/-OpenSER-Installation-Notes/
- Special care should be taken to install the packages:
- mysql-server
- libmysqlclient-dev
- libssl0.9.8-dev
- Make sure you build openser including TLS. There are several options, like changing the line in the makefile to the following:
TLS=1
and that you include mysql support:
make all include_modules="mysql"
make install - note that the compiled version puts openser in different directory compared to the openser package. The config file is in
/usr/local/etc/openser/openser.cfg
and the modules are in
/usr/local/lib/openser/modules
and the certificate information is in
/usr/local/etc/openser/tls/user - run mysqldb.sh to create the database
- add the certificate chain of the other proxy in PEM format to the CA list file in /usr/local/etc/openser/user/user-calist.pem. You can open the file in a text editor and add the certificate string at the end of the file.
- add routing logic in the openser.cfg file:
Test
Make sure that the certificate chain (CA list) is installed on the UA. For instance, when using Eyebeam 1.5 under MS Windows, import the chain (in PEM format with file extension .cer) into the windows certificate store by double clicking.
Configure a UA to use TLS. Under MS Windows, good examples are Eyebeam 1.5 or Phoner. Make sure to choose 'TLS' as the protocol in the settings and register with the proxy. Use the diagnostic tools of the UA to see if any problems occur. Common problems are:
- Invalid TLS version: though TLS 1.0 should be used according to the SIP RFC, TLS 2/3 is supported by both proxies and UAs
- Client certificate verification should be disabled
- CA certificate cannot be verified
- Common name of the server certificate does not match DNS name of the server
OS specific help
Reminder: this example is based on a compiled version of openSER where the config is in /usr/local/etc/openser and the certificates are in /usr/local/etc/openser/tls/user, which might differ when installed from packages.