Goal

Routing of inter-domain sessions over a TLS-encrypted link between a SER and an OpenSER proxy.

Applicability

Inter-domain SIP routing over TLS. We enable end-users of domain A to communicate with end-users in domain B over their home proxy to the proxy of domain B. All connections use TLS:

      User Agent A   ->   proxy domainA   ->   proxy domainB   ->   User Agent B

Prerequisites

  • TLS is enabled for the SER proxy: see 3.5.1. TLS for SER (UA-Proxy)
  • TLS is enabled for the OpenSER proxy: see 3.5.2. TLS for OpenSER (UA-Proxy)
  • A PKI certificate is available that contains the full DNS name of the SIP proxy in the CN field (in this example "sipserver.domainA.net"), together with the corresponding certificate chain. The out-of-the-box example certificates that come with the default installation of (Open)SER cannot be trusted.

Configuration  

OpenSER proxy configuration:

  • add the certificate chain of the other proxy in PEM format to the CA list file in
    /usr/local/etc/openser/user/user-calist.pem
    You can open the file in a text editor and add the certificate string at the end of the file. 
  • add routing logic in the openser.cfg file:
        # check for requests targeted out of our domain
        if (!uri==myself) {
            # mark routing logic in request
            append_hf("P-hint: outbound\r\n");
            # destination DomainA: relay over TLS to its proxy
            if (uri=~"@domainA.net") {
                t_relay("tls:sipserver.domainA.net:5061");
                # log the routing decision (method, request URI, From, To, buffer, flags)
                xlog("L_INFO", "Time [%Tf] Route to domainA.net :%rm RURI:%ru  FROM:%fu TO:%tu \n buffer %mb \n flags \n %mf \n");
                exit;
            }
            # all other outbound requests follow the default route
            route(1);
        };
  • restart openser:
    # openserctl restart
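
A pre-flight check for the CA list step above, given as an added example that is not part of the original page or of OpenSER: it confirms that the other proxy's certificate verifies against the CA list and that its CN is the host name used in t_relay. The function names and the assumption that the peer certificate has been saved to a PEM file are illustrative.

```shell
#!/bin/sh
# Added example (not from OpenSER). Assumption: the peer proxy's
# certificate is available as a PEM file, e.g. supplied by its administrator.

# cert_cn FILE
# Prints the subject commonName (CN) of the certificate in FILE.
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt multiline |
        sed -n 's/^ *commonName *= *//p'
}

# check_peer_cert CERT CALIST HOSTNAME
# Returns 0 if CERT verifies with CALIST as the CA file and its CN
# equals HOSTNAME, 1 if chain verification fails, 2 on a CN mismatch.
check_peer_cert() {
    cert=$1 calist=$2 host=$3

    # Chain check: the same trust decision the proxy makes from its CA list.
    if ! openssl verify -CAfile "$calist" "$cert" >/dev/null 2>&1; then
        echo "FAIL: $cert does not verify against $calist" >&2
        return 1
    fi

    # Name check: the CN must be the DNS name the proxy relays to.
    cn=$(cert_cn "$cert")
    if [ "$cn" != "$host" ]; then
        echo "FAIL: CN '$cn' does not match '$host'" >&2
        return 2
    fi

    echo "OK: $cert verifies and CN matches $host"
}

# Usage (paths as in this example installation):
#   sh check_peer.sh peer.pem /usr/local/etc/openser/user/user-calist.pem \
#       sipserver.domainA.net
if [ "$#" -eq 3 ]; then
    check_peer_cert "$1" "$2" "$3"
fi
```

A return code of 1 means the chain added to the CA list is incomplete or wrong; a return code of 2 means the certificate was issued for a different name than the one in the routing logic.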

SER proxy configuration:

xxx

Validation, confirmation tests

  • register a UA at the proxy of domainA
  • register a UA at the proxy of domainB
  • make a call from UA 'A' to UA 'B' and see if it succeeds
  • check in the UA and proxy logging whether TLS was used (and there was no fallback to UDP)

OS specific help

Reminder: this example is based on a compiled version of OpenSER where the config is in /usr/local/etc/openser and the certificates are in /usr/local/etc/openser/tls/user; these locations might differ when OpenSER is installed from packages.