...

  • TLS is enabled for the SER proxy: see 3.5.1. TLS for SER (UA-Proxy)
  • TLS is enabled for the OpenSER proxy: see 3.5.2. TLS for OpenSER (UA-Proxy)
  • A PKI certificate is available that contains the full DNS name of the SIP proxy in the CN field (in this example "sipserver.domainA.net"), together with the corresponding certificate chain. The example certificates that ship out of the box with a default (Open)SER installation must not be trusted.

Configuration

If both proxies have TLS enabled and the clients let you use the sips: URI scheme, you do not need any special routing logic in the cfg. This works even when the client itself does not use TLS (EyeBeam --TCP--> outbound SER --TLS--> SER ??).
Remember that TLS is applied only hop by hop.
To enforce TLS, or to define explicit TLS peers, do the following:

OpenSER proxy configuration:

  • add the certificate chain of the other proxy in PEM format to the CA list file in
    /usr/local/etc/openser/user/user-calist.pem
    You can open the file in a text editor and paste the certificate at the end of the file, or run cat certfile >> calist
  • add routing logic in the openser.cfg file:

...

  • restart openser:
    # openserctl restart

SER proxy configuration:

  • add the certificate chain of the other proxy in PEM format to the CA list file configured for your installation
    You can open the file in a text editor and paste the certificate at the end of the file, or run cat certfile >> calist
  • add routing logic in the ser.cfg file:

        if (!uri==myself) {
            # mark routing logic in request
            append_hf("P-hint: outbound\r\n");

            # route domainB over TLS
            if (uri=~".*@domainB") {
                # %rm = request method, %ru = request URI
                if (t_relay_to_tls("sip.domainB","5061")) {
                    xlog("L_INFO","TLS DomainB Method: %rm RURI: %ru\n");
                }
                else {sl_reply_error();}
                break;
            }
            route(FORWARD);
            break;
        }

  • restart ser
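The first step of both procedures above (OpenSER and SER) appends a PEM certificate chain to the proxy's CA list. A blind cat certfile >> calist has two failure modes a practitioner should check for: a CA list that lacks a final newline glues the END line of the last certificate to the BEGIN line of the new one, and repeating the step duplicates entries. The following Python script is an added example, not part of the original page or of the (Open)SER project; it parses the PEM blocks, appends only certificates not already present, and repairs a missing trailing newline. The path user-calist.pem is taken from the OpenSER step above; the "certificates" in the demo are constructed placeholder bytes, not real X.509 data.

```python
import base64
import os
import re
import tempfile
from pathlib import Path
from typing import List

# One PEM certificate block, BEGIN/END armour included (CRLF tolerated).
PEM_CERT_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\r?\n(.+?)\r?\n-----END CERTIFICATE-----",
    re.DOTALL,
)


def parse_pem_chain(text: str) -> List[bytes]:
    """Return the DER payload of every certificate block in a PEM bundle.

    Raises ValueError if a block body is not valid base64, so a file that is
    not actually PEM (or was truncated) is rejected instead of appended."""
    ders = []
    for match in PEM_CERT_RE.finditer(text):
        body = "".join(match.group(1).split())
        try:
            ders.append(base64.b64decode(body, validate=True))
        except ValueError as exc:
            raise ValueError("malformed PEM certificate block") from exc
    return ders


def to_pem(der: bytes) -> str:
    """Re-armour DER bytes as a PEM block with 64-column base64 lines."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return ("-----BEGIN CERTIFICATE-----\n" + "\n".join(lines)
            + "\n-----END CERTIFICATE-----\n")


def append_chain_to_calist(chain_pem: str, calist_path: str) -> int:
    """Append the certificates of chain_pem to the CA list file.

    Certificates whose DER bytes are already in the list are skipped, so the
    operation is idempotent. Returns the number of certificates added."""
    calist = Path(calist_path)
    current = calist.read_text() if calist.exists() else ""
    existing = set(parse_pem_chain(current))
    new_certs = parse_pem_chain(chain_pem)
    if not new_certs:
        raise ValueError("chain contains no PEM certificate blocks")
    added = 0
    with calist.open("a") as f:
        # A CA list saved without its final newline would otherwise glue the
        # previous END line and the new BEGIN line together.
        if current and not current.endswith("\n"):
            f.write("\n")
        for der in new_certs:
            if der in existing:
                continue
            f.write(to_pem(der))
            existing.add(der)
            added += 1
    return added


def placeholder_cert(label: bytes) -> str:
    """Constructed placeholder block for the demo: arbitrary bytes, NOT X.509."""
    return to_pem(b"CONSTRUCTED PLACEHOLDER, NOT A REAL CERTIFICATE: " + label)


def demo():
    """Run the append twice against a CA list missing its trailing newline.

    Returns (added on first run, added on second run, total certs in list)."""
    chain = (placeholder_cert(b"sipserver.domainA.net")
             + placeholder_cert(b"Example Root CA"))
    with tempfile.TemporaryDirectory() as tmp:
        calist = os.path.join(tmp, "user-calist.pem")
        # Simulate a hand-edited CA list whose final newline was lost.
        Path(calist).write_text(placeholder_cert(b"Other CA").rstrip("\n"))
        first = append_chain_to_calist(chain, calist)
        second = append_chain_to_calist(chain, calist)
        total = len(parse_pem_chain(Path(calist).read_text()))
        return first, second, total


if __name__ == "__main__":
    print(demo())
```

Run it against the real CA list path from your configuration after the (Open)SER process has been stopped, then restart the proxy as described above so the new CA list is loaded; the DER-level comparison means a chain re-wrapped at a different line width is still recognised as already present.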

SIP vs SIPS

To test sips: versus sip: behaviour with defined TLS peers, try a routing rule like this:

        if (uri=~"^sip:.*@sipx1.ces.net") {
            if (t_relay_to_tls("sipx1.ces.net","5061")) {
                xlog("L_INFO","TLS Message to sipx1.ces.net\n");
            }
            else {sl_reply_error();}
            break;
        }

This rule applies only to sip: URIs; sips: URIs are routed by the internal rules (DNS SRV _sips._tcp, or a DNS A record with port 5061, ...).

Validation, confirmation tests

...