Goal
Routing of inter domain sessions over a TLS encrypted link between a SER and an OpenSER proxy
Applicability
Inter-domain SIP routing over TLS. We enable end-users of domain A to communicate with end-users in domain B over their home proxy to the proxy of domain B. All connections use TLS:
User Agent A -> proxy domainA -> proxy domainB -> User Agent B
Prerequisites
- TLS is enabled for the SER proxy: see 3.16. TLS for SER (UA-Proxy)
- TLS is enabled for the OpenSER proxy: see 3.17. TLS for OpenSER (UA-Proxy)
- A PKI certificate is available that contains the full DNS name of the SIP proxy in the CN field (in this example "sipserver.domainA.net") and a corresponding certificate chain. Using out-of-the-box certificates that come as an example with the default installation of (Open)SER cannot be trusted.
Configuration
OpenSER proxy configuration:
- add the certificate chain of the other proxy in PEM format to the CA list file in
/usr/local/etc/openser/user/user-calist.pem
You can open the file in a text editor and add the certificate string at the end of the file. - add routing logic in the openser.cfg file:
# check for requests targeted out of our domain if (!uri==myself) { # mark routing logic in request append_hf("P-hint: outbound\r\n"); # destination DomainA if(uri=~"@domainA.net") { t_relay("tls:sipserver.domainA.net:5061"); xlog("L_INFO", "Time [%Tf] Route to ces.net :%rm RURI:%ru FROM:%fu TO:%tu \n buffer %mb \n flags \n %mf \n"); exit; } route(1); };
- restart openser:
# openserctl restart
SER proxy configuration:
xxx
OS specific help
Reminder: this example is based on a compiled version of openSER where the config is in /usr/local/etc/openser and the certificates are in /usr/local/etc/openser/tls/user, which might differ when installed from packages.