| author | russell <russell@f38db490-d61c-443f-a65b-d21fe96a405b> | 2008-01-18 22:04:33 +0000 |
|---|---|---|
| committer | russell <russell@f38db490-d61c-443f-a65b-d21fe96a405b> | 2008-01-18 22:04:33 +0000 |
| commit | d6e19bdc91b0c4c6b5a069e11898741ec082b289 (patch) | |
| tree | d0cb360114e418a612eb2025d270801a1388cd7f /doc/siptls.txt | |
| parent | cc1fcc753900c912d856f3f0498a4f7bfd8344a6 (diff) | |
Merge changes from team/group/sip-tcptls
This set of changes introduces TCP and TLS support for chan_sip. There are various
new options in configs/sip.conf.sample that are used to enable these features. Also,
there is a document, doc/siptls.txt that describes some things in more detail.
This code was implemented by Brett Bryant and James Golovich. It was reviewed
by Joshua Colp and myself. A number of other people participated in the testing
of this code, but since it was done outside of the bug tracker, I do not have their
names. If you were one of them, thanks a lot for the help!
(closes issue #4903, but with completely different code than what exists there.)
git-svn-id: http://svn.digium.com/svn/asterisk/trunk@99085 f38db490-d61c-443f-a65b-d21fe96a405b
Diffstat (limited to 'doc/siptls.txt')
-rw-r--r-- | doc/siptls.txt | 94 |
1 files changed, 94 insertions, 0 deletions
diff --git a/doc/siptls.txt b/doc/siptls.txt new file mode 100644 index 000000000..3a54bf095 --- /dev/null +++ b/doc/siptls.txt 
@@ -0,0 +1,94 @@ +Asterisk SIP/TLS Transport +========================== + +When using TLS the client will typically check the validity of the +certificate chain. So that means you either need a certificate that is +signed by one of the larger CAs, or if you use a self signed certificate +you must install a copy of your CA on the client. + +So far this code has been test with: +Asterisk as client and server (TLS and TCP) +Polycom Soundpoint IP Phones (TLS and TCP) + Polycom phones require that the host (ip or hostname) that is + configured match the 'common name' in the certificate +Minisip Softphone (TLS and TCP) +Cisco IOS Gateways (TCP only) +SNOM 360 (TLS only) +Zoiper Biz Softphone (TLS and TCP) + + +sip.conf options +---------------- +tlsenable=[yes|no] + Enable TLS server, default is no + +tlsbindaddr=<ip address> + Specify IP address to bind TLS server to, default is 0.0.0.0 + +tlscertfile=</path/to/certificate> + The server's certificate file. Should include the key and + certificate. This is mandatory if your going to run a TLS server. + +tlscafile=</path/to/certificate> + If the server your connecting to uses a self signed certificate + you should have their certificate installed here so the code can + verify the authenticity of their certificate. + +tlscadir=</path/to/ca/dir> + A directory full of CA certificates. The files must be named with + the CA subject name hash value. + (see man SSL_CTX_load_verify_locations for more info) + +tlsdontverifyserver=[yes|no] + If set to yes, don't verify the servers certificate when acting as + a client. If you don't have the server's CA certificate you can + set this and it will connect without requiring tlscafile to be set. + Default is no. + +tlscipher=<SSL cipher string> + A string specifying which SSL ciphers to use or not use + + +Sample config +------------- + +Here are the relevant bits of config for setting up TLS between 2 +asterisk servers. 
With server_a registering to server_b + +On server_a: +[general] +tlsenable=yes +tlscertfgile=/etc/asterisk/asterisk.pem +tlscafile=/etc/ssl/ca.pem ; This is the CA file used to generate both certificates +register => tls://100:test@192.168.0.100:5061 + +[101] +type=friend +context=internal +host=192.168.0.100 ; The host should be either IP or hostname and should + ; match the 'common name' field in the servers certificate +secret=test +dtmfmode=rfc2833 +disallow=all +allow=ulaw +transport=tls +port=5061 + +On server_b: +[general] +tlsenable=yes +tlscertfgile=/etc/asterisk/asterisk.pem + +[100] +type=friend +context=internal +host=dynamic +secret=test +dtmfmode=rfc2833 +disallow=all +allow=ulaw +;You can specify transport= and port=5061 for TLS, but its not necessary in +;the server configuration, any type of SIP transport will work +;transport=tls +;port=5061 + |
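Review bot: the sample config spells the certificate option `tlscertfgile=/etc/asterisk/asterisk.pem` in both the server_a and server_b [general] sections, while the options list above documents it as `tlscertfile=`; anyone copying the sample gets an unrecognised option and a TLS server with no certificate configured, so both lines should read `tlscertfile=/etc/asterisk/asterisk.pem`. Two smaller points in the same file: the `tlscertfile` description says the file holds the private key as well as the certificate, so it is worth adding that the file must be readable only by the user Asterisk runs as; and the `tlsdontverifyserver` entry should state plainly that with it set to yes Asterisk cannot distinguish a forged peer certificate from the genuine one, so it belongs in debugging setups only, with `tlscafile` being the supported way to trust a self-signed peer. Wording: "has been test with" should be "has been tested with", "if your going to run" and "the server your connecting to" should use "you're", and "the servers certificate" should be "the server's certificate".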