path: root/trunk/doc/siptls.txt
Diffstat (limited to 'trunk/doc/siptls.txt')
-rw-r--r--trunk/doc/siptls.txt94
1 files changed, 94 insertions, 0 deletions
diff --git a/trunk/doc/siptls.txt b/trunk/doc/siptls.txt
new file mode 100644
index 000000000..3a54bf095
--- /dev/null
+++ b/trunk/doc/siptls.txt
@@ -0,0 +1,94 @@
+Asterisk SIP/TLS Transport
+==========================
+
+When using TLS the client will typically check the validity of the
+certificate chain. So that means you either need a certificate that is
+signed by one of the larger CAs, or if you use a self signed certificate
+you must install a copy of your CA on the client.
+
+So far this code has been test with:
+Asterisk as client and server (TLS and TCP)
+Polycom Soundpoint IP Phones (TLS and TCP)
+ Polycom phones require that the host (ip or hostname) that is
+ configured match the 'common name' in the certificate
+Minisip Softphone (TLS and TCP)
+Cisco IOS Gateways (TCP only)
+SNOM 360 (TLS only)
+Zoiper Biz Softphone (TLS and TCP)
+
+
+sip.conf options
+----------------
+tlsenable=[yes|no]
+ Enable TLS server, default is no
+
+tlsbindaddr=<ip address>
+ Specify IP address to bind TLS server to, default is 0.0.0.0
+
+tlscertfile=</path/to/certificate>
+ The server's certificate file. Should include the key and
+ certificate. This is mandatory if your going to run a TLS server.
+
+tlscafile=</path/to/certificate>
+ If the server your connecting to uses a self signed certificate
+ you should have their certificate installed here so the code can
+ verify the authenticity of their certificate.
+
+tlscadir=</path/to/ca/dir>
+ A directory full of CA certificates. The files must be named with
+ the CA subject name hash value.
+ (see man SSL_CTX_load_verify_locations for more info)
+
+tlsdontverifyserver=[yes|no]
+ If set to yes, don't verify the servers certificate when acting as
+ a client. If you don't have the server's CA certificate you can
+ set this and it will connect without requiring tlscafile to be set.
+ Default is no.
+
+tlscipher=<SSL cipher string>
+ A string specifying which SSL ciphers to use or not use
+
+
+Sample config
+-------------
+
+Here are the relevant bits of config for setting up TLS between 2
+asterisk servers. With server_a registering to server_b
+
+On server_a:
+[general]
+tlsenable=yes
+tlscertfgile=/etc/asterisk/asterisk.pem
+tlscafile=/etc/ssl/ca.pem ; This is the CA file used to generate both certificates
+register => tls://100:test@192.168.0.100:5061
+
+[101]
+type=friend
+context=internal
+host=192.168.0.100 ; The host should be either IP or hostname and should
+ ; match the 'common name' field in the servers certificate
+secret=test
+dtmfmode=rfc2833
+disallow=all
+allow=ulaw
+transport=tls
+port=5061
+
+On server_b:
+[general]
+tlsenable=yes
+tlscertfgile=/etc/asterisk/asterisk.pem
+
+[100]
+type=friend
+context=internal
+host=dynamic
+secret=test
+dtmfmode=rfc2833
+disallow=all
+allow=ulaw
+;You can specify transport= and port=5061 for TLS, but its not necessary in
+;the server configuration, any type of SIP transport will work
+;transport=tls
+;port=5061
+
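Review bot: both sample configs in this hunk (server_a and server_b) use `tlscertfgile=/etc/asterisk/asterisk.pem`, but the option documented in the "sip.conf options" section above is `tlscertfile`; anyone pasting the sample will have a TLS server with no certificate file, which the same section says is mandatory, so both lines should read `tlscertfile=/etc/asterisk/asterisk.pem`. The `tlsdontverifyserver` entry should also state plainly what "don't verify the servers certificate" means: with it set to yes the remote end is not authenticated and an outbound TLS connection can be intercepted by anyone holding any certificate, so it is a debugging aid, not a substitute for installing the server's CA via `tlscafile`. Relatedly, the `tlscafile` text only mentions self-signed servers, but per the `SSL_CTX_load_verify_locations` reference it is the set of trust anchors used to verify any server chain, so it is needed whenever the server's issuing CA is not already trusted; consider saying that, and pointing `tlscipher` at the OpenSSL cipher list format in the same way. Minor wording: "has been test with" -> "has been tested with", "if your going to" -> "if you are going to", "the server your connecting to" -> "the server you are connecting to", "the servers certificate" -> "the server's certificate", and "its not necessary" -> "it's not necessary".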