From d6e19bdc91b0c4c6b5a069e11898741ec082b289 Mon Sep 17 00:00:00 2001
From: russell
Date: Fri, 18 Jan 2008 22:04:33 +0000
Subject: Merge changes from team/group/sip-tcptls

This set of changes introduces TCP and TLS support for chan_sip. There are various new options in configs/sip.conf.sample that are used to enable these features. Also, there is a document, doc/siptls.txt that describes some things in more detail.

This code was implemented by Brett Bryant and James Golovich. It was reviewed by Joshua Colp and myself. A number of other people participated in the testing of this code, but since it was done outside of the bug tracker, I do not have their names. If you were one of them, thanks a lot for the help!

(closes issue #4903, but with completely different code than what exists there.)

git-svn-id: http://svn.digium.com/svn/asterisk/trunk@99085 f38db490-d61c-443f-a65b-d21fe96a405b
---
 doc/siptls.txt | 94 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 94 insertions(+)
 create mode 100644 doc/siptls.txt

diff --git a/doc/siptls.txt b/doc/siptls.txt
new file mode 100644
index 000000000..3a54bf095
--- /dev/null
+++ b/doc/siptls.txt
@@ -0,0 +1,94 @@ +Asterisk SIP/TLS Transport +========================== + +When using TLS the client will typically check the validity of the +certificate chain. So that means you either need a certificate that is +signed by one of the larger CAs, or if you use a self signed certificate +you must install a copy of your CA on the client. + +So far this code has been test with: +Asterisk as client and server (TLS and TCP) +Polycom Soundpoint IP Phones (TLS and TCP) + Polycom phones require that the host (ip or hostname) that is + configured match the 'common name' in the certificate +Minisip Softphone (TLS and TCP) +Cisco IOS Gateways (TCP only) +SNOM 360 (TLS only) +Zoiper Biz Softphone (TLS and TCP) + + +sip.conf options +---------------- +tlsenable=[yes|no] + Enable TLS server, default is no + +tlsbindaddr= + Specify IP address to bind TLS server to, default is 0.0.0.0 + +tlscertfile= + The server's certificate file. Should include the key and + certificate. This is mandatory if your going to run a TLS server. + +tlscafile= + If the server your connecting to uses a self signed certificate + you should have their certificate installed here so the code can + verify the authenticity of their certificate. + +tlscadir= + A directory full of CA certificates. The files must be named with + the CA subject name hash value. + (see man SSL_CTX_load_verify_locations for more info) + +tlsdontverifyserver=[yes|no] + If set to yes, don't verify the servers certificate when acting as + a client. If you don't have the server's CA certificate you can + set this and it will connect without requiring tlscafile to be set. + Default is no. + +tlscipher= + A string specifying which SSL ciphers to use or not use + + +Sample config +------------- + +Here are the relevant bits of config for setting up TLS between 2 +asterisk servers. 
With server_a registering to server_b + +On server_a: +[general] +tlsenable=yes +tlscertfgile=/etc/asterisk/asterisk.pem +tlscafile=/etc/ssl/ca.pem ; This is the CA file used to generate both certificates +register => tls://100:test@192.168.0.100:5061 + +[101] +type=friend +context=internal +host=192.168.0.100 ; The host should be either IP or hostname and should + ; match the 'common name' field in the servers certificate +secret=test +dtmfmode=rfc2833 +disallow=all +allow=ulaw +transport=tls +port=5061 + +On server_b: +[general] +tlsenable=yes +tlscertfgile=/etc/asterisk/asterisk.pem + +[100] +type=friend +context=internal +host=dynamic +secret=test +dtmfmode=rfc2833 +disallow=all +allow=ulaw +;You can specify transport= and port=5061 for TLS, but its not necessary in +;the server configuration, any type of SIP transport will work +;transport=tls +;port=5061 + -- cgit v1.2.3
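Review bot: the sample config in this hunk sets `tlscertfgile=` on both server_a and server_b, but the option documented in the list above is `tlscertfile=`; the same text says the certificate file is mandatory for a TLS server, so anyone copying the sample as written would end up with no certificate loaded and no working TLS listener. Both sample lines should read `tlscertfile=/etc/asterisk/asterisk.pem`. The `tlsdontverifyserver` entry should also say plainly that with it set to yes the client accepts any certificate, so the connection is encrypted but the peer is not authenticated; suggest presenting it as a testing-only option rather than as the documented way to avoid installing the CA in `tlscafile`. Since `tlscertfile` holds the private key together with the certificate, that entry could mention keeping the file readable only by the user Asterisk runs as. `tlscipher=` would benefit from the same kind of pointer the `tlscadir=` entry gives, for example that the string is in OpenSSL cipher-list syntax (see man ciphers). Minor wording: "has been test with" should be "has been tested with", "your going" and "your connecting" should be "you're going" and "you're connecting", "servers certificate" should be "server's certificate", and "its not necessary" should be "it's not necessary".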