SIP TLS

From FreeSWITCH Wiki

Configuration

FreeSWITCH supports encrypting SIP signaling with TLS. By convention this SIPS listener runs on TCP port 5061. Because the server certificate is normally issued by your own CA, you may need to install that CA certificate on each phone before it will connect (note: Polycom phones require the CA certificate to be installed explicitly as an "untrusted" CA certificate; see below).

Note: this encrypts only the signaling (SIP). Media (RTP) stays in the clear unless you also enable SRTP.

Sofia Profile Configuration

[code]

   <!-- enable the TLS listener on this profile -->
   <param name="tls" value="true"/>
   <!-- parameters appended to the TLS bind URI -->
   <param name="tls-bind-params" value="transport=tls"/>
   <!-- port the TLS listener binds; 5061 is the registered sips port -->
   <param name="tls-sip-port" value="5061"/>
   <!-- directory that holds cafile.pem and agent.pem (see below) -->
   <param name="tls-cert-dir" value="$${base_dir}/conf/ssl"/>
   <!-- tlsv1 selects TLS 1.0; the phones listed on this page were tested
        against it. Later FreeSWITCH releases also accept tlsv1.1 and
        tlsv1.2 here, and sslv23 is needed for the Linksys phones below. -->
   <param name="tls-version" value="tlsv1"/>

[/code]

Generate Certificates

To use TLS you need at least two certificates: the root CA certificate and a server certificate for every server. The script at /{prefix}/freeswitch/bin/gentls_cert (or {tarball}/scripts/gentls_cert in the source tarball) generates both. With

   ./gentls_cert setup

you create a new root CA certificate, stored at /{prefix}/freeswitch/conf/ssl/cafile.pem. It signs every server certificate and normally must also be installed on every phone. Distribute only this certificate; the CA private key must never be copied to a phone.

The command:

   ./gentls_cert create -cn freeswitch.org -alt DNS:freeswitch.org

creates the server certificate at /{prefix}/freeswitch/conf/ssl/agent.pem. This single file holds both the certificate and its private key, so protect it accordingly. The server's domain name must appear in both the common name (CN) and the subject alternative name (SAN); clients compare the configured server address against these.
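As an added example (not from the FreeSWITCH page or the gentls_cert script), the following POSIX shell script reproduces the file layout gentls_cert produces with plain openssl commands and then checks agent.pem the way a phone that has cafile.pem installed will: the chain must verify against the CA, the SAN must carry the SIP domain, and the private key embedded in the file must belong to the certificate. The directory /tmp/fs-tls-demo and the host name freeswitch.example.org are placeholders chosen for the example; the real files live in the tls-cert-dir set in the Sofia profile.

```shell
#!/bin/sh
# Added example, not part of the FreeSWITCH page or the gentls_cert script.
# Rebuilds the layout gentls_cert produces (cafile.pem = CA certificate,
# agent.pem = server certificate followed by its private key) with plain
# openssl, then checks the three things a phone or a Sofia profile will
# reject: a broken chain, a missing SAN, and a key that does not match.
set -eu

# Build a throwaway CA and a server certificate for host $2 under dir $1.
make_test_pki() {
    dir="$1"; cn="$2"
    mkdir -p "$dir"
    # Root CA, the equivalent of "gentls_cert setup". The key stays in
    # cakey.pem and is never copied to a phone; only cafile.pem is.
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=Example Root CA" \
        -keyout "$dir/cakey.pem" -out "$dir/cafile.pem" 2>/dev/null
    # Server key + CSR, the equivalent of "gentls_cert create -cn $cn -alt DNS:$cn".
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$cn" \
        -keyout "$dir/agent.key" -out "$dir/agent.csr" 2>/dev/null
    # Sign with the CA and add the SAN; phones match it against the proxy name.
    printf 'subjectAltName=DNS:%s\n' "$cn" > "$dir/agent.ext"
    openssl x509 -req -days 365 -in "$dir/agent.csr" \
        -CA "$dir/cafile.pem" -CAkey "$dir/cakey.pem" -CAcreateserial \
        -extfile "$dir/agent.ext" -out "$dir/agent.crt" 2>/dev/null
    # FreeSWITCH reads one file: certificate first, then the private key.
    cat "$dir/agent.crt" "$dir/agent.key" > "$dir/agent.pem"
}

# Validate $1/agent.pem for SIP domain $2 against $1/cafile.pem.
# Returns 0 when all checks pass, 1 with a reason on stderr otherwise.
verify_agent() {
    dir="$1"; cn="$2"
    certs="$dir/.agent.certs"; key="$dir/.agent.key"
    # Split agent.pem into its certificate and private-key blocks.
    sed -n '/^-----BEGIN CERTIFICATE-----/,/^-----END CERTIFICATE-----/p' \
        "$dir/agent.pem" > "$certs"
    sed -n '/^-----BEGIN .*PRIVATE KEY-----/,/^-----END .*PRIVATE KEY-----/p' \
        "$dir/agent.pem" > "$key"
    # 1. Chain: the server certificate must verify against the CA phones trust.
    openssl verify -CAfile "$dir/cafile.pem" "$certs" >/dev/null 2>&1 \
        || { echo "agent.pem is not signed by cafile.pem" >&2; return 1; }
    # 2. Name: the SIP domain must be present as a DNS subjectAltName.
    openssl x509 -in "$certs" -noout -text | grep -Eq "DNS:$cn(,|\$)" \
        || { echo "agent.pem has no subjectAltName DNS:$cn" >&2; return 1; }
    # 3. Key: the private key in the file must belong to the certificate.
    certpub=$(openssl x509 -in "$certs" -noout -pubkey) || return 1
    keypub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 1
    [ -n "$certpub" ] && [ "$certpub" = "$keypub" ] \
        || { echo "private key in agent.pem does not match the certificate" >&2; return 1; }
    return 0
}

# Demo: sh check_fs_tls.sh demo  (placeholder paths/names)
if [ "${1:-}" = "demo" ]; then
    make_test_pki /tmp/fs-tls-demo freeswitch.example.org
    verify_agent /tmp/fs-tls-demo freeswitch.example.org && echo "agent.pem OK"
fi
```

Run verify_agent against the real conf/ssl directory and the domain the phones are configured with before pointing them at the server; any of the three failures it reports is exactly what a phone with the CA installed will reject during the TLS handshake.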

Setting up a new CA and creating certificates under Windows is covered on a separate wiki page.

Polycom TLS Setup

TLS support was added in the SIP 2.x software. Tested with a SoundPoint IP 501 and known to work with other models; not supported on the 300 and 500. You must also install the CA certificate on the phone as an untrusted CA certificate, under Menu -> Advanced Settings -> Admin Settings -> SSL Security -> Install CA Certificate.

In the phone's configuration file, with x the registration index and y the server index:

   <reg reg.x.server.y.transport="TLS" reg.x.server.y.port="5061" />


Linksys TLS Setup

Works with the SPA942 and SPA962 on firmware 5.2.8. These phones negotiate SSL rather than TLS, so the profile option must be <param name="tls-version" value="sslv23"/>, which lets OpenSSL accept whichever version the phone offers. No trusted certificate needs to be installed on the phone, which also means the phone does not check the server certificate against a CA.

Snom Setup

(Tested with a Snom 320)

  • Update the Snom 320 to firmware version snom320-SIP 7.1.33 14322 (7.1.33 has some important bug fixes). Instructions are here: http://wiki.snom.com/Snom320/Firmware
  • On the phone's web page (its IP address is shown on the display at power-up), under Identity X / Login / Outbound Proxy, append ;transport=tls to the proxy, e.g. 192.168.0.1;transport=tls (do not add port 5061).
  • On the phone's web page, under Identity X / RTP / RTP Encryption, set it to on (this enables SRTP for the media).
  • On the phone's web page, under Identity X / RTP / RTP/SAVP, set it to Optional.

You're done.

EyeBeam/Bria Setup

(Tested on Windows with EyeBeam 1.5.19 build 47739 and Bria 2.3 build 47296)

  • In the account properties, open the Security tab and choose TLS as the signaling transport.
  • Copy cafile.pem, rename it to cafile.crt, and install it in the Windows trusted root certificate store (double-click the file in Explorer).