How to configure TLS

Creating a certificate

Create a file named caconfig1.conf


[ req ]
default_bits            = 1024
prompt                  = no
distinguished_name      = req_dn

[ req_dn ]
commonName              = myCompany CA
organizationName        = myCompany

[ ext ]
basicConstraints=CA:TRUE
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always


Create a file named caconfig2.conf

[ req ]
default_bits            = 1024
prompt                  = no
distinguished_name      = req_dn

[ req_dn ]
commonName              = myCompany CA
organizationName        = myCompany

[ ext ]
basicConstraints=CA:FALSE
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always
subjectAltName=DNS:subdomain.mycompany.com


Create a new CA certificate with openssl:

openssl req -new -out carequest.pem -newkey rsa:1024 -keyout cakey.pem -config caconfig1.conf -nodes -sha1
openssl x509 -req -signkey cakey.pem -in carequest.pem -out cafile.pem -extfile caconfig1.conf -extensions ext -days 365 -sha1


Generate a new certificate:

openssl req -new -out tmp.req -newkey rsa:1024 -keyout tmp.key -config caconfig2.conf -nodes -sha1
openssl x509 -req -CAkey cakey.pem -CA cafile.pem -CAcreateserial -in tmp.req -out tmp.crt -extfile caconfig2.conf -extensions ext -days 365 -sha1


Generate agent.pem:

cat tmp.crt tmp.key > agent.pem
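The steps above produce the files but never check them. The following script is an added example (not beroNet's own tooling): it builds the same kind of private CA and agent certificate in a scratch directory, then verifies that the agent certificate chains to cafile.pem, that its DNS name is accepted by OpenSSL's hostname check, and that the key bundled into agent.pem really belongs to the certificate. The CA name, organization and DNS name are placeholders, and it assumes openssl(1) on PATH; it uses rsa:2048 and sha256 instead of the rsa:1024/sha1 shown on this page, because current OpenSSL builds reject SHA-1 signatures when verifying.

```shell
#!/bin/sh
# Added example, not part of the original page or the beroNet product.
# Assumes: openssl(1) on PATH. All names below are constructed placeholders.
set -eu

# Build a self-signed CA and a CA-signed agent certificate under directory $1.
make_pki() {
    dir=$1
    mkdir -p "$dir"
    # CA config: req -x509 reads the extension section named by x509_extensions.
    cat > "$dir/ca.conf" <<'EOF'
[ req ]
default_bits            = 2048
prompt                  = no
distinguished_name      = req_dn
x509_extensions         = ext

[ req_dn ]
commonName              = example CA
organizationName        = example

[ ext ]
basicConstraints        = critical,CA:TRUE
subjectKeyIdentifier    = hash
EOF
    # Leaf config: CA:FALSE plus the DNS name the gateway will be reached under.
    cat > "$dir/agent.conf" <<'EOF'
[ req ]
default_bits            = 2048
prompt                  = no
distinguished_name      = req_dn

[ req_dn ]
commonName              = gateway.example.test
organizationName        = example

[ ext ]
basicConstraints        = CA:FALSE
subjectKeyIdentifier    = hash
authorityKeyIdentifier  = keyid,issuer:always
subjectAltName          = DNS:gateway.example.test
EOF
    # Self-signed CA in one step (req -x509) rather than req + x509 -signkey.
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 365 \
        -config "$dir/ca.conf" -keyout "$dir/cakey.pem" -out "$dir/cafile.pem"
    # Agent key and CSR, then the CA-signed certificate with the leaf extensions.
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -config "$dir/agent.conf" -keyout "$dir/tmp.key" -out "$dir/tmp.req"
    openssl x509 -req -sha256 -days 365 -CA "$dir/cafile.pem" -CAkey "$dir/cakey.pem" \
        -CAcreateserial -extfile "$dir/agent.conf" -extensions ext \
        -in "$dir/tmp.req" -out "$dir/tmp.crt"
    # Same bundle layout as the page: certificate first, then the private key.
    cat "$dir/tmp.crt" "$dir/tmp.key" > "$dir/agent.pem"
}

# Return 0 when the agent certificate in $1 chains to cafile.pem, is valid for
# host name $2, and matches the private key in the bundle; return 1 otherwise.
check_pki() {
    dir=$1
    host=$2
    # Chain + hostname check: the SAN must contain DNS:$host.
    openssl verify -CAfile "$dir/cafile.pem" -verify_hostname "$host" \
        "$dir/tmp.crt" 2>/dev/null | grep -q ': OK$' || return 1
    # Key/cert mismatch is a common upload error: compare the public keys.
    cert_pub=$(openssl x509 -in "$dir/agent.pem" -noout -pubkey)
    key_pub=$(openssl pkey -in "$dir/tmp.key" -pubout)
    [ "$cert_pub" = "$key_pub" ] || return 1
    return 0
}
```

Run it as `make_pki ./pki && check_pki ./pki gateway.example.test && echo ok`; the same check with a host name that is not in subjectAltName fails, which is exactly what a peer enforcing hostname verification would see.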

Uploading Certificate

On the beroNet VoIP Gateway the agent.pem and the cafile.pem can be uploaded under SIP->General.


TLS Verify Policy

The following TLS behaviour can be configured by setting the tls_verify_policy option (currently found under the experimental options):

NONE:         Do not verify Peer Certificates. (default setting)
IN:           Drop incoming connections which fail signature verification against trusted certificate authorities. Peers must provide a certificate during the initial TLS Handshake.
OUT:          Drop outgoing connections which fail signature verification against trusted certificate authorities.
ALL:          Alias for (IN|OUT)
SUBJECTS_IN:  Match the certificate subject on incoming connections against a provided list. If no match is found, the connection is rejected. If no list is provided, subject checking is bypassed. Note: Implies IN.
SUBJECTS_OUT: Match the certificate subject on outgoing connections against a provided list. If no match is found, the connection is rejected. Note: Implies OUT.
SUBJECTS_ALL: Alias for (SUBJECTS_IN|SUBJECTS_OUT)

These options can be combined using the |-operator.

e.g.:

tls_verify_policy=IN
tls_verify_policy=OUT
tls_verify_policy=IN|OUT (is the same as tls_verify_policy=ALL)


External Documentation

A good introduction to TLS and an explanation of agent.pem and cafile.pem can be found in the freeswitch wiki [1], which uses the same SIP framework (SOFIASIP) as the beroNet VoIP gateway.


If you need scheduled remote assistance, you can request our on-demand support services: https://www.beronet.com/support