How to configure TLS
Creating a certificate
Create a file named caconfig1.conf (request settings and extensions for the CA certificate):
[ req ]
default_bits = 1024
prompt = no
distinguished_name = req_dn

[ req_dn ]
commonName = myCompany CA
organizationName = myCompany

[ ext ]
basicConstraints=CA:TRUE
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always
Create a file named caconfig2.conf (request settings and extensions for the gateway's own certificate):
[ req ]
default_bits = 1024
prompt = no
distinguished_name = req_dn

[ req_dn ]
commonName = myCompany CA
organizationName = myCompany

[ ext ]
basicConstraints=CA:FALSE
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always
subjectAltName=DNS:subdomain.mycompany.com
Note: basicConstraints=CA:FALSE marks this as an end-entity certificate, and the subjectAltName is the name peers should match it against; replace subdomain.mycompany.com with the gateway's real SIP host name. The commonName here is copied from the CA configuration; giving the gateway certificate a distinct commonName (typically the same host name) avoids confusing the two certificates.
Create a new CA certificate with openssl (first the key and request, then the self-signed certificate with the CA extensions):
openssl req -new -out carequest.pem -newkey rsa:1024 -keyout cakey.pem -config caconfig1.conf -nodes -sha1
openssl x509 -req -signkey cakey.pem -in carequest.pem -out cafile.pem -extfile caconfig1.conf -extensions ext -days 365 -sha1
Note: rsa:1024 and -sha1 are the values of the original procedure. Current OpenSSL releases reject SHA-1 certificate signatures at their default security level and 1024-bit RSA keys are no longer considered adequate, so for new deployments use rsa:2048 (or larger) and -sha256 in all four commands. Keep cakey.pem offline; anyone holding it can issue certificates the gateway will trust.
Generate the gateway certificate, signed by the CA (-CAcreateserial creates the serial-number file cafile.srl on first use):
openssl req -new -out tmp.req -newkey rsa:1024 -keyout tmp.key -config caconfig2.conf -nodes -sha1
openssl x509 -req -CAkey cakey.pem -CA cafile.pem -CAcreateserial -in tmp.req -out tmp.crt -extfile caconfig2.conf -extensions ext -days 365 -sha1
Combine the certificate and its private key into agent.pem:
cat tmp.crt tmp.key > agent.pem
Uploading Certificate
On the beroNet VoIP Gateway, agent.pem (the gateway's own certificate and private key) and cafile.pem (the CA certificate used to verify peers) can be uploaded under SIP->General.
TLS Verify Policy
The following TLS verification behaviour can be configured by setting the tls_verify_policy option (currently under experimental options):
NONE: Do not verify peer certificates (default setting).
IN: Drop incoming connections which fail signature verification against the trusted certificate authorities. Peers must provide a certificate during the initial TLS handshake.
OUT: Drop outgoing connections which fail signature verification against the trusted certificate authorities.
ALL: Alias for IN|OUT.
SUBJECTS_IN: Match the certificate subject on incoming connections against a provided list. If no match is found, the connection is rejected. If no list is provided, subject checking is bypassed. Note: implies IN.
SUBJECTS_OUT: Match the certificate subject on outgoing connections against a provided list. If no match is found, the connection is rejected. Note: implies OUT.
SUBJECTS_ALL: Alias for SUBJECTS_IN|SUBJECTS_OUT.
With the default NONE the connection is encrypted but the peer is not authenticated: any certificate is accepted, including a self-signed one presented by an impostor. Set at least IN or OUT (with the issuing CA uploaded as cafile.pem) to authenticate peers; the SUBJECTS_* values additionally restrict which certificate subjects are accepted, which is why they imply the corresponding signature check rather than replacing it.
These options can be combined using the |-operator, e.g.:
tls_verify_policy=IN
tls_verify_policy=OUT
tls_verify_policy=IN|OUT (the same as tls_verify_policy=ALL)
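The whole certificate procedure above and the two checks the verify policy describes, as an added example that is not part of the original article or of beroNet's tooling: a POSIX shell script that builds the CA and the agent certificate, then performs chain verification (what IN/OUT do) and subject matching (what SUBJECTS_IN/SUBJECTS_OUT do) on the result, plus a constructed self-signed "rogue" certificate that carries the right name but is not issued by the CA. Assumptions: openssl 1.1.1 or later in PATH; 2048-bit RSA with SHA-256 instead of the article's rsa:1024/-sha1; the agent's commonName is set to the gateway name rather than "myCompany CA"; and, since this page does not state which certificate fields the gateway compares for SUBJECTS_*, the script matches both the CN and the DNS subjectAltName entries.

```shell
# Added example, not part of the beroNet article or its tooling: builds the CA and the agent
# certificate from the procedure above, then runs the two checks tls_verify_policy describes,
# chain verification (IN/OUT) and subject matching (SUBJECTS_IN/SUBJECTS_OUT).
# Assumptions: openssl 1.1.1+ in PATH; 2048-bit RSA and SHA-256 instead of rsa:1024/-sha1;
# the agent commonName is the gateway name rather than "myCompany CA".
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Same layout as caconfig1.conf and caconfig2.conf above.
write_configs() {
    cat > "$WORK/caconfig1.conf" <<'EOF'
[ req ]
default_bits = 2048
prompt = no
distinguished_name = req_dn
[ req_dn ]
commonName = myCompany CA
organizationName = myCompany
[ ext ]
basicConstraints=CA:TRUE
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always
EOF
    cat > "$WORK/caconfig2.conf" <<'EOF'
[ req ]
default_bits = 2048
prompt = no
distinguished_name = req_dn
[ req_dn ]
commonName = subdomain.mycompany.com
organizationName = myCompany
[ ext ]
basicConstraints=CA:FALSE
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always
subjectAltName=DNS:subdomain.mycompany.com
EOF
}

# Self-signed CA: cakey.pem stays offline, cafile.pem is the trust anchor uploaded to the gateway.
make_ca() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$WORK/caconfig1.conf" \
        -keyout "$WORK/cakey.pem" -out "$WORK/carequest.pem" 2>/dev/null
    openssl x509 -req -sha256 -days 365 -signkey "$WORK/cakey.pem" -in "$WORK/carequest.pem" \
        -extfile "$WORK/caconfig1.conf" -extensions ext -out "$WORK/cafile.pem" 2>/dev/null
}

# Agent certificate issued by the CA; certificate and key are concatenated into agent.pem.
make_agent() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$WORK/caconfig2.conf" \
        -keyout "$WORK/tmp.key" -out "$WORK/tmp.req" 2>/dev/null
    openssl x509 -req -sha256 -days 365 -CA "$WORK/cafile.pem" -CAkey "$WORK/cakey.pem" \
        -CAcreateserial -in "$WORK/tmp.req" -extfile "$WORK/caconfig2.conf" -extensions ext \
        -out "$WORK/tmp.crt" 2>/dev/null
    cat "$WORK/tmp.crt" "$WORK/tmp.key" > "$WORK/agent.pem"
}

# Constructed negative case: self-signed, carries the right name, but not issued by our CA.
make_rogue() {
    openssl req -new -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -config "$WORK/caconfig2.conf" -extensions ext \
        -keyout "$WORK/rogue.key" -out "$WORK/rogue.crt" 2>/dev/null
}

# IN/OUT: does the first certificate in $1 chain to a CA in $2? Prints ok or fail.
verify_chain() {
    if openssl x509 -in "$1" 2>/dev/null | openssl verify -CAfile "$2" >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}

# Names a SUBJECTS_* list could be matched against: the CN and every DNS subjectAltName
# (which fields the gateway really compares is not stated on this page; assumption).
cert_names() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed -n 's/.*CN=\([^,]*\).*/\1/p'
    openssl x509 -in "$1" -noout -text | tr ',' '\n' | sed -n 's/.*DNS:\([^ ]*\).*/\1/p'
}

# SUBJECTS_*: $2 is the space-separated allowed list; an empty list bypasses the check,
# as the article states for SUBJECTS_IN. Prints ok or fail.
match_subject() {
    if [ -z "$2" ]; then echo ok; return 0; fi
    for name in $(cert_names "$1"); do
        for allowed in $2; do
            if [ "$name" = "$allowed" ]; then echo ok; return 0; fi
        done
    done
    echo fail
}

write_configs; make_ca; make_agent; make_rogue
echo "agent.pem chains to cafile.pem:  $(verify_chain "$WORK/agent.pem" "$WORK/cafile.pem")"
echo "rogue cert chains to cafile.pem: $(verify_chain "$WORK/rogue.crt" "$WORK/cafile.pem")"
echo "agent name allowed:              $(match_subject "$WORK/agent.pem" subdomain.mycompany.com)"
echo "rogue name allowed (name only):  $(match_subject "$WORK/rogue.crt" subdomain.mycompany.com)"
```

The last two lines show why the SUBJECTS_* values imply IN/OUT: the rogue certificate passes the name check but fails the chain check, so a subject list on its own would not keep an impostor out. To reproduce the article's files exactly, point the real commands at rsa:1024/-sha1 as listed above; the generated cafile.pem and agent.pem are what is uploaded under SIP->General.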
External Documentation
A good introduction to TLS and an explanation of agent.pem and cafile.pem can be found in the FreeSWITCH wiki [1], which uses the same SIP stack (Sofia-SIP) as the beroNet VoIP gateway.