How to configure TLS
Creating a certificate
Create a file named caconfig1.conf
[ req ]
default_bits = 1024
prompt = no
distinguished_name = req_dn

[ req_dn ]
commonName = myCompany CA
organizationName = myCompany

[ ext ]
basicConstraints=CA:TRUE
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always
Create a file named caconfig2.conf
[ req ]
default_bits = 1024
prompt = no
distinguished_name = req_dn

[ req_dn ]
commonName = myCompany CA
organizationName = myCompany

[ ext ]
basicConstraints=CA:FALSE
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always
subjectAltName=DNS:subdomain.mycompany.com
Create a new CA certificate with openssl:
openssl req -new -out carequest.pem -newkey rsa:1024 -keyout cakey.pem -config caconfig1.conf -nodes -sha1
openssl x509 -req -signkey cakey.pem -in carequest.pem -out cafile.pem -extfile caconfig1.conf -extensions ext -days 365 -sha1
Generate a new certificate:
openssl req -new -out tmp.req -newkey rsa:1024 -keyout tmp.key -config caconfig2.conf -nodes -sha1
openssl x509 -req -CAkey cakey.pem -CA cafile.pem -CAcreateserial -in tmp.req -out tmp.crt -extfile caconfig2.conf -extensions ext -days 365 -sha1
Generate agent.pem:
cat tmp.crt tmp.key > agent.pem
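The steps above, run end to end and followed by the checks an operator should make before uploading the files, as an added example that is not beroNet's own script. It assumes the openssl CLI is on PATH. It deliberately departs from the page in two places, both marked in the code: it uses rsa:2048 and sha256 rather than rsa:1024 and sha1, and it sets the agent certificate's commonName to the hostname instead of reusing "myCompany CA"; the hostname itself is a placeholder.

```shell
#!/bin/sh
# Added example (not beroNet's script): build the CA and agent.pem as in the
# how-to above, then verify the result. Assumes openssl is on PATH.
# Deviations from the page, on purpose: rsa:2048 / sha256 instead of
# rsa:1024 / sha1, and the agent CN is the hostname. Hostname is a placeholder.
set -eu
WORK=${WORK:-$(mktemp -d)}
AGENT_FQDN=${AGENT_FQDN:-subdomain.mycompany.com}

write_configs() {
  cat > "$WORK/caconfig1.conf" <<EOF
[ req ]
default_bits = 2048
prompt = no
distinguished_name = req_dn
[ req_dn ]
commonName = myCompany CA
organizationName = myCompany
[ ext ]
basicConstraints=CA:TRUE
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always
EOF
  cat > "$WORK/caconfig2.conf" <<EOF
[ req ]
default_bits = 2048
prompt = no
distinguished_name = req_dn
[ req_dn ]
commonName = $AGENT_FQDN
organizationName = myCompany
[ ext ]
basicConstraints=CA:FALSE
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always
subjectAltName=DNS:$AGENT_FQDN
EOF
}

# Self-signed CA, then an agent certificate signed by it, then agent.pem.
make_certs() {
  write_configs
  openssl req -new -out "$WORK/carequest.pem" -newkey rsa:2048 -keyout "$WORK/cakey.pem" \
    -config "$WORK/caconfig1.conf" -nodes -sha256 2>/dev/null
  openssl x509 -req -signkey "$WORK/cakey.pem" -in "$WORK/carequest.pem" -out "$WORK/cafile.pem" \
    -extfile "$WORK/caconfig1.conf" -extensions ext -days 365 -sha256 2>/dev/null
  openssl req -new -out "$WORK/tmp.req" -newkey rsa:2048 -keyout "$WORK/tmp.key" \
    -config "$WORK/caconfig2.conf" -nodes -sha256 2>/dev/null
  openssl x509 -req -CAkey "$WORK/cakey.pem" -CA "$WORK/cafile.pem" -CAcreateserial \
    -in "$WORK/tmp.req" -out "$WORK/tmp.crt" \
    -extfile "$WORK/caconfig2.conf" -extensions ext -days 365 -sha256 2>/dev/null
  cat "$WORK/tmp.crt" "$WORK/tmp.key" > "$WORK/agent.pem"
}

# Exit 0 only if: agent.pem chains to cafile.pem, the CA really is a CA, the
# agent cert is not one, the SAN carries the hostname, and the private key in
# agent.pem belongs to the certificate in agent.pem.
check_certs() {
  openssl verify -CAfile "$WORK/cafile.pem" "$WORK/agent.pem" >/dev/null 2>&1 || return 1
  openssl x509 -in "$WORK/cafile.pem" -noout -text | grep -q 'CA:TRUE' || return 1
  openssl x509 -in "$WORK/agent.pem" -noout -text | grep -q 'CA:FALSE' || return 1
  openssl x509 -in "$WORK/agent.pem" -noout -ext subjectAltName | grep -q "DNS:$AGENT_FQDN" || return 1
  [ "$(openssl x509 -in "$WORK/agent.pem" -noout -pubkey)" = \
    "$(openssl pkey -in "$WORK/agent.pem" -pubout 2>/dev/null)" ] || return 1
  return 0
}

# Subject of the agent certificate, as a peer would list it for subject matching.
agent_subject() {
  openssl x509 -in "$WORK/agent.pem" -noout -subject -nameopt RFC2253
}

# Usage: sh make_agent_pem.sh run
if [ "${1:-}" = run ]; then
  make_certs && check_certs && echo "agent.pem and cafile.pem ready in $WORK" && agent_subject
fi
```

If `check_certs` fails after a manual run of the page's commands, the usual causes are that `agent.pem` was assembled from a key and certificate that do not belong together, or that the `[ ext ]` section was not applied (a missing `-extfile`/`-extensions` leaves the CA without `CA:TRUE`, and `openssl verify` then rejects the chain).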
Uploading Certificate
On the beroNet VoIP Gateway the agent.pem and the cafile.pem can be uploaded under SIP->General.
TLS Verify Policy
The following TLS behaviour can be configured by setting the tls_verify_policy option (currently under experimental options):
NONE: Do not verify Peer Certificates. (default setting)
IN: Drop incoming connections which fail signature verification against trusted certificate authorities. Peers must provide a certificate during the initial TLS Handshake.
OUT: Drop outgoing connections which fail signature verification against trusted certificate authorities.
ALL: Alias for (IN|OUT)
SUBJECTS_IN: Match the certificate subject on incoming connections against a provided list. If no match is found, the connection is rejected. If no list is provided, subject checking is bypassed. Note: Implies IN.
SUBJECTS_OUT: Match the certificate subject on outgoing connections against a provided list. If no match is found, the connection is rejected. Note: Implies OUT.
SUBJECTS_ALL: Alias for (SUBJECTS_IN|SUBJECTS_OUT)
These options can be combined using the |-operator.
e.g.:
tls_verify_policy=IN
tls_verify_policy=OUT
tls_verify_policy=IN|OUT (is the same as tls_verify_policy=ALL)
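A small model of the policy table above, added here to make the combination rules concrete; it is not the gateway's code. `policy_flags` expands a `|`-joined policy string into its effective flags (ALL and SUBJECTS_ALL aliases expanded, SUBJECTS_IN implying IN, SUBJECTS_OUT implying OUT), and `accept` applies the flags to a described connection. Two points are assumptions rather than page content: subjects are compared as exact strings, and an empty subject list under SUBJECTS_OUT is treated as a rejection (the page documents the bypass only for SUBJECTS_IN).

```shell
#!/bin/sh
# Added example modelling tls_verify_policy; not beroNet gateway code.

# policy_flags POLICY -> prints one effective flag per line, sorted.
policy_flags() {
  _flags=""
  _rest="$1|"
  while [ -n "$_rest" ]; do
    _tok=${_rest%%|*}
    _rest=${_rest#*|}
    case "$_tok" in
      NONE|"") ;;                                   # NONE adds nothing
      IN|OUT) _flags="$_flags $_tok" ;;
      ALL) _flags="$_flags IN OUT" ;;               # alias for IN|OUT
      SUBJECTS_IN) _flags="$_flags SUBJECTS_IN IN" ;;      # implies IN
      SUBJECTS_OUT) _flags="$_flags SUBJECTS_OUT OUT" ;;   # implies OUT
      SUBJECTS_ALL) _flags="$_flags SUBJECTS_IN IN SUBJECTS_OUT OUT" ;;
      *) echo "unknown tls_verify_policy flag: $_tok" >&2; return 1 ;;
    esac
  done
  for _f in $_flags; do printf '%s\n' "$_f"; done | sort -u
}

# has_flag POLICY FLAG -> exit 0 if FLAG is in effect under POLICY
has_flag() { policy_flags "$1" | grep -qx "$2"; }

# accept POLICY DIRECTION CHAIN_OK SUBJECT [ALLOWED_SUBJECT...]
#   DIRECTION  in | out
#   CHAIN_OK   yes | no   (signature verification against trusted CAs)
#   SUBJECT    subject of the peer certificate, or "-" if none was presented
#   ALLOWED    the configured subject list (assumed: exact string match)
# Exit status 0 = connection accepted, 1 = connection rejected.
accept() {
  _policy=$1; _dir=$2; _chain=$3; _subject=$4; shift 4
  case "$_dir" in
    in)  _verify=IN;  _match=SUBJECTS_IN ;;
    out) _verify=OUT; _match=SUBJECTS_OUT ;;
    *) echo "direction must be in or out" >&2; return 2 ;;
  esac
  has_flag "$_policy" "$_verify" || return 0          # no verification this way
  [ "$_subject" != "-" ] && [ "$_chain" = yes ] || return 1   # cert required and must chain
  has_flag "$_policy" "$_match" || return 0           # no subject matching requested
  if [ $# -eq 0 ]; then
    # Empty list: bypass is documented for SUBJECTS_IN only; for
    # SUBJECTS_OUT this model rejects (assumption, conservative).
    [ "$_dir" = in ] && return 0 || return 1
  fi
  for _allowed in "$@"; do
    [ "$_allowed" = "$_subject" ] && return 0
  done
  return 1
}
```

Reading the model: with the default NONE, `accept` never looks at the certificate; with IN alone, an incoming peer that presents no certificate is dropped but outgoing calls are untouched; SUBJECTS_IN with an empty list behaves exactly like IN.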
External Documentation
A good introduction to TLS and an explanation of agent.pem and cafile.pem can be found in the FreeSWITCH wiki [1], which uses the same SIP framework (Sofia-SIP) as the beroNet VoIP gateway.
If you need scheduled remote assistance, you can request our on-demand support services: https://www.beronet.com/support