How to configure TLS


Creating a certificate

Create a file named caconfig1.conf (request and extension sections for the CA certificate; 2048-bit keys instead of the original 1024, which current TLS stacks reject):

[ req ]
default_bits = 2048
prompt = no
distinguished_name = req_dn

[ req_dn ]
commonName = myCompany CA
organizationName = myCompany

[ ext ]
basicConstraints=CA:TRUE
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always

Create a file named caconfig2.conf. Unlike the CA config, the subject here names the gateway host rather than the CA (a certificate whose subject equals its issuer's name is treated as self-issued by some TLS stacks), and the same host name goes into subjectAltName, which is what peers match against:

[ req ]
default_bits = 2048
prompt = no
distinguished_name = req_dn

[ req_dn ]
commonName = subdomain.mycompany.com
organizationName = myCompany

[ ext ]
basicConstraints=CA:FALSE
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always
subjectAltName=DNS:subdomain.mycompany.com

Create a new CA certificate with openssl. The first command produces the CA key and a certificate request, the second self-signs the request with the extensions from the [ ext ] section. The original instructions used 1024-bit RSA keys and SHA-1 signatures; current TLS implementations reject both, so 2048-bit keys and SHA-256 are used here:

openssl req -new -out carequest.pem -newkey rsa:2048 -keyout cakey.pem -config caconfig1.conf -nodes -sha256
openssl x509 -req -signkey cakey.pem -in carequest.pem -out cafile.pem -extfile caconfig1.conf -extensions ext -days 365 -sha256

Generate a new certificate for the gateway, signed by the CA (-CAcreateserial creates the serial-number file cafile.srl next to cafile.pem on first use):

openssl req -new -out tmp.req -newkey rsa:2048 -keyout tmp.key -config caconfig2.conf -nodes -sha256
openssl x509 -req -CAkey cakey.pem -CA cafile.pem -CAcreateserial -in tmp.req -out tmp.crt -extfile caconfig2.conf -extensions ext -days 365 -sha256

Generate agent.pem by concatenating the gateway certificate and its private key:

cat tmp.crt tmp.key > agent.pem

Because of -nodes, agent.pem and cakey.pem contain unencrypted private keys: restrict their permissions (chmod 600) and keep cakey.pem off the gateway. Only agent.pem and cafile.pem are uploaded.
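The whole procedure above in one script, as an added example that is not part of the beroNet page: it builds the CA, issues the gateway certificate, bundles agent.pem, and then checks the result the way a peer configured with tls_verify_policy=IN|OUT (see TLS Verify Policy below) would, by chaining tmp.crt to cafile.pem and matching the host name. It also prints the subject string that a SUBJECTS_IN/SUBJECTS_OUT list would be matched against. It assumes the openssl command-line tool is installed; subdomain.mycompany.com is the page's placeholder host name, and the keyUsage/extendedKeyUsage lines are additions beyond the page's configs.

```shell
#!/bin/sh
# Added example (not the beroNet page's own script): CA, gateway certificate
# and agent.pem as in the procedure above, then the checks a verifying peer
# performs.  Assumes the openssl CLI; subdomain.mycompany.com is a placeholder.
set -eu

# Build the CA in directory $1: cakey.pem, carequest.pem, cafile.pem.
make_ca() {
  dir=$1
  cat >"$dir/caconfig1.conf" <<'EOF'
[ req ]
default_bits = 2048
prompt = no
distinguished_name = req_dn
[ req_dn ]
commonName = myCompany CA
organizationName = myCompany
[ ext ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
EOF
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$dir/caconfig1.conf" \
    -keyout "$dir/cakey.pem" -out "$dir/carequest.pem" 2>/dev/null
  openssl x509 -req -sha256 -days 365 -signkey "$dir/cakey.pem" \
    -in "$dir/carequest.pem" -extfile "$dir/caconfig1.conf" -extensions ext \
    -out "$dir/cafile.pem" 2>/dev/null
  chmod 600 "$dir/cakey.pem"
}

# Issue the gateway certificate for host $2 under the CA in $1 and bundle
# certificate plus key into agent.pem (the file uploaded to the gateway).
make_agent() {
  dir=$1 host=$2
  cat >"$dir/caconfig2.conf" <<EOF
[ req ]
default_bits = 2048
prompt = no
distinguished_name = req_dn
[ req_dn ]
commonName = $host
organizationName = myCompany
[ ext ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth,clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
subjectAltName = DNS:$host
EOF
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$dir/caconfig2.conf" \
    -keyout "$dir/tmp.key" -out "$dir/tmp.req" 2>/dev/null
  openssl x509 -req -sha256 -days 365 -CA "$dir/cafile.pem" -CAkey "$dir/cakey.pem" \
    -CAcreateserial -in "$dir/tmp.req" -extfile "$dir/caconfig2.conf" \
    -extensions ext -out "$dir/tmp.crt" 2>/dev/null
  cat "$dir/tmp.crt" "$dir/tmp.key" >"$dir/agent.pem"
  chmod 600 "$dir/tmp.key" "$dir/agent.pem"   # agent.pem carries the private key
}

# What a peer with IN/OUT checking does: certificate $2 must chain to the
# trusted CA file $1 and carry host name $3 in its subjectAltName.  The exit
# status is openssl verify's, so a foreign CA or a wrong name makes it fail.
verify_agent() {
  openssl verify -CAfile "$1" -verify_hostname "$3" "$2"
}

# The subject string a SUBJECTS_IN / SUBJECTS_OUT list is matched against.
cert_subject() {
  openssl x509 -noout -subject -in "$1"
}

main() {
  work=$(mktemp -d)
  make_ca "$work"
  make_agent "$work" subdomain.mycompany.com
  echo "upload $work/agent.pem and $work/cafile.pem under SIP->General"
  echo "subject for the SUBJECTS_* list: $(cert_subject "$work/tmp.crt")"
  verify_agent "$work/cafile.pem" "$work/tmp.crt" subdomain.mycompany.com
}

main
```

The negative cases matter as much as the positive one: verify_agent fails for a certificate issued by a different CA and for a host name that is not in subjectAltName, which is exactly what IN/OUT (chain check) and a subject list (name check) add over the default NONE.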

Uploading Certificate

On the beroNet VoIP Gateway, agent.pem and cafile.pem can be uploaded under SIP->General. agent.pem is the gateway's own certificate and private key, presented to peers during the TLS handshake; cafile.pem holds the CA the gateway trusts when it verifies peer certificates according to the TLS verify policy below.

TLS Verify Policy

The following TLS behaviour can be configured by setting the tls_verify_policy option (currently under experimental options):

NONE: Do not verify peer certificates (default setting).
IN: Drop incoming connections which fail signature verification against the trusted certificate authorities. Peers must provide a certificate during the initial TLS handshake.
OUT: Drop outgoing connections which fail signature verification against the trusted certificate authorities.
ALL: Alias for (IN|OUT).
SUBJECTS_IN: Match the certificate subject on incoming connections against a provided list. If no match is found, the connection is rejected. If no list is provided, subject checking is bypassed. Note: implies IN.
SUBJECTS_OUT: Match the certificate subject on outgoing connections against a provided list. If no match is found, the connection is rejected. Note: implies OUT.
SUBJECTS_ALL: Alias for (SUBJECTS_IN|SUBJECTS_OUT).

With the default NONE the connection is encrypted but the gateway never authenticates its peer: any SIP peer that can reach it is accepted whatever certificate it presents. Once cafile.pem is uploaded, set at least ALL so that incoming and outgoing connections must chain to the trusted CA, and use SUBJECTS_ALL with a subject list to restrict connections to known peers.

These options can be combined using the |-operator.

e.g.:

tls_verify_policy=IN
tls_verify_policy=OUT
tls_verify_policy=IN|OUT (is the same as tls_verify_policy=ALL)

External Documentation

A good introduction to TLS and an explanation of agent.pem and cafile.pem can be found in the FreeSWITCH wiki [1], which uses the same SIP stack (SOFIASIP) as the beroNet VoIP gateway.