소프트스위치

오늘:
1,073
어제:
2,481
전체:
2,776,499

고객센타 : 070-7752-2000
팩스 : 070-7752-2001
휴대폰 : 010-9513-0019
email : voipkorea@yahoo.co.kr

국민은행
(주)제이에스솔루션
047101-04-155519

Flag Counter
■ 무료 : 유선 집전화 휴대폰 ( 한국 미국 중국 카나다) ↔ (국내 해외 여행자 상사 주재원 유학생) / 가입무 무제한무료■


http://kb.smartvox.co.uk/opensips/using-tls-in-opensips-v2-2-x/#comment-1027


Using TLS in OpenSIPS v2.2.x

Using TLS with OpenSIPS: Why do we need it and how is it configured? While support for TLS existed in version 1, the configuration changed significantly in version 2. This article briefly covers the new v2 setup.

The role of TLS in VoIP calls

Sadly, we are all learning fast that unencrypted communication over the Internet is risky. You will no doubt be familiar with the use of https which provides secure, encrypted web browser sessions for things like online banking and e-shopping. The underlying mechanism for this is TLS (Transport Layer Security). The same mechanism is also available for SIP thereby allowing VoIP calls to be set up over a secure communication channel.

There are obvious commercial reasons for an ITSP to be able to offer this as a premium service or just as an inducement for customers to choose them rather than a rival who cannot offer it. In addition, TLS is likely to work better for mobile SIP clients because it is based on TCP rather than UDP so it is useful to have it as an option to allow support of the widest possible range of User Agent devices. Furthermore, it may be obligatory to use TLS for some applications such as where credit card numbers are being entered over the phone.

It is important to appreciate that SIP over TLS only provides encryption of the call’s setup messages and does not provide encryption of the media streams. If you require the media to be encrypted, then it is necessary to use SRTP rather than RTP. Usually, where media encryption is required, it also necessary to use TLS for the SIP messages to ensure that important meta-data cannot be intercepted during call setup. Configuration for SRTP is likely to be required on the end-points (FreeSwitch, Asterisk, etc) behind your OpenSIPS proxy and so is not discussed here.

Configuring OpenSIPS v2.2.x to support TLS communication

If you installed OpenSIPS using a source tarball, it is possible some of the required modules will not have been built. This is because they are treated as “not required” by default. You can check if they are present by looking in the <lib>/opensips/modules directory and looking for files proto_tls.so and tls_mgm.so, where <lib> is likely to be one of /lib or /lib64 or /usr/lib or /usr/lib64. If those files are not present alongside all the other “.so” files, then it will be necessary to rebuild from source, but first go into the make menuconfig forms and select ‘Configure Compile Options’ then ‘Configure Excluded Modules’ then select the two previously excluded modules; save; rebuild.

Looking at the opensips.cfg file, using version 2.2.3, you will need to include a listen statement a bit like this:

listen=tls:10.34.56.78:5061

OpenSIPS can listen on multiple ports and multiple interfaces using various protocols. So it is perfectly acceptable to have more than one listen statement and to have, for example, port 5060 listening for UDP connections alongside port 5061 listening for TLS.

Load the following modules, in addition to the usual ones:

loadmodule "tls_mgm.so"
loadmodule "proto_tls.so"

…and configure various parameters in the tls_mgm module using modparam statements, including:

modparam("tls_mgm", "tls_method", "SSLv23")        # This option seems to work nicely in most cases
modparam("tls_mgm", "certificate", "/etc/opensips/tls/mycerts/mycertfile.pem")  # Path to your server certificate file
modparam("tls_mgm", "private_key", "/etc/opensips/tls/mycerts/mykeyfile.pem")   # The path to your key certificate file

I was using self-signed certificates (.pem files), having previously set up my own Certificate Authority. If you are trying something similar, make sure you override SHA-1 encryption which openssl is likely to set as the default (it is no longer considered secure) and at least use SHA256. I did this by editing my openssl.cnf file and changing this line to

default_md = sha256
(previously it said default_md=md5)

You can, I believe, also set the desired encryption as a command line argument when you run openssl from the command line.

For my test rig, I added a modparam statement to define the “ca_list” parameter. This defines the path to a file containing the CA’s certificate or a certificate chain – again this was a .pem file. You may need this for commercially issued certs too.

My settings for certificate verification requirements were fairly easy-going, as follows:

modparam("tls_mgm", "verify_cert", "1")
modparam("tls_mgm", "require_cert", "0")

…and because I was using self-signed certificates it was also necessary to disable the stricter certificate checks on the client device too.

There is nothing special you do in the route blocks, but if you are setting up OpenSIPS as a Registrar server, a useful tip is to set the global parameter “tcp_connection_lifetime” to a value that is just larger than the maximum registration expire time you expect to see. Without this, the TLS connection established during registration is likely to be dropped before the next re-register happens. That, in turn, is likely to cause problems with requests sent to a UA behind NAT or behind a firewall (most are) meaning that the UA can make calls but cannot always receive them.

Here’s another small detail to watch out for, especially during testing: When a device has registered via TCP or TLS, the established network-level connection needs to remain active. However, every time you re-start the OpenSIPS service on your server it will break the network connection. This doesn’t happen with UDP. You should therefore try to avoid re-starting the service too many times when testing because it could send you up a blind alley regarding potential bugs and problems that would simply not happen if the service was left running uninterrupted.

Configuring the client device

There are too many client devices available for it to be possible to describe how they are all configured. However, I can offer some guidance based on a few specific examples and it will almost certainly be applicable to many others. My testing was done using self-signed certificates for the OpenSIPS server. This has the advantage of avoiding fees, but the disadvantage that your client devices will have very little trust for the server certificate. Sometimes, in this situation, you can disable server cert verification on the client app or you can install your own CA certificate on the client either as a generic device default or as an explicit file used by the VoIP app.

Using a Bria softphone, set up the account as usual and then select “Account Advanced” (under the heading Account Extras). Scroll down to the section entitled “Transport and Security” and tap on the SIP Transport setting which opens a set of radio buttons offering UDP, TCP, TLS and Auto. Select TLS. If you are using self-signed rather than commercial certificates on the server, you will almost certainly need to un-tick the option “Verify TLS Cert” which is in the TLS Cert Management section.

I found it more difficult setting up a Zoiper softphone, although the situation was confused because there was a curious lack of persistence on the ‘Disable certificate verification’ option. I recommend that you completely exit the Zoiper app then re-launch it after setting up an account because some settings may change through a restart.

Most of the relevant settings for the Zoiper softphone are found under the Accounts tab on the main “Preferences” form; select the account – or create a new one – and insert the usual settings for Domain, Username and Password on the ‘General’ tab. On the ‘Advanced’ tab of the user account, select “Use TLS transport” from the relevant drop-down and select the “Don’t use” option in the section called “TLS client certificate”.

You’re not done yet. Now click on the cog symbol at the top of the preferences form to get to the global ‘Advanced’ settings and in that select the “Security” tab. I found it necessary to copy the CA certificate (or certificate chain) to my device and then insert the path to this file in the box labelled “Extra CA Certificates (PEM)”. I also set Protocol suite to TLS v1 rather than SSL v2/3 and ticked the box ‘Use only strong ciphers’.

Testing it on an old Snom 360 phone with v7 firmware, the simplest way to make it use TLS was by adding the transport parameter to the end of the registrar address (or you can use the Outbound Proxy box too). I was testing on a LAN and set the Outbound Proxy as follows:

192.168.0.111;transport=tls

Please note that newer Snom phones may have stricter rules for TLS connections and verification of certificates etc.

On the Yealink T21P phone, there is a drop-down selector for “Transport” on the main account form. Set this to TLS. On the same form, set the Server Host port to 5061 or whatever port number you set on the server.

Next, go to the Security tab and select “Trusted Certificates” from the navigation panel on the left. When using self-signed certificates, I always set this as follows:

If you are using commercial server certificates, it should be possible to enable the option to only accept trusted certificates.

On my T21P E2 model, it was also necessary to change a setting under the Security tab in the section “Server Certificates”. Based on the description given on the Yealink data entry form, it doesn’t make a lot of sense. However, purely from trial-and-error I found it necessary to change the drop-down box labelled “Device Certificates” to Custom Certificates as shown below. This was not necessary on an older T26 handset running older firmware.

  What did you think of this article? Please vote by clicking a coloured button
 (33%) (67%) (0%) (0%)

1 thought on “Using TLS in OpenSIPS v2.2.x

조회 수 :
482
등록일 :
2017.09.14
14:49:57 (*.160.88.18)
엮인글 :
http://webs.co.kr/index.php?document_srl=3311886&act=trackback&key=5f0
게시글 주소 :
http://webs.co.kr/index.php?document_srl=3311886
List of Articles
번호 제목 글쓴이 날짜 조회 수
140 openssl 을 이용한 인증서 생성 절차를 정리한다. 개인키 CSR SSL 인증서 파일 생성 admin 2017-09-14 482
139 Documentation -> Tutorials -> TLS opensips.cfg admin 2017-09-14 488
» Using TLS in OpenSIPS v2.2.x admin 2017-09-14 482
137 opensips tls cfg admin 2017-09-14 480
136 How to setup a Jabber / XMPP server on Debian 8 (jessie) using ejabberd admin 2017-09-13 495
135 SIP to XMPP Gateway + SIP Presence Server opensips admin 2017-09-13 498
134 OpenSIPS command line tricks admin 2017-09-13 481
133 Fail2Ban Freeswitch How to secure admin 2017-09-12 516
132 opensips.cfg. sample admin 2017-09-12 497
131 Advanced SIP scenarios with Event-based-Routing admin 2017-09-11 514
130 PUSH SERVER 푸시서버 안드로이드 애플 admin 2017-09-11 517
129 오픈소스 (사내)메신저 서버 구축, 오픈 파이어(openfire) 설치방법과 세팅(리눅스 기준) admin 2017-09-09 520
128 rtpengine config basic and opensips configuration and command admin 2017-09-06 546
127 WebSocket Transport using OpenSIPS configuration 웹 소켓 컨피그레이션 기본 admin 2017-09-06 542
126 OpenSIPS basic configuration script 기본 컨피그 admin 2017-09-05 559
125 rtpengine install and config admin 2017-09-05 569
124 Installing RTPEngine on Ubuntu 14.04 admin 2017-09-05 576
123 compile only the textops module make modules=modules/textops modules admin 2017-09-05 564
122 opensips command /sbin/opensipsctl detail admin 2017-09-04 565
121 2017 08 31 opensips 2.32 install debian8.8 module install compile err modules admin 2017-09-04 563
120 Build-Depends debian 8.8 opensips 2.3 admin 2017-09-04 540
119 What is new in 2.3.0 opensips admin 2017-09-04 585
118 ubuntu 安装配置opensips,rtpproxy,mediaproxy admin 2017-09-04 562
117 How to install Mediaproxy 2.5.2 on CentOS 6 64 bit admin 2017-09-04 570
116 Using TLS in OpenSIPS v2.2.x configuration admin 2017-09-04 578
115 How to 2.3 download , OpenSIPS new apt repository. DEBs for Debian / Ubuntu admin 2017-09-02 569
114 You can install CDRTool in the following ways: admin 2017-09-01 581
113 How to Install OpenSIPS 2.1.2 Server on Ubuntu 15.04 admin 2017-09-01 575
112 Opensips 2.32 download admin 2017-09-01 590
111 OpenSIPS 2.3 install admin 2017-09-01 594
110 JsSIP: The JavaScript SIP Library admin 2017-09-01 585
109 WebSocket Transport using OpenSIPS admin 2017-09-01 600
108 A2Billing and OpenSIPS – Part 1 admin 2017-08-29 618
107 A2Billing and OpenSIPS – Part 2 admin 2017-08-29 615
106 A2Billing and OpenSIPS – Part 3 admin 2017-08-29 607
105 OpenSIPS 2.3 philosophy admin 2017-08-17 672
104 The timeline for OpenSIPS 2.3 is admin 2017-08-17 756
103 OpenSIPS Control Panel and Homer integration admin 2017-08-17 667
102 Opensips sip capture re designed admin 2017-07-16 892
101 WebRTC with OpenSIPS WebSocket is a protocol provides full-duplex admin 2015-04-04 5606
100 WebSocket Support in OpenSIPS 2.1 admin 2015-04-04 6249
99 OpenSIPS 2.1 (rc) is available, download now! admin 2015-03-22 5852
98 Service Provision Using Asterisk & OpenSIPS - AstriCon 2014 admin 2015-02-25 7418
97 SIP Signaling-Messages OpenSIPS Running On Multicore Server file admin 2014-11-02 15094
96 opensips.cfg for Asterisk admin 2014-10-20 17192
95 A2Billing and OpenSIPS config admin 2014-10-20 16581
94 Jitsi Videobridge meets WebRTC admin 2014-10-18 16594
93 A Survey of Open Source Products for Building a SIP Communication Platform admin 2014-10-18 16274
92 Script Function , Module Index v1.11 함수 모듈 opensips admin 2014-10-14 16432
91 Opensips TM module enables stateful processing of SIP transactions admin 2014-10-04 14193
90 kamailio.cfg configuration Example admin 2014-10-04 16268
89 opensips NAT Traversal Module admin 2014-10-02 15723
88 UAC Registrant Module admin 2014-09-28 17169
87 MediaProxy 2.3.x & OpenSIPS 1.5.x Integration admin 2014-08-24 16275
86 RTPPROXY Admin Guide admin 2014-08-24 16637
85 CANCEL MESSAGE not handled correctly admin 2014-08-23 16468
84 [Sipdroid] SIP data collection study tour admin 2014-08-23 17064
83 [OpenSIPS-Users] Opensips 1.10 NAT radius aaa admin 2014-08-23 17063
82 OpenSIPS Consultancy Pricing module install Server 판매 또는 설치및 컨설팅 가이드 admin 2014-08-23 16893
81 ICE: The ultimate way of beating NAT in SIP admin 2014-08-23 16725
80 Many OPENSIPS Configuration Examples This will Help you admin 2014-08-23 16434
79 Real-time Charging System for Telecom & ISP environments admin 2014-08-23 17012
78 OPENSIPS EBOOK admin 2014-08-21 16991
77 Opensips Documentation Function admin 2014-08-21 17207
76 Presence Tutorial OpenXCAP setup admin 2014-08-18 16232
75 Opensips Modules Documentation admin 2014-08-18 17080
74 A lightweight RPC library based on XML and HTTP admin 2014-08-18 16594
73 opensips Nat script with RTPPROXY - English Good perfect admin 2014-08-15 14672
72 OpenSIPS Control Panel (OCP) Installation Guide Good admin 2014-08-13 14589
71 Installation and configuration process record opensips opensips-cp admin 2014-08-13 23682
70 OpenSIPS as Homer Capture server admin 2014-08-13 14410
69 OpenSIPS , default script , Types of Routs , Routing in SIP, Video lecture admin 2014-08-13 16351
68 Configuracion de Kamailio 3.3 con NAT Traversal y XCAP. admin 2014-08-12 16752
67 Under RHEL6.5 install OpenSIPS 1.11.1 tls admin 2014-08-12 15630
66 OpenSIPS/OpenSER-a versatile SIP Server cfg admin 2014-08-11 17136
65 Kamailio Nat Traversal using RTPProxy admin 2014-08-11 16733
64 MediaProxy wiki page install configuration admin 2014-08-11 16709
63 오픈소스 (사내)메신저 서버 구축, 오픈 파이어(openfire) 설치방법과 세팅 admin 2014-08-11 25071
62 MediaProxy Installation Guide admin 2014-08-10 16298
61 RTPProxy 1.2.x Installation & Integration with OpenSIPS 1.5x admin 2014-08-10 17456
60 Opensips Installation, How to. Good guide wiki page admin 2014-08-10 14360
59 OpenSIPS Installation Notes admin 2014-08-09 13511
58 Installation and configuration process record opensips 1.9.1 admin 2014-08-09 15958
57 opensips 1.11.2 install Good Giide admin 2014-08-09 15947
56 fusionPBX install debian wheezy admin 2014-08-09 16590
55 opensips 1.11.2 install guide good 인스톨 가이드 admin 2014-08-09 15968
54 SigIMS IMS Platform admin 2014-05-24 17355
53 2013 2012년 분야별 최고의 오픈소스 소프트웨어 124선 admin 2014-04-05 16727
52 Video conference server OpenMCU-ru - Introduction admin 2014-04-01 19395
51 SIPSorcery admin 2014-03-18 17531
50 Ekiga (formely known as GnomeMeeting) is an open source SoftPhone admin 2014-03-12 17938
49 telepresence: Open Source SIP Telepresence/MCU admin 2014-03-12 19667
48 SIP PBX - OpenSIPS and Asterisk configuration admin 2014-03-12 15514
47 Conference Support in Kamailio (OpenSER) admin 2014-03-12 18020
46 OpenSIPS configuration for 2 or more FreeSWITCH installs admin 2014-03-12 15477
45 The Impact of TLS on SIP Server Performance file admin 2014-03-12 17814
44 book-opensips-101 / content / 3.2. SIP TLS Secure Calling.mediawiki admin 2014-03-12 16642
43 Where to check OpenSIPS does not start? admin 2014-03-09 17239
42 opensips-1.10.0_src.tar.gz experimental source code documentation admin 2014-03-09 18157
41 Kamailo OpenSIPs installation on Debian admin 2014-03-09 16357
40 Using the openSIPS Registrant Module admin 2014-03-09 18101
39 RTPproxy Frequentry Asked Questions (FAQ) ¶ admin 2014-03-07 16152
38 Building Telephony Systems with OpenSIPS 1.6 RTPProxy + OpenSIPS 1.7 admin 2014-03-07 17656
37 Installing RTPproxy Start RTPproxy in Bridged mode very good admin 2014-03-07 21297
36 OpenSIPS Control Panel (OCP) Installation Guide admin 2014-03-06 16015
35 OpenSIPS Control Panel install guide admin 2014-03-06 16845
34 rtpproxy Module admin 2014-03-06 17668
33 MediaProxy Installation Guide admin 2014-03-06 18434
32 How to install OpenSIPS on CentOS debian module add xcap admin 2014-03-06 18244
31 Problem with presence_xml module Opensips 1.9 admin 2014-03-06 17791
30 Building Telephony Systems with OpenSIPS 1.6 books file admin 2014-03-06 18593
29 Multimedia Service Platform admin 2014-03-06 17078
28 How to install OpenSIPS on CentOS Debian etc admin 2014-03-05 18095
27 Opensips Installation, How to. admin 2014-03-05 14483
26 100% CPU usage opensips admin 2014-03-05 17337
25 A2Billing and OpenSIPS admin 2014-03-04 18221
24 Opensips_1.9 install guide this is great I like this admin 2014-03-04 22315
23 Opensips install debian admin 2014-03-03 18369
22 Open Source VOIP applications, both clients and servers. admin 2013-11-20 18653
21 OfficeSIP Server is freeware VoIP, SIP server for Windows admin 2013-09-11 19326
20 My new toy: Bluebox-ng admin 2013-04-06 32355
19 Flooding Asterisk, Freeswitch and Kamailio with Metasploit admin 2013-04-06 28065
18 Asterisk Installation Asterisk Realtime configuration admin 2013-04-06 22093
17 The SIP Router Project admin 2013-04-06 21178
16 Kamailio :: A Quick Introduction admin 2013-04-06 18208
15 Welcome to the Smartvox Knowledgebase admin 2013-04-06 18953
14 Kamailio 3.3.x and Asterisk 10.7.0 Realtime Integration using Asterisk Database admin 2013-04-06 21835
13 OpenSIPS vs Asterisk admin 2013-04-06 28074
12 OpenSER_from_an_asterisk_POV file admin 2013-04-06 18903
11 Using SIP Devices behind NAT OPensip Asterisk IPPhone SIP Telephony file admin 2013-03-31 35117
10 rfc5766-turn-server admin 2013-03-21 20736
9 OpenSIPS Kick Start‎: VIDEO admin 2013-02-20 18145
8 OPENSIP Training VIDEO admin 2013-02-20 18058
7 What is new in 1.8.0 opensip admin 2012-05-21 39315
6 Asterisk v1.4x built on FreeBSD v7.1 UNIX admin 2012-01-06 29766
5 SIP 트래픽 생성 테스트 툴 admin 2011-12-23 38301
4 사설 망 환경에서 SIP 의 NAT Traversal 문제 admin 2011-12-23 33061
3 the OpenSIPS Project OpenSIP admin 2011-12-14 18146
2 OpenH323 Gatekeeper - The GNU Gatekeeper admin 2011-12-14 22889
1 The FreeRADIUS Project admin 2011-12-14 19371