한국어

소프트스위치

온누리070 플레이스토어 다운로드
    acrobits softphone
     온누리 070 카카오 프러스 친구추가온누리 070 카카오 프러스 친구추가친추
     카카오톡 채팅 상담 카카오톡 채팅 상담카톡
    
     라인상담
     라인으로 공유

     페북공유

   ◎위챗 : speedseoul


  
     PAYPAL
     
     PRICE
     

pixel.gif

    before pay call 0088 from app



http://kb.smartvox.co.uk/opensips/using-tls-in-opensips-v2-2-x/#comment-1027


Using TLS in OpenSIPS v2.2.x

Using TLS with OpenSIPS: Why do we need it and how is it configured? While support for TLS existed in version 1, the configuration changed significantly in version 2. This article briefly covers the new v2 setup.

The role of TLS in VoIP calls

Sadly, we are all learning fast that unencrypted communication over the Internet is risky. You will no doubt be familiar with the use of https which provides secure, encrypted web browser sessions for things like online banking and e-shopping. The underlying mechanism for this is TLS (Transport Layer Security). The same mechanism is also available for SIP thereby allowing VoIP calls to be set up over a secure communication channel.

There are obvious commercial reasons for an ITSP to be able to offer this as a premium service or just as an inducement for customers to choose them rather than a rival who cannot offer it. In addition, TLS is likely to work better for mobile SIP clients because it is based on TCP rather than UDP so it is useful to have it as an option to allow support of the widest possible range of User Agent devices. Furthermore, it may be obligatory to use TLS for some applications such as where credit card numbers are being entered over the phone.

It is important to appreciate that SIP over TLS only provides encryption of the call’s setup messages and does not provide encryption of the media streams. If you require the media to be encrypted, then it is necessary to use SRTP rather than RTP. Usually, where media encryption is required, it also necessary to use TLS for the SIP messages to ensure that important meta-data cannot be intercepted during call setup. Configuration for SRTP is likely to be required on the end-points (FreeSwitch, Asterisk, etc) behind your OpenSIPS proxy and so is not discussed here.

Configuring OpenSIPS v2.2.x to support TLS communication

If you installed OpenSIPS using a source tarball, it is possible some of the required modules will not have been built. This is because they are treated as “not required” by default. You can check if they are present by looking in the <lib>/opensips/modules directory and looking for files proto_tls.so and tls_mgm.so, where <lib> is likely to be one of /lib or /lib64 or /usr/lib or /usr/lib64. If those files are not present alongside all the other “.so” files, then it will be necessary to rebuild from source, but first go into the make menuconfig forms and select ‘Configure Compile Options’ then ‘Configure Excluded Modules’ then select the two previously excluded modules; save; rebuild.

Looking at the opensips.cfg file, using version 2.2.3, you will need to include a listen statement a bit like this:

listen=tls:10.34.56.78:5061

OpenSIPS can listen on multiple ports and multiple interfaces using various protocols. So it is perfectly acceptable to have more than one listen statement and to have, for example, port 5060 listening for UDP connections alongside port 5061 listening for TLS.

Load the following modules, in addition to the usual ones:

loadmodule "tls_mgm.so"
loadmodule "proto_tls.so"

…and configure various parameters in the tls_mgm module using modparam statements, including:

modparam("tls_mgm", "tls_method", "SSLv23")        # This option seems to work nicely in most cases
modparam("tls_mgm", "certificate", "/etc/opensips/tls/mycerts/mycertfile.pem")  # Path to your server certificate file
modparam("tls_mgm", "private_key", "/etc/opensips/tls/mycerts/mykeyfile.pem")   # The path to your key certificate file

I was using self-signed certificates (.pem files), having previously set up my own Certificate Authority. If you are trying something similar, make sure you override SHA-1 encryption which openssl is likely to set as the default (it is no longer considered secure) and at least use SHA256. I did this by editing my openssl.cnf file and changing this line to

default_md = sha256
(previously it said default_md=md5)

You can, I believe, also set the desired encryption as a command line argument when you run openssl from the command line.

For my test rig, I added a modparam statement to define the “ca_list” parameter. This defines the path to a file containing the CA’s certificate or a certificate chain – again this was a .pem file. You may need this for commercially issued certs too.

My settings for certificate verification requirements were fairly easy-going, as follows:

modparam("tls_mgm", "verify_cert", "1")
modparam("tls_mgm", "require_cert", "0")

…and because I was using self-signed certificates it was also necessary to disable the stricter certificate checks on the client device too.

There is nothing special you do in the route blocks, but if you are setting up OpenSIPS as a Registrar server, a useful tip is to set the global parameter “tcp_connection_lifetime” to a value that is just larger than the maximum registration expire time you expect to see. Without this, the TLS connection established during registration is likely to be dropped before the next re-register happens. That, in turn, is likely to cause problems with requests sent to a UA behind NAT or behind a firewall (most are) meaning that the UA can make calls but cannot always receive them.

Here’s another small detail to watch out for, especially during testing: When a device has registered via TCP or TLS, the established network-level connection needs to remain active. However, every time you re-start the OpenSIPS service on your server it will break the network connection. This doesn’t happen with UDP. You should therefore try to avoid re-starting the service too many times when testing because it could send you up a blind alley regarding potential bugs and problems that would simply not happen if the service was left running uninterrupted.

Configuring the client device

There are too many client devices available for it to be possible to describe how they are all configured. However, I can offer some guidance based on a few specific examples and it will almost certainly be applicable to many others. My testing was done using self-signed certificates for the OpenSIPS server. This has the advantage of avoiding fees, but the disadvantage that your client devices will have very little trust for the server certificate. Sometimes, in this situation, you can disable server cert verification on the client app or you can install your own CA certificate on the client either as a generic device default or as an explicit file used by the VoIP app.

Using a Bria softphone, set up the account as usual and then select “Account Advanced” (under the heading Account Extras). Scroll down to the section entitled “Transport and Security” and tap on the SIP Transport setting which opens a set of radio buttons offering UDP, TCP, TLS and Auto. Select TLS. If you are using self-signed rather than commercial certificates on the server, you will almost certainly need to un-tick the option “Verify TLS Cert” which is in the TLS Cert Management section.

I found it more difficult setting up a Zoiper softphone, although the situation was confused because there was a curious lack of persistence on the ‘Disable certificate verification’ option. I recommend that you completely exit the Zoiper app then re-launch it after setting up an account because some settings may change through a restart.

Most of the relevant settings for the Zoiper softphone are found under the Accounts tab on the main “Preferences” form; select the account – or create a new one – and insert the usual settings for Domain, Username and Password on the ‘General’ tab. On the ‘Advanced’ tab of the user account, select “Use TLS transport” from the relevant drop-down and select the “Don’t use” option in the section called “TLS client certificate”.

You’re not done yet. Now click on the cog symbol at the top of the preferences form to get to the global ‘Advanced’ settings and in that select the “Security” tab. I found it necessary to copy the CA certificate (or certificate chain) to my device and then insert the path to this file in the box labelled “Extra CA Certificates (PEM)”. I also set Protocol suite to TLS v1 rather than SSL v2/3 and ticked the box ‘Use only strong ciphers’.

Testing it on an old Snom 360 phone with v7 firmware, the simplest way to make it use TLS was by adding the transport parameter to the end of the registrar address (or you can use the Outbound Proxy box too). I was testing on a LAN and set the Outbound Proxy as follows:

192.168.0.111;transport=tls

Please note that newer Snom phones may have stricter rules for TLS connections and verification of certificates etc.

On the Yealink T21P phone, there is a drop-down selector for “Transport” on the main account form. Set this to TLS. On the same form, set the Server Host port to 5061 or whatever port number you set on the server.

Next, go to the Security tab and select “Trusted Certificates” from the navigation panel on the left. When using self-signed certificates, I always set this as follows:

If you are using commercial server certificates, it should be possible to enable the option to only accept trusted certificates.

On my T21P E2 model, it was also necessary to change a setting under the Security tab in the section “Server Certificates”. Based on the description given on the Yealink data entry form, it doesn’t make a lot of sense. However, purely from trial-and-error I found it necessary to change the drop-down box labelled “Device Certificates” to Custom Certificates as shown below. This was not necessary on an older T26 handset running older firmware.

  What did you think of this article? Please vote by clicking a coloured button
 (33%) (67%) (0%) (0%)

1 thought on “Using TLS in OpenSIPS v2.2.x

조회 수 :
4767
등록일 :
2017.09.14
14:49:57 (*.160.88.18)
엮인글 :
http://webs.co.kr/index.php?document_srl=3311886&act=trackback&key=50a
게시글 주소 :
http://webs.co.kr/index.php?document_srl=3311886
List of Articles
번호 제목 글쓴이 조회 수 추천 수 날짜
162 Opensips Gateway between SIP and SMPP messages admin 79   2019-02-19
 
161 smpp sms opensips admin 76   2019-02-19
 
160 Busy Lamp Field (BLF) feature on Opensips 2.4.0 with Zoiper configuration admin 1784   2018-05-29
 
159 Documentation -> Tutorials -> WebSocket Transport using OpenSIPS admin 1650   2018-05-17
 
158 List of SIP response codes admin 3306   2017-12-20
 
157 opensips/modules/event_routing/ Push Notification Call pickup admin 2868   2017-12-20
 
156 opensips push notification How to detail file admin 2770   2017-12-20
 
155 OpenSIPS routing logic admin 2844   2017-12-12
 
154 OpenSIPS example configuration admin 2827   2017-12-12
 
153 opensips log output admin 2831   2017-12-11
 
152 opensips complete configuration example admin 2920   2017-12-10
 
151 Opensips1.6 ebook detail configuration and SIP signal and NAT etc file admin 2920   2017-12-10
 
150 dictionary.opensips radius admin 3838   2017-12-09
 
149 what is record_route() in opensips ? admin 3763   2017-12-09
 
148 what is loose_route() in opensips ? file admin 3884   2017-12-09
 
147 in opensips what is lookup(domain [, flags [, aor]]) admin 3797   2017-12-09
 
146 in opensips db_does_uri_exist() what is admin 3642   2017-12-09
 
145 in opensips what is has_totag() admin 3794   2017-12-09
 
144 opensips exec module admin 3971   2017-12-08
 
143 opensips push notification How to admin 3743   2017-12-07
 
142 OpenSIPS Module Interface admin 3880   2017-12-07
 
141 opensips configuration config explain easy basic 오픈쉽스 컨피그레이션 기본 설명 file admin 3929   2017-12-07
 
140 openssl 을 이용한 인증서 생성 절차를 정리한다. 개인키 CSR SSL 인증서 파일 생성 admin 5009   2017-09-14
 
139 Documentation -> Tutorials -> TLS opensips.cfg admin 4786   2017-09-14
 
» Using TLS in OpenSIPS v2.2.x admin 4767   2017-09-14
http://kb.smartvox.co.uk/opensips/using-tls-in-opensips-v2-2-x/#comment-1027 Using TLS in OpenSIPS v2.2.xMarch 16, 2017 by Smartvox Using TLS with OpenSIPS: Why do we need it and how is it configured? W...  
137 opensips tls cfg admin 4901   2017-09-14
 
136 How to setup a Jabber / XMPP server on Debian 8 (jessie) using ejabberd admin 5407   2017-09-13
 
135 SIP to XMPP Gateway + SIP Presence Server opensips admin 4746   2017-09-13
 
134 OpenSIPS command line tricks admin 4719   2017-09-13
 
133 Fail2Ban Freeswitch How to secure admin 5000   2017-09-12
 
132 opensips.cfg. sample admin 4712   2017-09-12
 
131 Advanced SIP scenarios with Event-based-Routing admin 4858   2017-09-11
 
130 PUSH SERVER 푸시서버 안드로이드 애플 admin 5219   2017-09-11
 
129 오픈소스 (사내)메신저 서버 구축, 오픈 파이어(openfire) 설치방법과 세팅(리눅스 기준) admin 12593   2017-09-09
 
128 rtpengine config basic and opensips configuration and command admin 5012   2017-09-06
 
127 WebSocket Transport using OpenSIPS configuration 웹 소켓 컨피그레이션 기본 admin 4828   2017-09-06
 
126 OpenSIPS basic configuration script 기본 컨피그 admin 4963   2017-09-05
 
125 rtpengine install and config admin 4911   2017-09-05
 
124 Installing RTPEngine on Ubuntu 14.04 admin 5004   2017-09-05
 
123 compile only the textops module make modules=modules/textops modules admin 4903   2017-09-05
 
122 opensips command /sbin/opensipsctl detail admin 4988   2017-09-04
 
121 2017 08 31 opensips 2.32 install debian8.8 module install compile err modules admin 4940   2017-09-04
 
120 Build-Depends debian 8.8 opensips 2.3 admin 4820   2017-09-04
 
119 What is new in 2.3.0 opensips admin 5586   2017-09-04
 
118 ubuntu 安装配置opensips,rtpproxy,mediaproxy admin 5189   2017-09-04
 
117 How to install Mediaproxy 2.5.2 on CentOS 6 64 bit admin 5393   2017-09-04
 
116 Using TLS in OpenSIPS v2.2.x configuration admin 5071   2017-09-04
 
115 How to 2.3 download , OpenSIPS new apt repository. DEBs for Debian / Ubuntu admin 5042   2017-09-02
 
114 You can install CDRTool in the following ways: admin 5255   2017-09-01
 
113 How to Install OpenSIPS 2.1.2 Server on Ubuntu 15.04 admin 5252   2017-09-01
 
112 Opensips 2.32 download admin 5020   2017-09-01
 
111 OpenSIPS 2.3 install admin 5306   2017-09-01
 
110 JsSIP: The JavaScript SIP Library admin 5293   2017-09-01
 
109 WebSocket Transport using OpenSIPS admin 5378   2017-09-01
 
108 A2Billing and OpenSIPS – Part 1 admin 5101   2017-08-29
 
107 A2Billing and OpenSIPS – Part 2 admin 4997   2017-08-29
 
106 A2Billing and OpenSIPS – Part 3 admin 5214   2017-08-29
 
105 OpenSIPS 2.3 philosophy admin 5707   2017-08-17
 
104 The timeline for OpenSIPS 2.3 is admin 5882   2017-08-17
 
103 OpenSIPS Control Panel and Homer integration admin 5821   2017-08-17
 
102 Opensips sip capture re designed admin 5378   2017-07-16
 
101 WebRTC with OpenSIPS WebSocket is a protocol provides full-duplex admin 10357   2015-04-04
 
100 WebSocket Support in OpenSIPS 2.1 admin 11248   2015-04-04
 
99 OpenSIPS 2.1 (rc) is available, download now! admin 10249   2015-03-22
 
98 Service Provision Using Asterisk & OpenSIPS - AstriCon 2014 admin 11962   2015-02-25
 
97 SIP Signaling-Messages OpenSIPS Running On Multicore Server file admin 19571   2014-11-02
 
96 opensips.cfg for Asterisk admin 21764   2014-10-20
 
95 A2Billing and OpenSIPS config admin 21096   2014-10-20
 
94 Jitsi Videobridge meets WebRTC admin 22283   2014-10-18
 
93 A Survey of Open Source Products for Building a SIP Communication Platform admin 20725   2014-10-18
 
92 Script Function , Module Index v1.11 함수 모듈 opensips admin 20954   2014-10-14
 
91 Opensips TM module enables stateful processing of SIP transactions admin 18635   2014-10-04
 
90 kamailio.cfg configuration Example admin 20867   2014-10-04
 
89 opensips NAT Traversal Module admin 20185   2014-10-02
 
88 UAC Registrant Module admin 21935   2014-09-28
 
87 MediaProxy 2.3.x & OpenSIPS 1.5.x Integration admin 21079   2014-08-24
 
86 RTPPROXY Admin Guide admin 21458   2014-08-24
 
85 CANCEL MESSAGE not handled correctly admin 21222   2014-08-23
 
84 [Sipdroid] SIP data collection study tour admin 21674   2014-08-23
 
83 [OpenSIPS-Users] Opensips 1.10 NAT radius aaa admin 21680   2014-08-23
 
82 OpenSIPS Consultancy Pricing module install Server 판매 또는 설치및 컨설팅 가이드 admin 21577   2014-08-23
 
81 ICE: The ultimate way of beating NAT in SIP admin 21235   2014-08-23
 
80 Many OPENSIPS Configuration Examples This will Help you admin 20918   2014-08-23
 
79 Real-time Charging System for Telecom & ISP environments admin 21645   2014-08-23
 
78 OPENSIPS EBOOK admin 21767   2014-08-21
 
77 Opensips Documentation Function admin 21535   2014-08-21
 
76 Presence Tutorial OpenXCAP setup admin 21018   2014-08-18
 
75 Opensips Modules Documentation admin 21743   2014-08-18
 
74 A lightweight RPC library based on XML and HTTP admin 20960   2014-08-18
 
73 opensips Nat script with RTPPROXY - English Good perfect admin 19579   2014-08-15
 
72 OpenSIPS Control Panel (OCP) Installation Guide Good admin 19719   2014-08-13
 
71 Installation and configuration process record opensips opensips-cp admin 45649   2014-08-13
 
70 OpenSIPS as Homer Capture server admin 18869   2014-08-13
 
69 OpenSIPS , default script , Types of Routs , Routing in SIP, Video lecture admin 21010   2014-08-13
 
68 Configuracion de Kamailio 3.3 con NAT Traversal y XCAP. admin 21481   2014-08-12
 
67 Under RHEL6.5 install OpenSIPS 1.11.1 tls admin 20730   2014-08-12
 
66 OpenSIPS/OpenSER-a versatile SIP Server cfg admin 21651   2014-08-11
 
65 Kamailio Nat Traversal using RTPProxy admin 21233   2014-08-11
 
64 MediaProxy wiki page install configuration admin 21270   2014-08-11
 
63 오픈소스 (사내)메신저 서버 구축, 오픈 파이어(openfire) 설치방법과 세팅 admin 38495   2014-08-11
 
62 MediaProxy Installation Guide admin 20811   2014-08-10
 
61 RTPProxy 1.2.x Installation & Integration with OpenSIPS 1.5x admin 22031   2014-08-10
 
60 Opensips Installation, How to. Good guide wiki page admin 18989   2014-08-10
 
59 OpenSIPS Installation Notes admin 18523   2014-08-09
 
58 Installation and configuration process record opensips 1.9.1 admin 30834   2014-08-09
 
57 opensips 1.11.2 install Good Giide admin 21982   2014-08-09
 
56 fusionPBX install debian wheezy admin 21001   2014-08-09
 
55 opensips 1.11.2 install guide good 인스톨 가이드 admin 21262   2014-08-09
 
54 SigIMS IMS Platform admin 21595   2014-05-24
 
53 2013 2012년 분야별 최고의 오픈소스 소프트웨어 124선 admin 25662   2014-04-05
 
52 Video conference server OpenMCU-ru - Introduction admin 24169   2014-04-01
 
51 SIPSorcery admin 21989   2014-03-18
 
50 Ekiga (formely known as GnomeMeeting) is an open source SoftPhone admin 22406   2014-03-12
 
49 telepresence: Open Source SIP Telepresence/MCU admin 44022   2014-03-12
 
48 SIP PBX - OpenSIPS and Asterisk configuration admin 33488   2014-03-12
 
47 Conference Support in Kamailio (OpenSER) admin 28820   2014-03-12
 
46 OpenSIPS configuration for 2 or more FreeSWITCH installs admin 20470   2014-03-12
 
45 The Impact of TLS on SIP Server Performance file admin 22072   2014-03-12
 
44 book-opensips-101 / content / 3.2. SIP TLS Secure Calling.mediawiki admin 21300   2014-03-12
 
43 Where to check OpenSIPS does not start? admin 21388   2014-03-09
 
42 opensips-1.10.0_src.tar.gz experimental source code documentation admin 22409   2014-03-09
 
41 Kamailo OpenSIPs installation on Debian admin 27240   2014-03-09
 
40 Using the openSIPS Registrant Module admin 22838   2014-03-09
 
39 RTPproxy Frequentry Asked Questions (FAQ) ¶ admin 20817   2014-03-07
 
38 Building Telephony Systems with OpenSIPS 1.6 RTPProxy + OpenSIPS 1.7 admin 21946   2014-03-07
 
37 Installing RTPproxy Start RTPproxy in Bridged mode very good admin 34569   2014-03-07
 
36 OpenSIPS Control Panel (OCP) Installation Guide admin 20525   2014-03-06
 
35 OpenSIPS Control Panel install guide admin 21716   2014-03-06
 
34 rtpproxy Module admin 21774   2014-03-06
 
33 MediaProxy Installation Guide admin 29221   2014-03-06
 
32 How to install OpenSIPS on CentOS debian module add xcap admin 22581   2014-03-06
 
31 Problem with presence_xml module Opensips 1.9 admin 22092   2014-03-06
 
30 Building Telephony Systems with OpenSIPS 1.6 books file admin 23078   2014-03-06
 
29 Multimedia Service Platform admin 21423   2014-03-06
 
28 How to install OpenSIPS on CentOS Debian etc admin 22250   2014-03-05
 
27 Opensips Installation, How to. admin 18847   2014-03-05
 
26 100% CPU usage opensips admin 21619   2014-03-05
 
25 A2Billing and OpenSIPS admin 22871   2014-03-04
 
24 Opensips_1.9 install guide this is great I like this admin 28739   2014-03-04
 
23 Opensips install debian admin 22692   2014-03-03
 
22 Open Source VOIP applications, both clients and servers. admin 23134   2013-11-20
 
21 OfficeSIP Server is freeware VoIP, SIP server for Windows admin 24290   2013-09-11
 
20 My new toy: Bluebox-ng admin 38486   2013-04-06
 
19 Flooding Asterisk, Freeswitch and Kamailio with Metasploit admin 40080   2013-04-06
 
18 Asterisk Installation Asterisk Realtime configuration admin 27112   2013-04-06
 
17 The SIP Router Project admin 26119   2013-04-06
 
16 Kamailio :: A Quick Introduction admin 23527   2013-04-06
 
15 Welcome to the Smartvox Knowledgebase admin 23881   2013-04-06
 
14 Kamailio 3.3.x and Asterisk 10.7.0 Realtime Integration using Asterisk Database admin 28721   2013-04-06
 
13 OpenSIPS vs Asterisk admin 69684   2013-04-06