한국어

소프트스위치

온누리070 플레이스토어 다운로드
    acrobits softphone
     온누리 070 카카오 프러스 친구추가온누리 070 카카오 프러스 친구추가친추
     카카오톡 채팅 상담 카카오톡 채팅 상담카톡
    
     라인상담
     라인으로 공유

    
공유하기
페북공유

   ◎위챗 : speedseoul


  
     PAYPAL
     
     PRICE
     

pixel.gif

    before pay call 0088 from app
글 수 171

book-opensips-101 / content / 3.2. SIP TLS Secure Calling.mediawiki

admin

https://github.com/antonraharja/book-opensips-101/blob/master/content/0.%20Table%20of%20Contents.mediawiki



https://github.com/antonraharja/book-opensips-101/blob/master/content/3.2.%20SIP%20TLS%20Secure%20Calling.mediawiki



able of Contents

Preface

Secure call can be achieved by enabling TLS. Once implemented SIP UA can choose to use transport TLS instead of UDP or TCP. The advantage of choosing TLS is that the SIP traffic exchanged between SIP UA and OpenSIPS will be encrypted, meaning it will take a considerable amount of time and effort to read it without the encryption key, if not possible.

Please note that the media it self will not be protected by this setup. In order to also secure the media, SIP UA need to be configured to use mandatory SRTP. That will force SIP UA to encrypt the media before transfer.

Several free SIP UA examples known to work or provide TLS and SRTP:

To enable TLS support in OpenSIPS we need to follow these steps:

  1. OpenSIPS and its modules compiled with option TLS=1
  2. Create TLS certificates
  3. Configure opensips.cfg with TLS options
  4. Verify config and test

We already done the first step on compile time, so we will start with step 2 in this chapter.

Step 2: Create TLS certificates

Before we start please remember that our OpenSIPS is in /root/src/opensips/opensips-1.9.1-tls/ and our installed OpenSIPS config files are in /usr/local/etc/opensips/.

Copy example openssl certificates to /usr/local/etc/opensips/tls/:

 cd /root/src/opensips/opensips-1.9.1-tls/
 cp -rR etc/tls /usr/local/etc/opensips/

Re-create local root Certificate Authority (CA). First we need to edit the ca.conf:

 cd /usr/local/etc/opensips/tls/
 vi ca.conf

Look for Please update sentence somewhere in ca.conf, they are near the bottom of the file. Update certificates parameters to suit your setups. If possible the commonName parameter is unique.

Save ca.conf and exit editor.

Run this command to re-create root CA in /usr/local/etc/opensips/tls/rootCA/:

 opensipsctl tls rootCA

Continue the process creating certificates, now we need to create our server certificate:

 cd /usr/local/etc/opensips/tls/
 cp user.conf server.conf
 vi server.conf

Look for Please update sentence somewhere in server.conf, they are quite easy to find. Update certificates parameters to suit your setups. Make sure that commonName parameter is pointing to OpenSIPS server IP, or your domain name that will be use as OpenSIPS server IP.

Run this command to create server certificate in /usr/local/etc/opensips/tls/server/:

 opensipsctl tls userCERT server

There will be 3 important files created, they are:

  • /usr/local/etc/opensips/tls/server/server-cert.pem
  • /usr/local/etc/opensips/tls/server/server-privkey.pem
  • /usr/local/etc/opensips/tls/server/server-calist.pem.

Step 3: Configure opensips.cfg with TLS options

Edit /usr/local/etc/opensips/opensips.cfg and locate for option disable_tls. By default it should have sets disable_tls=yes, meaning TLS is disabled.

Change disable_tls=yes to disable_tls=no and then paste below options:

 disable_tls = no
 listen = tls:192.168.56.45:5061
 tls_verify_server = 1
 tls_verify_client = 1
 tls_require_client_certificate = 0
 tls_method = TLSv1
 tls_certificate = "/usr/local/etc/opensips/tls/server/server-cert.pem"
 tls_private_key = "/usr/local/etc/opensips/tls/server/server-privkey.pem"
 tls_ca_list = "/usr/local/etc/opensips/tls/server/server-calist.pem"

Save the file.

Please note that our OpenSIPS 101 in this exercise is 192.168.56.45. You should change this IP to your real OpenSIPS IP.

Step 4: Verify config and test

Verify your config:

 opensips -c

Restart OpenSIPS:

 /etc/init.d/opensips.init restart

Verify whether OpenSIPS is listening in port 5061:

 netstat -lnptu | grep opensips

Use server-calist.pem on client side, do not copy other files from /usr/local/etc/opensips/tls/server/.

You can use SIP UA with TLS supports to test TLS connection to OpenSIPS. SIP UA such as Minisip and SFLphone in Linux or MicroSIP and Blink in Windows are good to use as they are free and easy to use.

On SIP UA, if possible we should disable other protocol (sometime referred as transport) and make sure we have only select TLS. Use port 5061 instead of 5060 to connect to OpenSIPS using TLS.

Some SIP UA do not have special feature to load certificates from its GUI. In this case you should import your server-calist.pem into your OS certificate repository (sometime referred as key store).

Same goes to mobile devices such as Android phone or iPhone, you should load server-calist.pem into its certificate repository rather then to load it from mobile SIP UA GUI.

Debugging SIP traffics over TLS on port 5061:

 ngrep -p -q -W byline port 5061

You should notice packets are captured but displayed as unreadable characters.

Try to make calls in TLS mode, and also try with mandatory SRTP enabled.

--
Anton Raharja
http://www.antonraharja.com

이 게시물을...
조회 수 :
42542
등록일 :
2014.03.12
10:40:30 (*.251.139.148)
엮인글 :
http://webs.co.kr/index.php?document_srl=39210&act=trackback&key=8b0
게시글 주소 :
http://webs.co.kr/index.php?document_srl=39210
목록
List of Articles
번호 제목 글쓴이 조회 수 추천 수sort 날짜
141 Using SIP Devices behind NAT OPensip Asterisk IPPhone SIP Telephony file admin 227317   2013-03-31
 
140 Opensips_1.9 install guide this is great I like this admin 107885   2014-03-04
 
139 Opensips install debian admin 38231   2014-03-03
 
138 A2Billing and OpenSIPS admin 41876   2014-03-04
 
137 100% CPU usage opensips admin 54403   2014-03-05
 
136 Opensips Installation, How to. admin 75853   2014-03-05
 
135 How to install OpenSIPS on CentOS Debian etc admin 44963   2014-03-05
 
134 Multimedia Service Platform admin 37204   2014-03-06
 
133 Building Telephony Systems with OpenSIPS 1.6 books file admin 42501   2014-03-06
 
132 Problem with presence_xml module Opensips 1.9 admin 47914   2014-03-06
 
131 How to install OpenSIPS on CentOS debian module add xcap admin 45940   2014-03-06
 
130 MediaProxy Installation Guide admin 181553   2014-03-06
 
129 rtpproxy Module admin 38711   2014-03-06
 
128 OpenSIPS Control Panel install guide admin 96324   2014-03-06
 
127 OpenSIPS Control Panel (OCP) Installation Guide admin 280230   2014-03-06
 
126 Installing RTPproxy Start RTPproxy in Bridged mode very good admin 102945   2014-03-07
 
125 Building Telephony Systems with OpenSIPS 1.6 RTPProxy + OpenSIPS 1.7 admin 40527   2014-03-07
 
124 RTPproxy Frequentry Asked Questions (FAQ) ¶ admin 175843   2014-03-07
 
123 Using the openSIPS Registrant Module admin 52411   2014-03-09
 
122 Kamailo OpenSIPs installation on Debian admin 82814   2014-03-09
 
121 opensips-1.10.0_src.tar.gz experimental source code documentation admin 37933   2014-03-09
 
120 Ekiga (formely known as GnomeMeeting) is an open source SoftPhone admin 42663   2014-03-12
 
119 Where to check OpenSIPS does not start? admin 43047   2014-03-09
 
» book-opensips-101 / content / 3.2. SIP TLS Secure Calling.mediawiki admin 42542   2014-03-12
https://github.com/antonraharja/book-opensips-101/blob/master/content/0.%20Table%20of%20Contents.mediawiki https://github.com/antonraharja/book-opensips-101/blob/master/content/3.2.%20SIP%20TLS%20Secure%20Calling.mediawiki able of Co...  
117 The Impact of TLS on SIP Server Performance file admin 42062   2014-03-12
 
116 OpenSIPS configuration for 2 or more FreeSWITCH installs admin 74967   2014-03-12
 
115 Conference Support in Kamailio (OpenSER) admin 86018   2014-03-12
 
114 SIP PBX - OpenSIPS and Asterisk configuration admin 163206   2014-03-12
 
113 telepresence: Open Source SIP Telepresence/MCU admin 181759   2014-03-12
 
112 SIPSorcery admin 44065   2014-03-18
 
목록
쓰기

Powered by (주)제이에스솔루션 인터넷전화 070 가입자 가입 소프트웨어 개발