Introduction

As of CINEMA v1.20, OpenSSL-based TLS/SSL support has been added to sipd and sipua on an experimental basis. sipd can accept and proxy SIP requests using TLS as the transport. We will continue to enhance the TLS functionality of sipd and sipua, as well as add this feature to sipconf in subsequent releases.

Environment

Binary versions of sipd and sipua are distributed with compiled OpenSSL support. To use these binary releases, you need several support libraries. These libraries are installed automatically by the installer.

In order to compile source distributions of sipd and sipua with OpenSSL, you need to install a compiled version of OpenSSL. You can download it from the support directory of the downloads page.

To compile on a Unix platform, you need to use the --with-tls Configure option. For example, if you have installed OpenSSL at /opt/openssl, then you should specify --with-tls=/opt/openssl. Windows source distributions will use TLS by default, hence you need to download the openssl_win32.zip file and install it in your root folder (e.g., C:\). If you do not want to compile with TLS support, you need to remove the USE_TLS macro from libcine, libsip, sipd, libsip_nosql, and sipua projects.

Run-Time options

TLS support can be selectively enabled or disabled in sipd by setting the StartSSL config parameter. See sipd documentation for more.

Dependencies

In order to initialize the SSL library, you need to set up several files:

Server authentication

sipua will authenticate the peer to which it connects (a proxy server or another UAS) using the Common Name contained in the peer's certificate. The common name should match the host name or a variant of the domain name. For example, a host thalys.cs.columbia.edu can give a certificate that has either thalys.cs.columbia.edu or cs.columbia.edu as the common name. This will be enhanced in future releases.
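The matching rule above can be sketched as follows. This is an added example, not CINEMA's code: cn_matches_host is a hypothetical name, reading "variant of domain name" as "parent domain of the host" is an assumption, and the rejections of embedded NULs, empty labels and single-label names are added assumptions as well.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>   /* strncasecmp (POSIX) */

/* Hypothetical helper, not CINEMA code. Returns 1 if the certificate
 * Common Name (cn, cn_len bytes as extracted from the certificate) is
 * acceptable for the host we connected to, else 0. */
int cn_matches_host(const char *cn, size_t cn_len, const char *host)
{
    size_t host_len;

    if (cn == NULL || host == NULL || cn_len == 0)
        return 0;
    /* An embedded NUL would make C string functions see a shorter name. */
    if (memchr(cn, '\0', cn_len) != NULL)
        return 0;
    /* Assumption: empty leading/trailing labels are never valid. */
    if (cn[0] == '.' || cn[cn_len - 1] == '.')
        return 0;

    host_len = strlen(host);

    /* Case 1: CN is exactly the host name (DNS names are case-insensitive). */
    if (cn_len == host_len)
        return strncasecmp(cn, host, cn_len) == 0;

    /* Case 2 (assumed meaning of "variant of domain name"): CN is a parent
     * domain of the host. Require at least two labels so a bare TLD such
     * as "edu" is rejected, and require the match to start at a label
     * boundary so "s.columbia.edu" does not match "cs.columbia.edu". */
    if (cn_len < host_len &&
        memchr(cn, '.', cn_len) != NULL &&
        host[host_len - cn_len - 1] == '.' &&
        strncasecmp(host + host_len - cn_len, cn, cn_len) == 0)
        return 1;

    return 0;
}

int main(void)
{
    const char *host = "thalys.cs.columbia.edu";   /* host from the page */
    const char *cns[] = { "thalys.cs.columbia.edu", "cs.columbia.edu",
                          "s.columbia.edu", "edu" };   /* constructed CNs */
    for (size_t i = 0; i < sizeof cns / sizeof cns[0]; i++)
        printf("%-24s -> %d\n", cns[i],
               cn_matches_host(cns[i], strlen(cns[i]), host));
    return 0;
}
```

Accepting a parent-domain CN means one certificate is trusted for every host under that domain, so an exact host-name match is the stricter choice where the deployed certificates allow it.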

Making TLS requests with sipua

To use TLS for all your connection requests from sipua to your outbound proxy, use one of the following commands, depending on your sipua version:
set proxy sips:proxy.mydomain.com (from sipua v1.22)
set proxy sip:proxy.mydomain.com:5061;transport=tls (for sipua v1.20 and v1.21)

Once this is done, all SIP commands that you key in will be sent to the proxy using TLS.

Future Enhancements

Acknowledgements


Last updated by Sankaran Narayanan@ Internet Real-Time Laboratory