Notes on TLS support for CINEMA

Introduction

From CINEMA v1.20, OpenSSL based TLS/SSL support has been added to sipd and sipua on an experimental basis. sipd can accept and proxy SIP requests using TLS as transport. We will continue to enhance the TLS functionality of sipd and sipua, as well as add this feature to sipconf in subsequent releases.

Environment

Binary versions of sipd and sipua are distributed with compiled OpenSSL support. In order to use these binary releases, you need to have several support libraries. These libraries are installed automatically by the installer

In order to compile source distributions of sipd and sipua with OpenSSL, you need to install a compiled version of OpenSSL. You can download it from the support directory of the downloads page.

To compile on a Unix platform, you need to use the --with-tls Configure option. For example, if you have installed OpenSSL at /opt/openssl, then you should specify --with-tls=/opt/openssl. Windows source distributions will use TLS by default, hence you need to download the openssl_win32.zip file and install it in your root folder (e.g., C:\). If you do not want to compile with TLS support, you need to remove the USE_TLS macro from libcine, libsip, sipd, libsip_nosql, and sipua projects.

Run-Time options

TLS support can be selectively enabled or disabled in sipd by setting the StartSSL config parameter. See sipd documentation for more.

Dependencies

In order to initialize the SSL library, you need to setup several files:

rand.dat
rand.dat will contain random bytes used for seeding the cryptographic random number generator. To generate a rand file, using OpenSSL use,
openssl dgst * > rand.dat
(* tells openssl to take a digest on all the files in the current directory. To get good randomness, you should put some large binary files before running this command).
cert.pem, privkey.key
Server certificate/key pair or client certificate/key pair. Follow instructions contained in Generating certificates. While generating the certificate, you must give the Common name as the host name or domain name as outlined in the section Server authentication.
Currently the pass phrase "sipd" is hardcoded into sipua, and hence you need to use this pass phrase for the sipua certificate. However, for sipd certificates you can use your own pass phrase. This is configured into sipd through the CINEMA web interface.
A configuration file (openssl.cnf) contains several configuration parameters such as your name, organization etc that are placed in the certificate. A sample openssl.cnf file is included along with the distribution.
calist.pem
This is a file containing all certification authorities that you trust. Currently, this is not actually used by sipua or sipd, so you can just make a copy of the file cert.pem and rename it calist.pem
dh1024.pem
In order to generate shared session keys, OpenSSL needs some parameters to initialize the Diffie-Helman key generator. You can use OpenSSL to generate this, by running the command:
openssl gendh -rand rand.dat -out dh1024.pem

Server authentication

sipua will authenticate the peer to which it connects to (a Proxy server or another UAS) using the Common Name contained in its certificate. The common name should match the host name or a variant of domain name. For example, a host thalys.cs.columbia.edu can give a certificate that has either thalys.cs.columbia.edu or cs.columbia.edu as the common name. This will be enhanced in future releases.

Making TLS requests with sipua

To use TLS for all your connection requests from sipua to your outbound proxy, use the commandset proxy sips:proxy.mydomain.com (from sipua v1.22) set proxy sip:proxy.mydomain.com:5061;transport=tls (for sipua v1.20 and v1.21)
Once this is done, all SIP commands that you key in, will be sent to the proxy using TLS.

Future Enhancements

Currently, the security mechanism outlined in this document is for initial experiments. We will add more information about setting up secure servers by next release.

Acknowledgements

The openssl commands outlined here are partially due to Jeremy Smith and Joshua Boverhof.
Li Liao did the initial implementation of a simple SSL server and client.

Last updated by Sankaran Narayanan@ Internet Real-Time Laboratory