asterisk/doc/siptls.txt

Asterisk SIP/TLS Transport
==========================

When using TLS the client will typically check the validity of the
certificate chain.  So that means you either need a certificate that is
signed by one of the larger CAs, or if you use a self signed certificate
you must install a copy of your CA certificate on the client.

So far this code has been test with:
- Asterisk as client and server (TLS and TCP)
- Polycom Soundpoint IP Phones (TLS and TCP)
	Polycom phones require that the host (ip or hostname) that is
	configured match the 'common name' in the certificate
- Minisip Softphone (TLS and TCP)
- Cisco IOS Gateways (TCP only)
- SNOM 360 (TLS only)
- Zoiper Biz Softphone (TLS and TCP)


sip.conf options
----------------
tlsenable=[yes|no]
	Enable TLS server, default is no

tlsbindaddr=<ip address>
	Specify IP address to bind TLS server to, default is 0.0.0.0

tlscertfile=</path/to/certificate>
	The server's certificate file. Should include the key and 
	certificate.  This is mandatory if your going to run a TLS server.

tlscafile=</path/to/certificate>
	If the server your connecting to uses a self signed certificate
	you should have their certificate installed here so the code can 
	verify the authenticity of their certificate.

tlscadir=</path/to/ca/dir>
	A directory full of CA certificates.  The files must be named with 
	the CA subject name hash value. 
	(see man SSL_CTX_load_verify_locations for more info) 

tlsdontverifyserver=[yes|no]
	If set to yes, don't verify the servers certificate when acting as 
	a client.  If you don't have the server's CA certificate you can
	set this and it will connect without requiring tlscafile to be set.
	Default is no.

tlscipher=<SSL cipher string>
	A string specifying which SSL ciphers to use or not use
	A list of valid SSL cipher strings can be found at: 
		http://www.openssl.org/docs/apps/ciphers.html#CIPHER_STRINGS


Sample config
-------------

Here are the relevant bits of config for setting up TLS between 2
asterisk servers.  With server_a registering to server_b

On server_a:

[general]
tlsenable=yes
tlscertfile=/etc/asterisk/asterisk.pem
tlscafile=/etc/ssl/ca.pem  ; This is the CA file used to generate both certificates
register => tls://100:test@192.168.0.100:5061

[101]
type=friend
context=internal
host=192.168.0.100 ; The host should be either IP or hostname and should 
                   ; match the 'common name' field in the servers certificate
secret=test
dtmfmode=rfc2833
disallow=all
allow=ulaw
transport=tls 
port=5061

On server_b:
[general]
tlsenable=yes
tlscertfile=/etc/asterisk/asterisk.pem

[100]
type=friend
context=internal
host=dynamic
secret=test
dtmfmode=rfc2833
disallow=all
allow=ulaw
;You can specify transport= and port=5061 for TLS, but its not necessary in
;the server configuration, any type of SIP transport will work
;transport=tls 
;port=5061
Merge changes from team/group/sip-tcptls This set of changes introduces TCP and TLS support for chan_sip. There are various new options in configs/sip.conf.sample that are used to enable these features. Also, there is a document, doc/siptls.txt that describes some things in more detail. This code was implemented by Brett Bryant and James Golovich. It was reviewed by Joshua Colp and myself. A number of other people participated in the testing of this code, but since it was done outside of the bug tracker, I do not have their names. If you were one of them, thanks a lot for the help! (closes issue #4903, but with completely different code that what exists there.) git-svn-id: https://origsvn.digium.com/svn/asterisk/trunk@99085 65c4cc65-6c06-0410-ace0-fbb531ad65f3 2008-01-18 22:04:33 +00:00			`Asterisk SIP/TLS Transport`
			`==========================`

			`When using TLS the client will typically check the validity of the`
			`certificate chain. So that means you either need a certificate that is`
			`signed by one of the larger CAs, or if you use a self signed certificate`
Small fixes git-svn-id: https://origsvn.digium.com/svn/asterisk/trunk@99482 65c4cc65-6c06-0410-ace0-fbb531ad65f3 2008-01-22 09:46:28 +00:00			`you must install a copy of your CA certificate on the client.`
Merge changes from team/group/sip-tcptls This set of changes introduces TCP and TLS support for chan_sip. There are various new options in configs/sip.conf.sample that are used to enable these features. Also, there is a document, doc/siptls.txt that describes some things in more detail. This code was implemented by Brett Bryant and James Golovich. It was reviewed by Joshua Colp and myself. A number of other people participated in the testing of this code, but since it was done outside of the bug tracker, I do not have their names. If you were one of them, thanks a lot for the help! (closes issue #4903, but with completely different code that what exists there.) git-svn-id: https://origsvn.digium.com/svn/asterisk/trunk@99085 65c4cc65-6c06-0410-ace0-fbb531ad65f3 2008-01-18 22:04:33 +00:00
			`So far this code has been test with:`
Small fixes git-svn-id: https://origsvn.digium.com/svn/asterisk/trunk@99482 65c4cc65-6c06-0410-ace0-fbb531ad65f3 2008-01-22 09:46:28 +00:00			`- Asterisk as client and server (TLS and TCP)`
			`- Polycom Soundpoint IP Phones (TLS and TCP)`
Merge changes from team/group/sip-tcptls This set of changes introduces TCP and TLS support for chan_sip. There are various new options in configs/sip.conf.sample that are used to enable these features. Also, there is a document, doc/siptls.txt that describes some things in more detail. This code was implemented by Brett Bryant and James Golovich. It was reviewed by Joshua Colp and myself. A number of other people participated in the testing of this code, but since it was done outside of the bug tracker, I do not have their names. If you were one of them, thanks a lot for the help! (closes issue #4903, but with completely different code that what exists there.) git-svn-id: https://origsvn.digium.com/svn/asterisk/trunk@99085 65c4cc65-6c06-0410-ace0-fbb531ad65f3 2008-01-18 22:04:33 +00:00			`Polycom phones require that the host (ip or hostname) that is`
			`configured match the 'common name' in the certificate`
Small fixes git-svn-id: https://origsvn.digium.com/svn/asterisk/trunk@99482 65c4cc65-6c06-0410-ace0-fbb531ad65f3 2008-01-22 09:46:28 +00:00			`- Minisip Softphone (TLS and TCP)`
			`- Cisco IOS Gateways (TCP only)`
			`- SNOM 360 (TLS only)`
			`- Zoiper Biz Softphone (TLS and TCP)`
Merge changes from team/group/sip-tcptls This set of changes introduces TCP and TLS support for chan_sip. There are various new options in configs/sip.conf.sample that are used to enable these features. Also, there is a document, doc/siptls.txt that describes some things in more detail. This code was implemented by Brett Bryant and James Golovich. It was reviewed by Joshua Colp and myself. A number of other people participated in the testing of this code, but since it was done outside of the bug tracker, I do not have their names. If you were one of them, thanks a lot for the help! (closes issue #4903, but with completely different code that what exists there.) git-svn-id: https://origsvn.digium.com/svn/asterisk/trunk@99085 65c4cc65-6c06-0410-ace0-fbb531ad65f3 2008-01-18 22:04:33 +00:00

			`sip.conf options`
			`----------------`
			`tlsenable=[yes\|no]`
			`Enable TLS server, default is no`

			`tlsbindaddr=<ip address>`
			`Specify IP address to bind TLS server to, default is 0.0.0.0`

			`tlscertfile=</path/to/certificate>`
Small fixes git-svn-id: https://origsvn.digium.com/svn/asterisk/trunk@99482 65c4cc65-6c06-0410-ace0-fbb531ad65f3 2008-01-22 09:46:28 +00:00			`The server's certificate file. Should include the key and`
Merge changes from team/group/sip-tcptls This set of changes introduces TCP and TLS support for chan_sip. There are various new options in configs/sip.conf.sample that are used to enable these features. Also, there is a document, doc/siptls.txt that describes some things in more detail. This code was implemented by Brett Bryant and James Golovich. It was reviewed by Joshua Colp and myself. A number of other people participated in the testing of this code, but since it was done outside of the bug tracker, I do not have their names. If you were one of them, thanks a lot for the help! (closes issue #4903, but with completely different code that what exists there.) git-svn-id: https://origsvn.digium.com/svn/asterisk/trunk@99085 65c4cc65-6c06-0410-ace0-fbb531ad65f3 2008-01-18 22:04:33 +00:00			`certificate. This is mandatory if your going to run a TLS server.`

			`tlscafile=</path/to/certificate>`
			`If the server your connecting to uses a self signed certificate`
			`you should have their certificate installed here so the code can`
			`verify the authenticity of their certificate.`

			`tlscadir=</path/to/ca/dir>`
			`A directory full of CA certificates. The files must be named with`
			`the CA subject name hash value.`
			`(see man SSL_CTX_load_verify_locations for more info)`

			`tlsdontverifyserver=[yes\|no]`
			`If set to yes, don't verify the servers certificate when acting as`
			`a client. If you don't have the server's CA certificate you can`
			`set this and it will connect without requiring tlscafile to be set.`
			`Default is no.`

			`tlscipher=<SSL cipher string>`
			`A string specifying which SSL ciphers to use or not use`
Adding more tls configuration details to sip.conf sample, with a list of valid ciphers provided in both files. .. First commit since July, woot git-svn-id: https://origsvn.digium.com/svn/asterisk/trunk@104088 65c4cc65-6c06-0410-ace0-fbb531ad65f3 2008-02-25 19:00:16 +00:00			`A list of valid SSL cipher strings can be found at:`
			`http://www.openssl.org/docs/apps/ciphers.html#CIPHER_STRINGS`
Merge changes from team/group/sip-tcptls This set of changes introduces TCP and TLS support for chan_sip. There are various new options in configs/sip.conf.sample that are used to enable these features. Also, there is a document, doc/siptls.txt that describes some things in more detail. This code was implemented by Brett Bryant and James Golovich. It was reviewed by Joshua Colp and myself. A number of other people participated in the testing of this code, but since it was done outside of the bug tracker, I do not have their names. If you were one of them, thanks a lot for the help! (closes issue #4903, but with completely different code that what exists there.) git-svn-id: https://origsvn.digium.com/svn/asterisk/trunk@99085 65c4cc65-6c06-0410-ace0-fbb531ad65f3 2008-01-18 22:04:33 +00:00

			`Sample config`
			`-------------`

			`Here are the relevant bits of config for setting up TLS between 2`
			`asterisk servers. With server_a registering to server_b`

			`On server_a:`
Small fixes git-svn-id: https://origsvn.digium.com/svn/asterisk/trunk@99482 65c4cc65-6c06-0410-ace0-fbb531ad65f3 2008-01-22 09:46:28 +00:00
Merge changes from team/group/sip-tcptls This set of changes introduces TCP and TLS support for chan_sip. There are various new options in configs/sip.conf.sample that are used to enable these features. Also, there is a document, doc/siptls.txt that describes some things in more detail. This code was implemented by Brett Bryant and James Golovich. It was reviewed by Joshua Colp and myself. A number of other people participated in the testing of this code, but since it was done outside of the bug tracker, I do not have their names. If you were one of them, thanks a lot for the help! (closes issue #4903, but with completely different code that what exists there.) git-svn-id: https://origsvn.digium.com/svn/asterisk/trunk@99085 65c4cc65-6c06-0410-ace0-fbb531ad65f3 2008-01-18 22:04:33 +00:00			`[general]`
			`tlsenable=yes`
Fix a typo. Someone on IRC copied this literally and then wondered why it wasn't working. :) git-svn-id: https://origsvn.digium.com/svn/asterisk/trunk@125988 65c4cc65-6c06-0410-ace0-fbb531ad65f3 2008-06-27 19:19:08 +00:00			`tlscertfile=/etc/asterisk/asterisk.pem`
Merge changes from team/group/sip-tcptls This set of changes introduces TCP and TLS support for chan_sip. There are various new options in configs/sip.conf.sample that are used to enable these features. Also, there is a document, doc/siptls.txt that describes some things in more detail. This code was implemented by Brett Bryant and James Golovich. It was reviewed by Joshua Colp and myself. A number of other people participated in the testing of this code, but since it was done outside of the bug tracker, I do not have their names. If you were one of them, thanks a lot for the help! (closes issue #4903, but with completely different code that what exists there.) git-svn-id: https://origsvn.digium.com/svn/asterisk/trunk@99085 65c4cc65-6c06-0410-ace0-fbb531ad65f3 2008-01-18 22:04:33 +00:00			`tlscafile=/etc/ssl/ca.pem ; This is the CA file used to generate both certificates`
			`register => tls://100:test@192.168.0.100:5061`

			`[101]`
			`type=friend`
			`context=internal`
			`host=192.168.0.100 ; The host should be either IP or hostname and should`
			`; match the 'common name' field in the servers certificate`
			`secret=test`
			`dtmfmode=rfc2833`
			`disallow=all`
			`allow=ulaw`
			`transport=tls`
			`port=5061`

			`On server_b:`
			`[general]`
			`tlsenable=yes`
Fix a typo. Someone on IRC copied this literally and then wondered why it wasn't working. :) git-svn-id: https://origsvn.digium.com/svn/asterisk/trunk@125988 65c4cc65-6c06-0410-ace0-fbb531ad65f3 2008-06-27 19:19:08 +00:00			`tlscertfile=/etc/asterisk/asterisk.pem`
Merge changes from team/group/sip-tcptls This set of changes introduces TCP and TLS support for chan_sip. There are various new options in configs/sip.conf.sample that are used to enable these features. Also, there is a document, doc/siptls.txt that describes some things in more detail. This code was implemented by Brett Bryant and James Golovich. It was reviewed by Joshua Colp and myself. A number of other people participated in the testing of this code, but since it was done outside of the bug tracker, I do not have their names. If you were one of them, thanks a lot for the help! (closes issue #4903, but with completely different code that what exists there.) git-svn-id: https://origsvn.digium.com/svn/asterisk/trunk@99085 65c4cc65-6c06-0410-ace0-fbb531ad65f3 2008-01-18 22:04:33 +00:00
			`[100]`
			`type=friend`
			`context=internal`
			`host=dynamic`
			`secret=test`
			`dtmfmode=rfc2833`
			`disallow=all`
			`allow=ulaw`
			`;You can specify transport= and port=5061 for TLS, but its not necessary in`
			`;the server configuration, any type of SIP transport will work`
			`;transport=tls`
			`;port=5061`