[asterisk-commits] jamesgolovich: branch group/sip-tcptls r92241 - /team/group/sip-tcptls/doc/
SVN commits to the Asterisk project
asterisk-commits at lists.digium.com
Mon Dec 10 13:01:30 CST 2007
Author: jamesgolovich
Date: Mon Dec 10 13:01:30 2007
New Revision: 92241
URL: http://svn.digium.com/view/asterisk?view=rev&rev=92241
Log:
Add some basic TLS documentation
Added:
team/group/sip-tcptls/doc/siptls.txt (with props)
Added: team/group/sip-tcptls/doc/siptls.txt
URL: http://svn.digium.com/view/asterisk/team/group/sip-tcptls/doc/siptls.txt?view=auto&rev=92241
==============================================================================
--- team/group/sip-tcptls/doc/siptls.txt (added)
+++ team/group/sip-tcptls/doc/siptls.txt Mon Dec 10 13:01:30 2007
@@ -1,0 +1,88 @@
+Asterisk SIP/TLS Transport
+==========================
+
+When using TLS the client will typically check the validity of the
+certificate chain. So that means you either need a certificate that is
+signed by one of the larger CAs, or if you use a self signed certificate
+you must install a copy of your CA on the client.
+
+So far this code has been test with:
+Polycom Soundpoint IP Phones (TLS and TCP)
+Minisip Softphone (TLS and TCP)
+Cisco IOS Gateways (TCP only)
+
+sip.conf options
+----------------
+tlsenable=[yes|no]
+ Enable TLS server, default is no
+
+tlsbindaddr=<ip address>
+ Specify IP address to bind TLS server to, default is 0.0.0.0
+
+tlscertfile=</path/to/certificate>
+ The server's certificate file. Should include the key and
+ certificate. This is mandatory if your going to run a TLS server.
+
+tlscafile=</path/to/certificate>
+ If the server your connecting to uses a self signed certificate
+ you should have their certificate installed here so the code can
+ verify the authenticity of their certificate.
+
+tlscadir=</path/to/ca/dir>
+ A directory full of CA certificates. The files must be named with
+ the CA subject name hash value.
+ (see man SSL_CTX_load_verify_locations for more info)
+
+tlsdontverifyserver=[yes|no]
+ If set to yes, don't verify the servers certificate when acting as
+ a client. If you don't have the server's CA certificate you can
+ set this and it will connect without requiring tlscafile to be set.
+ Default is no.
+
+tlscipher=<SSL cipher string>
+ A string specifying which SSL ciphers to use or not use
+
+
+Sample config
+-------------
+
+Here are the relevant bits of config for setting up TLS between 2
+asterisk servers. With server_a registering to server_b
+
+On server_a:
+[general]
+tlsenable=yes
+tlscertfgile=/etc/asterisk/asterisk.pem
+tlscafile=/etc/ssl/ca.pem ; This is the CA file used to generate both certificates
+register => tls://100:test@192.168.0.100:5061
+
+[101]
+type=friend
+context=internal
+host=192.168.0.100 ; The host should be either IP or hostname and should
+ ; match the 'common name' field in the servers certificate
+secret=test
+dtmfmode=rfc2833
+disallow=all
+allow=ulaw
+transport=tls
+port=5061
+
+On server_b:
+[general]
+tlsenable=yes
+tlscertfgile=/etc/asterisk/asterisk.pem
+
+[100]
+type=friend
+context=internal
+host=dynamic
+secret=test
+dtmfmode=rfc2833
+disallow=all
+allow=ulaw
+;You can specify transport= and port=5061 for TLS, but its not necessary in
+;the server configuration, any type of SIP transport will work
+;transport=tls
+;port=5061
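Review bot: the sample config misspells the only mandatory server option: both `[general]` blocks use `tlscertfgile=/etc/asterisk/asterisk.pem`, while the option documented above is `tlscertfile`, so neither server_a nor server_b would load a certificate and the TLS listener would not come up as shown; correct both lines to `tlscertfile=/etc/asterisk/asterisk.pem`. Two more points worth fixing in the same file. The `tlsdontverifyserver` text presents it purely as a convenience for when you lack the server's CA; it should state that enabling it disables server authentication entirely (any certificate, including an attacker's, is accepted), so it belongs in testing only, and the `tlscafile` entry is the right fix for private or self-signed CAs. The `tlscertfile` description says the file "should include the key and certificate", so it should also note that the file holds the private key and must be readable only by the Asterisk user. Smaller items: "has been test with" should read "has been tested with", "your going to" / "the server your connecting to" should read "you're", "the servers certificate" should read "the server's certificate", and `tlscipher` gives no default, so say what is used when it is unset.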
+
Propchange: team/group/sip-tcptls/doc/siptls.txt
------------------------------------------------------------------------------
svn:eol-style = native
Propchange: team/group/sip-tcptls/doc/siptls.txt
------------------------------------------------------------------------------
svn:keywords = Author Date Id Revision
Propchange: team/group/sip-tcptls/doc/siptls.txt
------------------------------------------------------------------------------
svn:mime-type = text/plain