In this section:

Related articles:

 

Use DTLS Profile to configure various DTLS parameters attached to a SIP trunk group in support of WebRTC functionality.

Command Syntax

% set profiles security dtlsProfile <profile name> 
	CertName <cert name>
	cipherSuite1 <cipher suite> 
	cipherSuite2 <cipher suite> 
	cipherSuite3 <cipher suite>
	cookieExchange <disabled | enabled>
	dtlsRole <client | server>
	handshakeTimer <1-60 seconds> 
	hashType <md2 | md5 | sha1 | sha224 | sha256 | sha384 | sha512>
	sessionResumpTimer <0-86400>
	v1_0 <disabled | enabled>
    v1_1 <disabled | enabled>
    v1_2 <disabled | enabled>

 

Command Parameters

The DTLS Profile Parameters are as shown below:

DTLS Profile Parameters

Parameter

Length/Range

Description

dtlsProfile1-23<profile name> – Name of DTLS profile.

CertName

1-23

<profile name> – Name of the Certificate used by this DTLS profile (default = defaultDtlsSBCCert).

cipherSuite1

N/A

Use this parameter to specify the first TLS Cipher Suite choice for this profile (default = rsa-with-aes-128-cbc-sha).

See the table Supported DTLS Crypto Suites below for the list of cipher suites.

cipherSuite2

N/A

Use this optional parameter to specify the second TLS Cipher Suite choice for this profile (default = nosuite).

See the table Supported DTLS Crypto Suites below for the list of cipher suites.

 

cipherSuite3

N/A

Use this optional parameter to specify the third TLS Cipher Suite choice for this profile (default = nosuite).

See the table Supported DTLS Crypto Suites below for the list of cipher suites.

cookieExchangeN/A

Use this flag to enable Cookie Exchange mechanism.

  • disabled
  • enabled (default)
dtlsRoleN/A

Specify DTLS role to use for this DTLS Profile.

  • client
  • server (default)

handshakeTimer

1-60

The time (in seconds) in which the DTLS handshake must be completed. The timer starts when the TCP connection is established. (default = 5)

hashTypeN/A

The allowed DTLS hash function for the specified DTLS Profile (default = sha1)

md2 | md5 | sha1 | sha224 | sha256 | sha384 | sha512

sessionResumpTimer

0-86400

The DTLS session resumption period (in seconds) for which cached sessions are retained. DTLS protocol allows successive connections to be created within one DTLS session (and the resumption of a session after a DTLS connection is closed or after a server card failover) without repeating the entire authentication and other setup steps for each connection, except when the space must be reclaimed for a new session. (default = 300)

v1_0N/A

DTLS protocol version 1.0 (see note below)

  • disabled
  • enabled (default)
v1_1N/A

DTLS protocol version 1.1 (see note below)

  • disabled  (default)
  • enabled
v1_2N/A

DTLS protocol version 1.2 (see note below)

  • disabled (default)
  • enabled

 

Supported DTLS Crypto Suites

Authentication Mechanism

Public/Private Key Pair

Confidentiality Cipher and Mode

Integrity Cipher

RSA-WITH-NULL-SHA

The integrity cipher used for the TLS Record protocol. 

RSANULLSHA-1

RSA-WITH-AES-128-CBC-SHA (default)

Confidentiality cipher and mode for the TLS Record protocol.

RSA

AES-128-CBC

SHA-1

RSA-WITH-AES-128-CBC-SHA-256

Confidentiality cipher and mode for the TLS Record protocol with SHA-256 as the hash function.

RSAAES-128-CBCSHA-256

RSA-WITH-AES-256-CBC-SHA

Confidentiality cipher and mode for the TLS Record protocol with AES 256 encryption.  

RSA

AES-256-CBC

SHA-1

RSA-WITH-AES-256-CBC-SHA-256*

Confidentiality cipher and mode for the TLS Record protocol with AES 256 encryption and SHA-256 as the hash function.

RSA

AES-256-CBC

SHA-256

TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384**

Confidentiality cipher and mode for the TLS Record with AES256 CBC and SHA384 as the hash function.

ECDH-ECDSA

AES-256-CBC

SHA-384

TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384**

Confidentiality cipher and mode for the TLS Record with AES256 GCM and SHA384 as the hash function.

ECDH-ECDSAAES-256-GCMSHA-384

TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA

Confidentiality cipher and mode for the TLS Record protocol using ECDHE (Elliptic Curve Diffie-Hellman key Exchange) with AES128 CBC and SHA as the hash function.

ECDHE-RSAAES-128-CBCSHA-1

TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA-384*

Confidentiality cipher and mode for the TLS Record protocol using ECDHE (Elliptic Curve Diffie-Hellman key Exchange) with AES256 CBC and SHA384 as the hash function.

ECDHE-RSAAES-256-CBCSHA-384

TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

Confidentiality cipher and mode for the TLS Record protocol using ECDHE (Elliptic Curve Diffie-Hellman key Exchange) with AES128 GCM and SHA as the hash function.

ECDHE-RSAAES-128-GCMSHA-256

TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA-384*

Confidentiality cipher and mode for the TLS Record protocol using ECDHE (Elliptic Curve Diffie-Hellman key Exchange) with AES256 GCM and SHA384 as the hash function.

ECDHE-RSAAES-256-GCMSHA-384

TLS_RSA_WITH_AES_128_GCM_SHA256

Confidentiality cipher and mode for the TLS Record protocol with AES 128 GCM encryption and SHA-256 as the hash function.

RSAAES_128_GCMSHA256

TLS_RSA_WITH_AES_256_GCM_SHA384

Confidentiality cipher and mode for the TLS Record protocol with AES 256 GCM encryption and SHA-384 as the hash function.

RSAAES_256_GCMSHA384

*  To use this cipher, TLS version 1.2 must be enabled in the TLS Profile.

**  To use this cipher, TLS version 1.2 must be enabled in the TLS Profile and SSL certificates must be created using ECC keys.

Terms used in this table:

RSA – Authentication based on X.509 certificates using RSA public/private key pairs
AES-128 – Advanced Encryption Standard (128-bit key length)
CBC – Cipher Block Chaining
SHA – Secure Hash algorithm

Note

When FIPS-140-2 mode is enabled, do not use the rsa-with-null-sha option.


Note

The SBC releases that are officially FIPS-compliant are releases 5.1, 6.2, and 7.2.

Command Examples

% show profiles security dtlsProfile defaultDtlsProfile
handshakeTimer     5;
sessionResumpTimer 300;
cipherSuite1       rsa-with-aes-128-cbc-sha;
dtlsRole           server;
hashType           sha1;
CertName           defaultDtlsSBCCert;
cookieExchange     enabled;
v1_0               enabled;
v1_1               disabled;
v1_2               disabled; 

  • No labels