The SBC Core supports the exchange of SIP signaling over Transport Layer Security (TLS), an IETF protocol for securing communications across an untrusted network. Normally, SIP packets travel in plain text over TCP or UDP connections. Secure SIP is a security measure that uses TLS, the successor to Secure Sockets Layer (SSL) protocol. TLS operates just above the transport layer (Layer 4) and provides peer authentication, confidentiality and message integrity.
SIP over TLS is configurable independently on each hop between SIP devices. SIP transport type selection is typically configured through IP Signaling Profile. It may also be provisioned on SIP Trunk group or identified through DNS lookup.
If the SBC receives an INVITE message and is unable to establish a TLS connection with its peer that is the next hop for the INVITE, the SBC replies to the INVITE message with a 408 (Request Timeout) response with a Warning header, warn-code 399 (Miscellaneous warning), and a warning text “TLS connection failure”. This is configurable using the IP Signaling Profile ingress flag sendTLSConnectionFailureResponse
The SBC supports a system-wide unified facility for installing X.509v3 digital certificates into the system, for use in authenticating the system and its peers for https management, SIP over TLS, etc. For more information on the TLS usage scenarios, refer to TLS for Signaling.
If a zone's sipSigPort
is configured for transportProtocolsAllowed
= sip-tls-tcp
, the SBC increments the configured portNumber
by 1 and uses it as the new port number for SIP over TLS signaling. The SBC then opens a TCP socket for SIP over TLS for the new TCP port number.
Example: When sipSigPort
is configured with a portNumber
of 5060 and transportProtocolsAllowed
= sip-tls-tcp
, the SBC listens on TCP port 5061 for SIP over TLS.
For configuration details, refer to: