Add_workflow_for_techpubs

| Property | Value |
|---|---|
| AUTH1 | cclemetson |
| JIRAIDAUTH | SYM-20206 |
| REV5 | cclemetson |
| REV6 | cclemetson |
| REV3 | john-warren |
| REV1 | pravichandran |
To create or modify a TLS Profile:
...
Click the Create TLS Profile icon at the top of the TLS Profile page.
Figure 1: Create TLS Profile
...
Specifies the TLS version (the protocol). Valid entries: TLS 1.0 Only, TLS 1.2 Only, or TLS 1.0 - 1.2. Once the TLS version option is selected, the Client Cipher List is automatically updated to display only the ciphers supported for the selected TLS version.

Note: The TLS version you choose for the SBC TLS Profile must match the TLS version configured in the SBA Security Template for the associated SIP Server.

| TLS version in the SBC TLS Profile | TLS version to select in the SBA Security Template |
|---|---|
| TLS 1.0 Only | TLS 1.0-1.2 |
| TLS 1.2 Only | TLS 1.2 Only or TLS 1.0-1.2 |
| TLS 1.0 - 1.2 | TLS 1.0-1.2 |
Mutual Authentication
Enables the mutual authentication request and verification of the SIP peer client certificate.

Note: This setting is part of the standard level of Mutual TLS security. Mutual Authentication includes a check of the certificate dates for certificate validity and a check that the certificate is signed by a locally trusted root CA.

When enabled, this option allows the use of a weak (older) cipher: an additional (weak) cipher is added to the end of the client cipher list.
- SBC as the TLS server: when the SBC acts as the server, it allows older clients to authenticate using older TLS ciphers.
- SBC as the TLS client: when the SBC acts as a client in the call, the additional cipher added to the end of the list is offered to the server when negotiating the cipher. The ordered list of ciphers is presented to the server end with the cipher preferred by the SBC at the top.
Handshake Inactivity Timeout
...
The Validate Server FQDN option is an enhanced security feature of the SBC, which should be disabled if the common name in the certificate is an IP address (a practice observed by some ITSPs). This field is only visible when Validate Peer Server Certificate is enabled and Mutual Authentication is disabled. When Validate Server FQDN is enabled, the SBC performs an FQDN match of an incoming peer certificate common name (CN) or Subject Alternative Name (SAN) against the Host configured in the SIP Server table (the protocol must be TLS and the Host must be in the form of an FQDN).

Note:
- The SBC does not validate IP addresses to identify a peer server, but only Fully Qualified Domain Names (FQDN).
- Make sure this parameter is set to Disabled if the peer server is using an IP address.
...
Validate Client FQDN
Specifies a reverse DNS lookup of the peer's FQDN, used to verify the identity of the SIP peer client certificate. This check takes place only when both MTLS and Validate Client FQDN are enabled; if MTLS is disabled, Validate Client FQDN is also disabled. Validate Client FQDN is an enhanced security feature of the SBC, which could be disabled if the common name in the certificate is an IP address (some ITSPs do that). When Validate Client FQDN is enabled, the SBC performs an FQDN match of an incoming peer certificate common name (CN) or Subject Alternative Name (SAN) against the FQDN obtained from a reverse DNS lookup of the peer's IP address.

Note: The SBC does not validate IP addresses to identify a peer, but only Fully Qualified Domain Names (FQDN).
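The following Python is an added illustration of the two FQDN checks described above (Validate Server FQDN, which compares the certificate against the Host configured in the SIP Server table, and Validate Client FQDN, which compares it against a reverse DNS lookup of the peer IP). It is not the SBC's own code: the `PeerCert` class, the function names, the constructed certificates and the in-memory reverse DNS table standing in for real PTR lookups are all assumptions made so the example runs offline.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Outcomes of an FQDN check: it ran and matched, it ran and did not match,
# or it was not performed at all (feature disabled or not applicable).
MATCH, NO_MATCH, SKIPPED = "MATCH", "NO_MATCH", "SKIPPED"


@dataclass
class PeerCert:
    """Identity fields of a peer certificate (hypothetical shape for this example)."""
    common_name: str
    san_dns_names: List[str] = field(default_factory=list)


def is_ip_literal(name: str) -> bool:
    """True when the name is an IPv4/IPv6 literal rather than a hostname."""
    try:
        ipaddress.ip_address(name)
        return True
    except ValueError:
        return False


def _normalize(name: str) -> str:
    # DNS names are case-insensitive and a trailing dot marks an absolute name.
    return name.rstrip(".").lower()


def fqdn_matches(cert: PeerCert, expected_fqdn: str) -> str:
    """Match the expected FQDN against the certificate CN and DNS SANs.

    IP literals are never accepted on either side: only Fully Qualified Domain
    Names identify a peer, so an IP-address CN or a configured IP host can
    never satisfy the check (which is why the page says to disable it then).
    """
    if is_ip_literal(expected_fqdn):
        return NO_MATCH
    expected = _normalize(expected_fqdn)
    presented = [cert.common_name] + list(cert.san_dns_names)
    for name in presented:
        if is_ip_literal(name):
            continue  # an IP address CN/SAN cannot satisfy an FQDN match
        if _normalize(name) == expected:
            return MATCH
    return NO_MATCH


def validate_server_fqdn(cert: PeerCert, sip_server_host: str, protocol: str = "TLS") -> str:
    """Validate Server FQDN: check the server certificate against the Host
    configured in the SIP Server table. Only applies when the protocol is TLS."""
    if protocol.upper() != "TLS":
        return SKIPPED
    return fqdn_matches(cert, sip_server_host)


def validate_client_fqdn(cert: PeerCert, peer_ip: str, mtls_enabled: bool,
                         reverse_dns: Dict[str, str]) -> str:
    """Validate Client FQDN: resolve the peer IP via reverse DNS and match the
    resulting FQDN against the client certificate. Skipped when MTLS is off."""
    if not mtls_enabled:
        return SKIPPED
    fqdn: Optional[str] = reverse_dns.get(peer_ip)
    if fqdn is None:
        return NO_MATCH  # no PTR record: nothing to match the certificate against
    return fqdn_matches(cert, fqdn)


# Constructed sample data (not from the page): a reverse DNS table that stands
# in for real PTR lookups so the example is self-contained.
SAMPLE_REVERSE_DNS = {
    "192.0.2.10": "sip1.example-itsp.test",
    "192.0.2.20": "sip2.example-itsp.test",
}

if __name__ == "__main__":
    good = PeerCert("sip1.example-itsp.test", ["SIP1.Example-ITSP.test."])
    ip_cn = PeerCert("192.0.2.10")
    print("server, FQDN host:", validate_server_fqdn(good, "sip1.example-itsp.test"))
    print("server, IP host:  ", validate_server_fqdn(ip_cn, "192.0.2.10"))
    print("client, MTLS on:  ", validate_client_fqdn(good, "192.0.2.10", True, SAMPLE_REVERSE_DNS))
    print("client, MTLS off: ", validate_client_fqdn(good, "192.0.2.10", False, SAMPLE_REVERSE_DNS))
```

The two checks share one matcher so that CN and SAN handling, case folding and the refusal of IP literals behave identically on both sides; the only difference is where the expected name comes from (the SIP Server table versus a PTR lookup).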