...
Secure SIP is a security measure that uses TLS, the successor to the Secure Sockets Layer (SSL) protocol. To add a TLS protection-level policy, you create a TLS Profile (tlsProfile) and configure each of the parameters. The tlsProfile is associated with a sipSignalingPort. The settings within the defaulttlsProfile may be modified. Also, the supported transport protocols must be set to allow SIP over TLS.
| Include Page |
|---|
TLS_version | TLS_version | | Include Page |
|---|
|
|
Command Syntax
...
| Caption |
|---|
| 0 | Table |
|---|
| 1 | TLS Profile Parameters |
|---|
|
Parameter | Length/Range | Description |
|---|
tlsProfileName
| 1-23 | Name assigned to this Transport Layer Security (TLS) profile. | acceptableCertValidationErrors | N/A | Use this parameter to specify if certificate chain validation errors are acceptable while validating the peer certificate. invalidPurpose none (default)
| allowedRoles
| N/A | Allowed TLS roles for this TLS profile. clientandserver – (default) Choose to select both a TLS client and server role, depending on the request direction. This is primarily for peering applications.server – The will only be a TLS server. This is primarily for access applications.
| appAuthTimer
| 1-60 | The higher layer authentication timer in seconds. (default = 5). | authClient
| N/A | Indicates whether or not a TLS client is forced to authenticate itself within TLS. If set to false, the client is not required to authenticate itself at the TLS layer, but must complete authentication within a higher-level protocol after the TLS connection is established (that is, SIP registration). | cipherSuite1
| N/A | Use this parameter to specify the first TLS Cipher Suite choice for this profile. See Table 2 Supported Cipher Suites table below for the list of cipher suites. | cipherSuite2
| N/A | Use this optional parameter to specify the second TLS Cipher Suite choice for this profile. See Table 2 Supported Cipher Suites table below for the list of cipher suites. | cipherSuite3
| N/A | Use this optional parameter to specify the third TLS Cipher Suite choice for this profile. See Table 2 Supported Cipher Suites table below for the list of cipher suites. | clientCertName
| 1-23 | The name of the default Client Certificate to be used by this TLS profile, created using the SECURITY PKI configuration object. | handshakeTimer
| 1-60 | The time (in seconds) in which the TLS handshake must be completed. The timer starts when the TCP connection is established. (default = 5) | ocspProfileName | 1-23 | Name of OCSP profile object referenced by TLS profile. | serverCertName
| 1-23 | Specifies the name of the Server Certificate to be used by this TLS profile, created using the SECURITY PKI configuration object. | sessionResumpTimer
| 0-86400 | The TLS session resumption period (in seconds) for which cached sessions are retained. TLS allows successive connections to be created within one TLS session (and the resumption of a session after a TLS connection is closed or after a server card failover) without repeating the entire authentication and other setup steps for each connection, except when the space must be reclaimed for a new session. (default = 3600) | suppressEmptyFragments | N/A | Enable flag to prevent the SBC from inserting empty fragments when sending packets on TLS over TCP connection in support of older versions of TLS implementation. disabled (default)
enabled
| v1_0 | N/A | TLS protocol version 1.0 (see note below) disabled enabled (default)
| v1_1 | N/A | TLS protocol version 1.1 (see note below) disabled (default)
enabled
| v1_2 | N/A | TLS protocol version 1.2 (see note below) disabled (default)
enabled
|
|
| Excerpt Include |
|---|
| TLS for Signaling |
|---|
| TLS for Signaling |
|---|
| nopanel | true |
|---|
|
...