...

  1. Click the Create TLS Profile icon at the top of the TLS Profile page.

     Figure 1: Create TLS - SBC SWe Edge and SBC 1000/2000 (image not reproduced)

     Figure 1: Create TLS Profile - Cloud Native SBC SWe Edge (image not reproduced)

...


Specifies the SIP TLS client and server handshake inactivity timeout interval.

The Inactivity Timeout terminates the TLS session if no handshake has occurred within the specified period of time.
Increase the handshake inactivity timeout to 30 seconds if the network shows delays and/or timeouts.

Client Cipher List

Available since Release 11.0.1



Specifies the cipher suite parameter exchanged and negotiated in the SIP TLS client handshake message. The list is automatically populated with the ciphers supported for the selected TLS Protocol.

For {series3} and SBC 1000/2000:

The {product} supports the following TLS cipher suites:

  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 
  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  • TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
  • TLS_RSA_WITH_3DES_EDE_CBC_SHA
  • TLS_RSA_WITH_AES_256_CBC_SHA256
  • TLS_RSA_WITH_AES_128_CBC_SHA256
  • TLS_RSA_WITH_AES256_CBC_SHA
  • TLS_RSA_WITH_AES128_CBC_SHA
  • TLS_RSA_WITH_DES_CBC_SHA
Note: Lync Cipher Incompatibility

TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA is incompatible with Lync servers.

For {series5}:

The {series5} supports the following TLS cipher suites:

  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
  • TLS_RSA_WITH_AES_256_CBC_SHA256
  • TLS_RSA_WITH_AES_128_CBC_SHA256
  • TLS_RSA_WITH_AES256_CBC_SHA
  • TLS_RSA_WITH_AES128_CBC_SHA
  • TLS_RSA_WITH_3DES_EDE_CBC_SHA
Only 3 ciphers are allowed per profile in the {series5} cluster.
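As an added illustration (not Ribbon code and not part of the original page), the following Python ranks the suites listed above and picks a three-suite profile, which matters where only 3 ciphers are allowed per profile; the scoring weights and the SERIES3_SUITES/SERIES5_SUITES names are assumptions of this example, and the suite strings are copied as the page prints them.

```python
import re

# Cipher suites exactly as this page lists them for the two platform families.
SERIES3_SUITES = [  # series3 and SBC 1000/2000
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_RSA_WITH_AES_256_CBC_SHA256", "TLS_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_RSA_WITH_AES256_CBC_SHA", "TLS_RSA_WITH_AES128_CBC_SHA", "TLS_RSA_WITH_DES_CBC_SHA",
]
SERIES5_SUITES = [  # series5 cluster: only 3 suites allowed per profile
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384", "TLS_RSA_WITH_AES_256_CBC_SHA256",
    "TLS_RSA_WITH_AES_128_CBC_SHA256", "TLS_RSA_WITH_AES256_CBC_SHA",
    "TLS_RSA_WITH_AES128_CBC_SHA", "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
]
LYNC_INCOMPATIBLE = {"TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA"}  # per the page's note

def legacy_reasons(suite):
    """Why a suite does not belong in a hardened profile (empty list means acceptable)."""
    reasons = []
    if "3DES" in suite:
        reasons.append("64-bit block cipher (3DES)")
    elif "_DES_" in suite:
        reasons.append("56-bit single DES")
    if "ECDHE" not in suite:
        reasons.append("static RSA key exchange, no forward secrecy")
    if suite.endswith("_SHA"):
        reasons.append("HMAC-SHA1 record MAC")
    return reasons

def score(suite):
    """Preference order (assumed weights): AEAD and forward secrecy first, DES family last."""
    s = 4 * ("ECDHE" in suite) + 4 * ("_GCM_" in suite)
    s += 1 if re.search(r"AES_?256", suite) else 0  # page writes AES256 and AES_256
    if "3DES" in suite:
        s -= 10
    elif "_DES_" in suite:
        s -= 20
    return s - (1 if suite.endswith("_SHA") else 0)

def select_profile(suites, limit=3, exclude=frozenset()):
    """Strongest `limit` suites, after dropping DES/3DES and anything in `exclude`."""
    ok = [c for c in suites
          if c not in exclude and not any("DES" in r for r in legacy_reasons(c))]
    return sorted(ok, key=lambda c: -score(c))[:limit]
```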


Verify Peer Server Certificate

Specifies whether or not to verify the identity of a peer server. Available when Mutual Authentication is disabled.

Not applicable to Cloud Native.

Note

This setting is part of the standard level of Mutual TLS security. Verify Peer Server Certificate implies that Mutual Authentication is enabled first. Verify Peer Server Certificate includes a check on the certificate dates for certificate validity and whether the certificate is signed by a local trusted root CA.


...

Not applicable to Cloud Native.

Validate Server FQDN is an enhanced security feature of the {product}, which is disabled if the common name in the certificate is an IP address (a practice observed by some ITSPs). This field is only visible when Mutual Authentication is disabled and Validate Peer Server Certificate is enabled.

The Validate Server FQDN (enabled) option allows the {product} to perform an FQDN match of an incoming peer certificate common name (CN) or Subject Alternate Name (SAN) against the host that is configured in the SIP Server table of the {product} (the protocol must be TLS and the Host must be in the form of an FQDN).

Note
  • The {product} does not validate IP addresses to identify a peer server, but only Fully Qualified Domain Names (FQDN).
  • Make sure this parameter is set to Disabled if the peer server is using an IP address.


...

Specifies the reverse DNS lookup of a peer's FQDN. Used to verify the identity of the SIP peer client certificate.

This action takes place when both Mutual Authentication and Validate Client FQDN are enabled. If Mutual Authentication is disabled, Validate Client FQDN is also disabled. Validate Client FQDN is an enhanced security feature of the {product}, which could be disabled if the common name in the certificate is an IP address (some ITSPs do that). When Validate Client FQDN is enabled, this option allows the {product} to perform an FQDN match of an incoming peer certificate common name (CN) or Subject Alternate Name (SAN) against a reverse DNS lookup of the IP address to an FQDN.

Not applicable to Cloud Native.

Note

The {product} does not validate IP addresses to identify a peer server, but only Fully Qualified Domain Names (FQDN).
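The two FQDN checks described for Validate Server FQDN and Validate Client FQDN, as an added Python example that is not part of the original page or the product's code: the certificate is modelled as a dict of CN and SAN entries, the reverse lookup is an injected function so the example runs offline, and all sample names and addresses are constructed.

```python
import ipaddress

def _is_ip(name):
    """True if the name is an IPv4/IPv6 literal (the page: IPs are never validated as FQDNs)."""
    try:
        ipaddress.ip_address(name)
        return True
    except ValueError:
        return False

def _norm(host):
    return host.rstrip(".").lower()

def _cert_names(cert):
    """CN plus DNS SANs of a (constructed) certificate dict; both are matched per the page."""
    return [n for n in [cert.get("cn", "")] + list(cert.get("san", [])) if n]

def validate_server_fqdn(cert, configured_host, protocol="TLS"):
    """Validate Server FQDN: CN/SAN of the peer server cert vs. the Host in the SIP Server table.
    Returns (ok, reason). Preconditions from the page: protocol TLS and Host given as an FQDN."""
    if protocol != "TLS":
        return False, "SIP Server entry protocol must be TLS"
    if _is_ip(configured_host):
        return False, "configured Host is an IP address; set Validate Server FQDN to Disabled"
    names = _cert_names(cert)
    if not names or all(_is_ip(n) for n in names):
        return False, "certificate identifies the peer only by IP address"
    if _norm(configured_host) in {_norm(n) for n in names}:
        return True, "CN/SAN matches configured FQDN"
    return False, "no CN/SAN matches configured FQDN"

def validate_client_fqdn(cert, peer_ip, reverse_lookup, mutual_auth=True):
    """Validate Client FQDN: reverse-resolve the peer IP and match the name against CN/SAN.
    Returns (ok, reason); ok is None when the check is disabled. reverse_lookup is injected
    (assumption of this example) so it runs offline; a real resolver call would replace it."""
    if not mutual_auth:
        return None, "Validate Client FQDN is disabled when Mutual Authentication is disabled"
    ptr = reverse_lookup(peer_ip)
    if not ptr:
        return False, "no reverse DNS name for peer IP"
    if _norm(ptr) in {_norm(n) for n in _cert_names(cert)}:
        return True, "reverse DNS name matches CN/SAN"
    return False, "reverse DNS name does not match CN/SAN"

# Constructed sample data (not from the page).
SAMPLE_CERT = {"cn": "sbc.itsp.example", "san": ["sip.itsp.example"]}
IP_CN_CERT = {"cn": "203.0.113.10", "san": []}
SAMPLE_PTR = {"203.0.113.10": "sbc.itsp.example", "203.0.113.11": "other.example"}
```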


...

Specifies the certificate (primary or supplementary) that is in use and that the {product2} sends to the endpoint that initiates the TLS handshake process. The server attributes of the TLS profile associate with the SIP SG Listener Port entries configured for the TLS protocol. The default is the primary certificate.

...