To create or modify a TLS Profile:
- In the WebUI, click the Settings tab.
- In the left navigation pane, go to Security > TLS Profiles.
Modifying a TLS Profile
- Click the expand icon next to the entry you wish to modify.
- Edit the entry properties as required; see the field definitions below.
Creating a TLS Profile
- Click the Create TLS Profile icon at the top of the TLS Profile page.
TLS Profile - Field Definitions
TLS Protocol
Specifies the TLS version. The Client Cipher List is automatically updated to display only the ciphers supported for the selected TLS version.
Allow Weak Cipher
When enabled, this option allows the use of a weak (older) cipher: an additional (weak) cipher is added to the end of the client cipher list.
- SBC as the TLS server: When the SBC acts as the server, it allows older clients to authenticate using older TLS ciphers.
- SBC as the TLS client: When the SBC acts as a client in the call, the additional cipher added to the end of the list is offered to the server when negotiating the cipher. The ordered list of ciphers is presented to the server end with the cipher preferred by the SBC at the top.
Handshake Inactivity Timeout
Specifies the SIP TLS client and server handshake inactivity timeout interval.
The inactivity timeout terminates the TLS session if no handshake has occurred within the specified period of time.
The handshake inactivity timeout should be adjusted to 30 seconds if there are network delays and/or timeouts.
Verify Peer Server Certificate
Specifies whether or not to verify the identity of a peer server. Available when Mutual Authentication is disabled.
This setting is part of the standard level of Mutual TLS security. Verify Peer Server Certificate implies that Mutual Authentication is enabled first. Verify Peer Server Certificate includes a check on the certificate dates for certificate validity and whether the certificate is signed by a local trusted root CA.
Client Cipher
Specifies the cipher suite parameter exchanged and negotiated in the SIP TLS client handshake message. The list is automatically populated with the ciphers supported for the selected TLS Protocol.
The SBC supports the following TLS cipher suites:
- TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
- TLS_RSA_WITH_3DES_EDE_CBC_SHA
- TLS_RSA_WITH_AES_256_CBC_SHA256
- TLS_RSA_WITH_AES_128_CBC_SHA256
- TLS_RSA_WITH_AES_256_CBC_SHA
- TLS_RSA_WITH_AES_128_CBC_SHA
- TLS_RSA_WITH_DES_CBC_SHA
Lync Cipher Incompatibility
The TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA cipher suite is incompatible with Lync servers.
Validate Server FQDN
Validate Server FQDN is an enhanced security feature of the SBC. It is disabled if the common name in the certificate is an IP address (a practice observed by some ITSPs). This field is only visible when Validate Peer Server Certificate is enabled and Mutual Authentication is disabled.
When Validate Server FQDN is enabled, the SBC performs an FQDN match of the incoming peer certificate common name (CN) or Subject Alternative Name (SAN) against the Host configured in the SIP Server table of the SBC (the protocol must be TLS and the Host must be in the form of an FQDN).
Mutual Authentication
Enables the mutual authentication request and verification of the SIP peer client certificate.
This setting is part of the standard level of Mutual TLS security. Mutual Authentication includes a check on the certificate dates for certificate validity and whether the certificate is signed by a local trusted root CA.
Validate Client FQDN
Specifies a reverse DNS lookup of the peer's FQDN, used to verify the identity of the SIP peer client certificate.
This check takes place only when both MTLS and Validate Client FQDN are enabled. If MTLS is disabled, Validate Client FQDN is also disabled. Validate Client FQDN is an enhanced security feature of the SBC, which could be disabled if the common name in the certificate is an IP address (some ITSPs do that).
When Validate Client FQDN is enabled, the SBC performs an FQDN match of the incoming peer certificate common name (CN) or Subject Alternative Name (SAN) against the FQDN obtained by a reverse DNS lookup of the peer's IP address.
The SBC does not validate IP addresses to identify a peer server, but only Fully Qualified Domain Names (FQDN).
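The two FQDN checks described above, as an added example that is not the SBC's own code: the CN/SAN match against the configured SIP Server host (Validate Server FQDN) and against a reverse DNS lookup of the peer IP (Validate Client FQDN). The matching rules, the `reverse_lookup` callback, and the PTR table are assumptions made for the example.

```python
import ipaddress
from typing import Callable, Iterable, Optional, Tuple

def is_ip_literal(value: str) -> bool:
    """True for an IPv4/IPv6 literal, False for a hostname/FQDN."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def cert_names(cn: Optional[str], sans: Iterable[str]) -> set:
    """Names the certificate asserts: CN plus DNS SANs, normalised
    to lower case without a trailing dot."""
    return {n.lower().rstrip(".") for n in [cn, *sans] if n}

def validate_server_fqdn(cn: Optional[str], sans: Iterable[str],
                         configured_host: str) -> Tuple[bool, str]:
    """Validate Server FQDN (assumed logic): the Host from the SIP Server
    table must be an FQDN and must equal the peer cert CN or a SAN."""
    if is_ip_literal(configured_host):
        return False, "configured host is an IP address, not an FQDN"
    if configured_host.lower().rstrip(".") in cert_names(cn, sans):
        return True, "CN/SAN matches configured host"
    return False, "no CN/SAN matches configured host"

def validate_client_fqdn(cn: Optional[str], sans: Iterable[str], peer_ip: str,
                         reverse_lookup: Callable[[str], Optional[str]]) -> Tuple[bool, str]:
    """Validate Client FQDN (assumed logic): reverse-resolve the peer IP and
    require that FQDN to equal the cert CN or a SAN. A cert that only names
    an IP address cannot pass, matching the page's caveat about ITSP certs."""
    names = cert_names(cn, sans)
    if not names or all(is_ip_literal(n) for n in names):
        return False, "certificate names only an IP address, not an FQDN"
    ptr = reverse_lookup(peer_ip)
    if ptr is None:
        return False, f"no reverse DNS (PTR) record for {peer_ip}"
    if ptr.lower().rstrip(".") in names:
        return True, f"reverse DNS {ptr} matches CN/SAN"
    return False, f"reverse DNS {ptr} does not match CN/SAN"

# Constructed PTR table standing in for real reverse DNS; 192.0.2.0/24 is
# documentation address space and sip1.itsp.example is a hypothetical peer.
PTR_TABLE = {"192.0.2.10": "sip1.itsp.example.", "192.0.2.11": None}

def lookup_ptr(ip: str) -> Optional[str]:
    """Reverse lookup against the constructed table (no network access)."""
    return PTR_TABLE.get(ip)
```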