Asterisk SIP/TLS Transport
When using TLS the client will typically check the validity of the certificate chain. That means you either need a certificate signed by one of the larger CAs, or, if you use a self-signed certificate, you must install a copy of your CA certificate on the client.
So far this code has been tested with:
- Asterisk as client and server (TLS and TCP)
- Polycom Soundpoint IP Phones (TLS and TCP) - Polycom phones require that the host (IP or hostname) configured on the phone matches the 'common name' in the certificate
- Minisip Softphone (TLS and TCP)
- Cisco IOS Gateways (TCP only)
- SNOM 360 (TLS only)
- Zoiper Biz Softphone (TLS and TCP)
sip.conf options
tlsenable=yes
- Enable TLS server, default is no
tlsbindaddr=<ip address>
- Specify IP address to bind TLS server to, default is 0.0.0.0
tlscertfile=</path/to/certificate>
- The server's certificate file. Should include the key and certificate. This is mandatory if you're going to run a TLS server.
tlscafile=</path/to/certificate>
- If the server you're connecting to uses a self-signed certificate you should have their certificate installed here so the code can verify the authenticity of their certificate.
tlscapath=</path/to/ca/dir>
- A directory full of CA certificates. The files must be named with the CA subject name hash value. (see man SSL_CTX_load_verify_locations for more info)
tlsdontverifyserver=yes
- If set to yes, don't verify the server's certificate when acting as a client. If you don't have the server's CA certificate you can set this and it will connect without requiring tlscafile to be set. Default is no.
tlscipher=<SSL cipher string>
- A string specifying which SSL ciphers to use or not use. A list of valid SSL cipher strings can be found at http://www.openssl.org/docs/apps/ciphers.html#CIPHER_STRINGS
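The options above leave three practical questions open: how to build the combined key-and-certificate file that tlscertfile expects, how to name files in a tlscapath directory so OpenSSL finds them, and how to confirm that a peer will actually pass the chain and common-name checks before reaching for tlsdontverifyserver=yes. The script below is an added example, not part of the Asterisk documentation or the Asterisk source: it creates a throwaway CA and a CA-signed server certificate with openssl, lays out a tlscapath directory using the subject-hash naming that SSL_CTX_load_verify_locations requires, verifies the chain and the CN the way a client such as a Polycom phone would, and writes a client-side sip.conf snippet that pins the CA instead of disabling verification. The hostname, directory and peer name are constructed values; the [general] section and the transport=tls peer option are standard chan_sip settings assumed here but not listed on this page.

```shell
#!/bin/sh
# Added example (not from the Asterisk docs): local PKI + checks for chan_sip TLS.
set -e

WORK="${WORK:-$(mktemp -d)}"                              # scratch dir (assumed writable)
SERVER_HOST="${SERVER_HOST:-server_b.example.invalid}"    # constructed hostname

# 1. Throwaway self-signed CA. In a real deployment keep ca.key off the PBX.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Example SIP CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
}

# 2. Server key, CSR and CA-signed certificate. The CN is the exact host the
#    phones are configured to dial, which is what the Polycom note requires.
#    tlscertfile wants key and certificate in one file, so concatenate them.
make_server_cert() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$SERVER_HOST" \
        -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$WORK/server.csr" \
        -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
        -out "$WORK/server.crt" 2>/dev/null
    cat "$WORK/server.key" "$WORK/server.crt" > "$WORK/asterisk.pem"
}

# 3. tlscapath layout: every CA file must be named <subject-hash>.0
#    (see SSL_CTX_load_verify_locations(3)); a plain ca.pem in the
#    directory is silently ignored. Prints the hash so callers can check it.
make_capath() {
    mkdir -p "$WORK/capath"
    hash=$(openssl x509 -noout -subject_hash -in "$WORK/ca.pem")
    cp "$WORK/ca.pem" "$WORK/capath/$hash.0"
    echo "$hash"
}

# 4. Chain verification against the capath, as the TLS client library does it.
verify_chain() {
    openssl verify -CApath "$WORK/capath" "$WORK/server.crt" >/dev/null 2>&1
}

# 5. Common-name check: does the certificate CN equal the configured host?
#    (Polycom phones refuse the connection when these differ.)
cert_cn_matches() {
    cn=$(openssl x509 -noout -subject -in "$WORK/server.crt" | sed 's/.*CN *= *//')
    [ "$cn" = "$1" ]
}

# 6. Client-side sip.conf fragment: pin the CA with tlscafile and keep
#    verification on, rather than setting tlsdontverifyserver=yes.
write_client_snippet() {
    cat > "$WORK/sip-client.conf" <<EOF
[general]
tlsenable=yes
tlsbindaddr=0.0.0.0
tlscertfile=$WORK/asterisk.pem
tlscafile=$WORK/ca.pem
tlscapath=$WORK/capath
tlsdontverifyserver=no

[server_b]                     ; constructed peer name
type=peer
host=$SERVER_HOST
transport=tls                  ; assumed chan_sip option, not from this page
EOF
}

main() {
    make_ca
    make_server_cert
    h=$(make_capath)
    echo "capath entry: $WORK/capath/$h.0"
    verify_chain && echo "chain: OK"
    cert_cn_matches "$SERVER_HOST" && echo "CN matches $SERVER_HOST"
    write_client_snippet
    echo "client snippet: $WORK/sip-client.conf"
}

main
```

Run it once and copy asterisk.pem to the tlscertfile path on the server, ca.pem (or the hashed capath entry) to the client; if verify_chain fails after a key rotation, the usual cause is a stale hash-named file in tlscapath rather than anything in sip.conf.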
Sample config
Here are the relevant bits of config for setting up TLS between 2 Asterisk servers, with server_a registering to server_b.
On server_a:
On server_b: