[Freeswitch-users] SIPS & SRTP questions

Mitch Capper mitch.capper at gmail.com
Wed Mar 14 18:24:39 MSK 2012


Hello Jean-Yves,
Well, common-name matching is not required by all SIP clients but may
be by some of yours.  Yes, you would want to set this as the CN
name.   Assuming your FS box is run on your ADSL box (or the
important ports are forwarded to your FS box) you shouldn't run into
an issue, as you already handle the NATted client problem by faking the
DNS entry for your CN name.  FS should be able to handle both external
and internal clients without an issue.   While you can certainly issue
certificates for each client (in fact it's encouraged!), see
http://wiki.freeswitch.org/wiki/SIP_TLS#Step_4_Client_Configuration
for generating individual client certs easily (although make sure you
are running HEAD); there may be an issue with revocation.   I am not
sure if revocation is currently enabled (or supported) in the libsofia
stack.  Test it and see; I would bet it isn't.  As for getting it
enabled, the first step would be to verify it's supported by libsofia;
checking the documentation at http://sofia-sip.sourceforge.net/,
specifically http://sofia-sip.sourceforge.net/refdocs/tport/tport__tag_8h.html,
may be a good place to start.  If it supports revocation but we don't
expose it then it may be an easy change; if it doesn't, it's going to be
a bit more of an uphill battle, as you will have to patch it and our
sofia to add the option for revocation checks.   If you post back with
your results I may be willing to help with the work to add this
additional security feature (assuming it doesn't already work).

Normally I would guess that you would actually have everyone who is an
authed user connecting on 5061 (or whatever your TLS port is).
5060 is meant for users who auth against the server, vs 5080
being more of the public/outbound side of the server, is somewhat
how I have always looked at it.

As for forcing SSLv23 and SRTP, that's pretty straightforward:
http://wiki.freeswitch.org/wiki/Sofia_Configuration_Files#TLS
documents the sofia options, including
tls-only, which will prevent sofia from even listening for unencrypted
connections. Setting tls-version to sslv23 takes care of what
version to use; the final one is just how to ensure all calls are
encrypted.   As your clients can only connect encrypted with tls-only,
it takes care of ensuring the signalling channel is encrypted; to
ensure SRTP just add sip_secure_media=true to the channel vars.

~Mitch
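An added example, not part of the post above or of FreeSWITCH itself: a small audit script that checks a sofia profile for the three settings Mitch names (tls, tls-only, tls-version) and a dialplan for the sip_secure_media channel variable. The profile and dialplan fragments are constructed samples, one weak and one hardened, so the script runs offline.

```python
import xml.etree.ElementTree as ET
# Constructed sofia profile fragments (not real deployment files); the param
# names are the sofia profile keys the post points to: tls, tls-only, tls-version.
WEAK_PROFILE = """<profile name="internal"><settings>
  <param name="sip-port" value="5060"/>
  <param name="tls" value="false"/>
</settings></profile>"""

HARDENED_PROFILE = """<profile name="internal"><settings>
  <param name="sip-port" value="5060"/>
  <param name="tls" value="true"/>
  <param name="tls-sip-port" value="5061"/>
  <param name="tls-only" value="true"/>
  <param name="tls-version" value="sslv23"/>
</settings></profile>"""

# Constructed dialplan extension that forces SRTP with the channel variable named in the post.
SRTP_DIALPLAN = """<extension name="secure_call"><condition field="destination_number" expression="^(\\d+)$">
  <action application="set" data="sip_secure_media=true"/>
  <action application="bridge" data="user/$1"/>
</condition></extension>"""

def profile_params(xml_text):
    """Map each <param name=...> to its value within a sofia <profile>."""
    return {p.get("name"): p.get("value") for p in ET.fromstring(xml_text).iter("param")}

def audit_profile(xml_text):
    """Return findings for the signalling side; an empty list means TLS is enforced."""
    params = profile_params(xml_text)
    findings = []
    if params.get("tls", "false").lower() != "true":
        findings.append("tls is off: the profile has no TLS listener")
    if params.get("tls-only", "false").lower() != "true":
        findings.append("tls-only is not set: unencrypted SIP is still accepted")
    if "tls-version" not in params:
        findings.append("tls-version is unset: protocol version is left to the stack default")
    return findings

def dialplan_forces_srtp(xml_text):
    """True if some set/export action assigns sip_secure_media=true in the extension."""
    for action in ET.fromstring(xml_text).iter("action"):
        if action.get("application") in ("set", "export") and \
           action.get("data", "").replace(" ", "") == "sip_secure_media=true":
            return True
    return False

if __name__ == "__main__":
    print("weak:", audit_profile(WEAK_PROFILE))
    print("hardened:", audit_profile(HARDENED_PROFILE) or "ok")
    print("srtp forced:", dialplan_forces_srtp(SRTP_DIALPLAN))
```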
