[Freeswitch-users] SIPS & SRTP questions
Bzzz
lazyvirus at gmx.com
Wed Mar 14 19:06:52 MSK 2012
On Wed, 14 Mar 2012 08:24:39 -0700
Mitch Capper <mitch.capper at gmail.com> wrote:
Hi Mitch,
>
> and internal clients without an issue. While you can certainly issue
> certificates for each client (In fact it's encouraged!) see
> http://wiki.freeswitch.org/wiki/SIP_TLS#Step_4_Client_Configuration
Oops, I sent my email before reaching this text.
> for generating individual client certs easily (although make sure you
> are running HEAD), there may be an issue with revocation. I am not
> sure if revocation is currently enabled (or supported) in the libsofia
> stack. Test it and see, I would bet it isn't. As for getting it
> enabled first would be to verify it's supported by libsofia first,
> checking the documentation at http://sofia-sip.sourceforge.net/
> specifically http://sofia-sip.sourceforge.net/refdocs/tport/tport__tag_8h.html
Thanks for these links; unfortunately I didn't find any primitive
or comment that addresses this issue, and a: grep -Ri revo *
in the source tree didn't return any results.
This is weird, as it forces one to re-generate another crt/key pair
and distribute it to non-revoked users :(
>
> As for forcing SSLv23 and SRTP that's pretty straightforward:
> http://wiki.freeswitch.org/wiki/Sofia_Configuration_Files#TLS
Thanks for the link.
> documents the sofia options including:
> tls-only which will prevent sofia from even listening for un-encrypted
> connections. Setting tls-version to sslv23 takes care of what
> version to use, the final is just how to ensure all calls are
> encrypted. As your clients can only connect encrypted with tls-only
> it takes care of ensuring the signalling channel is encrypted, to
> ensure SRTP just add sip_secure_media=true to the channel vars.
That's exactly what I need :)
JY
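
Added example (not part of the original message and not FreeSWITCH project code): a small Python check that a Sofia profile and a dialplan fragment carry the three settings named in the thread (tls-only, tls-version set to sslv23, and sip_secure_media=true). The sample XML is constructed, the function names are hypothetical, and values are assumed to be literals rather than $${...} preprocessor variables.

```python
import xml.etree.ElementTree as ET

# Constructed sample input (not from the thread): a Sofia profile that still
# allows unencrypted SIP, and a dialplan extension that sets the channel var.
SAMPLE_PROFILE = """
<profile name="internal">
  <settings>
    <param name="tls-only" value="false"/>
    <param name="tls-version" value="sslv23"/>
  </settings>
</profile>
"""

SAMPLE_DIALPLAN = r"""
<extension name="secure_calls">
  <condition field="destination_number" expression="^(\d+)$">
    <action application="set" data="sip_secure_media=true"/>
    <action application="bridge" data="user/$1"/>
  </condition>
</extension>
"""

def audit_profile(profile_xml, wanted_version="sslv23"):
    """Return findings for the TLS params discussed in the thread."""
    params = {p.get("name"): (p.get("value") or "").strip().lower()
              for p in ET.fromstring(profile_xml).iter("param")}
    findings = []
    if params.get("tls-only") != "true":
        findings.append("tls-only is not true: unencrypted SIP listener possible")
    if params.get("tls-version") != wanted_version:
        findings.append("tls-version is %r, expected %r"
                        % (params.get("tls-version"), wanted_version))
    return findings

def sets_secure_media(dialplan_xml):
    """True if some set/export action assigns sip_secure_media=true."""
    for action in ET.fromstring(dialplan_xml).iter("action"):
        if action.get("application") not in ("set", "export"):
            continue
        name, _, value = (action.get("data") or "").partition("=")
        if name.strip() == "sip_secure_media" and value.strip().lower() == "true":
            return True
    return False

if __name__ == "__main__":
    for finding in audit_profile(SAMPLE_PROFILE):
        print("profile:", finding)
    print("dialplan sets sip_secure_media:", sets_secure_media(SAMPLE_DIALPLAN))
```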