
...

If both proxies have TLS enabled and the clients let you add the sips: prefix, you do not need to add special routing logic to the cfg. It can work even if the client itself does not use TLS (EyeBeam - TCP -> outbound SER --TLS--> SER ?? -> client).
Remember that TLS is done only on a hop-by-hop basis.
To be sure, or to define the TLS peers explicitly, you need to do the following:

Note: Encryption only, no mutual authentication

If encryption of the SIP messages is enough for you and no mutual verification of the servers is necessary, you can change:
tls_verify_server = 0

OpenSER proxy configuration:

...

No Format
        # check for requests targeted out of our domain
        if (!uri==myself) {
                # mark routing logic in request
                append_hf("P-hint: outbound\r\n");
                # destination DomainA
                if(uri=~"@domainA.net") {
                        t_relay("tls:sipserver.domainA.net:5061");
                        xlog("L_INFO", "Time [%Tf] Route to ces.net :%rm RURI:%ru  FROM:%fu TO:%tu \n buffer %mb \n flags \n %mf \n");
                        exit;
                }
                route(1);
        };

...

No Format
                # sip: requests for domainB are relayed explicitly over TLS to its
                # proxy sipx1.ces.net; sips: requests do not match "^sip:" and so
                # never reach this branch
                if (uri=~"^sip:.*@domainB"){
                        if (t_relay_to_tls("sipx1.ces.net","5061")) {
                                xlog("L_INFO","TLS Message to sipx1.ces.net\n ");
                        }
                        else {sl_reply_error();}
                        break;
                }

This will apply only to sip: URIs; sips: URIs will be routed by the internal rules (the default t_relay, using DNS SRV _sips._tcp or a DNS A record with port 5061, ...).

Validation, confirmation tests

  • register a UA at the proxy of domainA
  • register a UA at the proxy of domainB
  • make a call from UA 'A' to UA 'B' and see if it succeeds
  • check in the UA and proxy logging whether TLS was used (and there was no fallback to UDP)
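Because TLS is hop by hop, the last check above has to look at every hop, not just the inter-proxy link. The following added example (not part of the original page) walks the Via headers of a captured SIP message and reports any hop whose transport was not TLS; the message, hostnames and branch values are constructed for the example, with the UA leg deliberately on UDP as in the EyeBeam setup described above.

```python
import re

# Constructed sample: a 200 OK as seen at domainA's proxy after the call
# traversed domainA's proxy (TLS), domainB's proxy (TLS) and the UA (UDP).
SAMPLE_OK = (
    "SIP/2.0 200 OK\r\n"
    "Via: SIP/2.0/TLS sipserver.domainA.net:5061;branch=z9hG4bK-a1\r\n"
    "Via: SIP/2.0/TLS sipx1.ces.net:5061;branch=z9hG4bK-b2\r\n"
    "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK-c3\r\n"
    "From: <sip:alice@domainA.net>;tag=1\r\n"
    "To: <sip:bob@domainB>;tag=2\r\n"
    "Call-ID: example-1\r\n"
    "CSeq: 1 INVITE\r\n"
    "Content-Length: 0\r\n\r\n"
)

# One Via value: "SIP/2.0/<transport> <sent-by>[;params]"
VIA_VALUE = re.compile(r"\s*SIP/2\.0/(\w+)\s+([^;\s]+)")


def via_hops(message):
    """Return (transport, sent-by) for each Via value, top-most hop first.

    Handles the compact form "v:" and several comma-separated values in one
    header line; header folding is not handled (assumption for this example).
    """
    hops = []
    header_part = message.split("\r\n\r\n", 1)[0]
    for line in header_part.split("\r\n")[1:]:      # skip the start line
        name, sep, value = line.partition(":")
        if not sep or name.strip().lower() not in ("via", "v"):
            continue
        for entry in value.split(","):
            m = VIA_VALUE.match(entry)
            if m:
                hops.append((m.group(1).upper(), m.group(2)))
    return hops


def non_tls_hops(message):
    """Hops that were not protected by TLS.

    Any entry here is a cleartext segment of the path, even when every
    other hop used TLS, because TLS protects only one hop at a time.
    """
    return [(t, h) for t, h in via_hops(message) if t != "TLS"]
```

Run it against messages captured on each proxy (ngrep or a Via dump in xlog) and expect an empty list from non_tls_hops() on the inter-proxy legs; a UDP or TCP entry there means a fallback happened.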

OS-specific help

Reminder: this example is based on a compiled version of openSER, where the config is in /usr/local/etc/openser and the certificates are in /usr/local/etc/openser/tls/user; the paths might differ when installed from packages.