Comment: Migrated to Confluence 5.3

...

If both proxies have TLS enabled and the clients let you add the "sips:" prefix, you don't need to add special routing logic to the cfg. Even if the client itself doesn't use TLS, it can work (EyeBeam --TCP--> OB SER --TLS--> SER --??--> client).
Remember that TLS is applied only on a hop-by-hop basis.
To be sure, or to define TLS peers, you need to do the following:

Note
Encryption only, no mutual authentication

If encryption of the SIP messages is enough for you and no mutual verification of the servers is necessary, you can change:
tls_verify_server = 0

OpenSER proxy configuration:

...

No Format
        # check for requests targeted out of our domain
        if (!uri==myself) {
                # mark routing logic in request
                append_hf("P-hint: outbound\r\n");
                # destination DomainA
                if(uri=~"@domainA.net") {
                        t_relay("tls:sipserver.domainA.net:5061");
                        xlog("L_INFO", "Time [%Tf] Route to ces.net :%rm RURI:%ru  FROM:%fu TO:%tu \n buffer %mb \n flags \n %mf \n");
                        exit;
                }
                route(1);
        };

...

Validation, confirmation tests

  • register a UA at the proxy of domainA
  • register a UA at the proxy of domainB
  • make a call from UA 'A' to UA 'B' and see if it succeeds
  • check in the UA and proxy logging whether TLS was used (and there was no fallback to UDP)
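
One way to carry out the last check, as an added example that is not part of the original page: because TLS is hop by hop, the transport each hop used is recorded in the Via headers of the SIP message as received, so a message taken from UA or proxy logging can be inspected per hop. The sample messages, the UA address 192.0.2.10 and the user names are constructed; the function names are hypothetical.

```python
import re

# One Via value: "SIP/2.0/<transport> <sent-by>[;params]"
VIA_VALUE = re.compile(r"SIP\s*/\s*2\.0\s*/\s*(\w+)\s+([^;,\s]+)", re.I)

def via_hops(sip_message):
    """Return [(transport, sent_by), ...], topmost Via (latest hop) first."""
    headers = re.split(r"\r?\n\r?\n", sip_message, maxsplit=1)[0]  # ignore body
    headers = re.sub(r"\r?\n[ \t]+", " ", headers)  # unfold continuation lines
    hops = []
    for line in headers.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() in ("via", "v"):  # "v" is the compact form
            hops += [(t.upper(), by) for t, by in VIA_VALUE.findall(value)]
    return hops

def non_tls_hops(sip_message):
    """Hops that did not use TLS, e.g. a UA on TCP or a proxy that fell back to UDP."""
    return [hop for hop in via_hops(sip_message) if hop[0] != "TLS"]

# Constructed INVITE as the domainB proxy would receive it: domainA's proxy
# relayed over TLS, while the UA reached its own proxy over plain TCP.
SAMPLE_OK = (
    "INVITE sip:bob@domainB.net SIP/2.0\r\n"
    "Via: SIP/2.0/TLS sipserver.domainA.net:5061;branch=z9hG4bKconstructed1\r\n"
    "Via: SIP/2.0/TCP 192.0.2.10:5060;branch=z9hG4bKconstructed2\r\n"
    "From: <sip:alice@domainA.net>;tag=1\r\n"
    "To: <sip:bob@domainB.net>\r\n"
    "Content-Length: 0\r\n\r\n"
)
# Constructed failure case: the proxy-to-proxy hop went out over UDP.
SAMPLE_FALLBACK = SAMPLE_OK.replace("SIP/2.0/TLS sipserver.domainA.net:5061",
                                    "SIP/2.0/UDP sipserver.domainA.net:5060")

if __name__ == "__main__":
    for label, msg in (("ok", SAMPLE_OK), ("fallback", SAMPLE_FALLBACK)):
        hops = via_hops(msg)
        print(label, "inter-proxy hop:", hops[0], "non-TLS hops:", non_tls_hops(msg))
```

The topmost Via is the hop that delivered the message to the host that logged it, so on the receiving proxy a first entry other than TLS means the proxy-to-proxy leg was not encrypted.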

OS specific help

Reminder: this example is based on a compiled version of OpenSER where the config is in /usr/local/etc/openser and the certificates are in /usr/local/etc/openser/tls/user; these paths might differ when OpenSER is installed from packages.