TLS Definition
From Wikipedia:
Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL), are cryptographic protocols which provide secure communications on the Internet for such things as web browsing, e-mail, Internet faxing, instant messaging and other data transfers. There are slight differences between SSL 3.0 and TLS 1.0, but the protocol remains substantially the same. The term “TLS” as used here applies to both protocols unless clarified by context.
The TLS protocol(s) allow applications to communicate across a network in a way designed to prevent eavesdropping, tampering, and message forgery. TLS provides endpoint authentication and communications privacy over the Internet using cryptography. Typically, only the server is authenticated (i.e., its identity is ensured) while the client remains unauthenticated; this means that the end user (whether an individual or an application, such as a Web browser) can be sure with whom they are communicating. The next level of security — in which both ends of the “conversation” are sure with whom they are communicating — is known as mutual authentication. Mutual authentication requires public key infrastructure (PKI) deployment to clients. TLS involves three basic phases:
1. Peer negotiation for algorithm support
2. Public key encryption key-based exchange and certificate-based authentication
3. Symmetric cipher traffic-based encryption
Posted: July 7th, 2009
at 7:02am by admin
Configuring TLS on EyeBeam 1.5 and OpenSER Proxy
Hello to all my loyal visitors! The following is a documentation guide I wrote on how to configure EyeBeam 1.5 and the OpenSER SIP Proxy to make encrypted TLS SIP calls on a Debian Linux box. More information can be found after the jump. I wrote this page after searching the web for 2 weeks trying to find a tutorial that worked for me. I must have sent 100 emails to the CounterPath support team before I finally figured it out. They were very helpful, and here is what I’ve learned!
========================================================
Step 1: Download and install OpenSER
========================================================
This can be done very easily with SVN. By the time you read this article, newer versions may already have been released; you can check here. This article describes the configuration and installation of OpenSER 1.2. Use the following command line:
>svn co https://openser.svn.sourceforge.net/svnroot/openser/branches/1.2 openser
After you have downloaded it, you need to build it with TLS enabled. Despite the documentation, TLS is not enabled by default. To build with TLS enabled you must edit the Makefile: open it in your favorite editor, navigate to line 34, uncomment the TLS line, and then run the build with make:
>make all
After you have installed it, you can check whether it was done correctly by running the following command:
> openser -V
You should receive a printout as follows:
version: openser 1.2.1-tls (i386/linux)
flags: STATS: Off, USE_IPV6, USE_TCP, USE_TLS, DISABLE_NAGLE, USE_MCAST, SHM_MEM, SHM_MMAP, PKG_MALLOC, F_MALLOC, FAST_LOCK-ADAPTIVE_WAIT
ADAPTIVE_WAIT_LOOPS=1024, MAX_RECV_BUFFER_SIZE 262144, MAX_LISTEN 16, MAX_URI_SIZE 1024, BUF_SIZE 65535
poll method support: poll, sigio_rt, select.
svnrevision: 2:2363M
@(#) $Id: main.c 2304 2007-05-25 16:36:07Z bogdan_iancu $
main.c compiled on 11:19:17 Jun 15 2007 with gcc 3.3.5
The important part to look for is the first line, which has the -tls suffix showing that we have successfully built and installed OpenSER with TLS.
========================================================
Step 2: Building Certificates
========================================================
TLS provides a strong authentication mechanism, as well as encryption of the traffic that follows authentication.
Verification is the process by which the authentication data provided by the peers is checked. This data usually consists of a peer certificate plus a chain of trusted certification authorities. If, for whatever reason, either of the peers decides that the handshake is not valid, the TLS connection is not established.
This section describes how to generate all the keys and certificates needed to establish a TLS connection with OpenSER. The described TLS setup is based on the assumption that we run our own certificate authority (CA) and want to connect several OpenSER servers (a SIP domain) via TLS.
The first step to creating certificates is coming up with a config file for OpenSSL. I have attached the one I used to create my certificates to this document. I will highlight the important parts here.
[ root_ca_distinguished_name ]
commonName = 192.168.1.41
countryName = US
stateOrProvinceName = Washington
localityName = Seattle
0.organizationName = techtraces.com
emailAddress = address@domain.com
subjectAltName = URI:sip:dudu@192.168.1.41
The essential part of this certificate creation is that the commonName field has to match the Domain field in the SIP account settings described later. I suggest naming your config file openssl.cnf for less confusion.
Now create your Root CA.
Create a user directory:
#mkdir user
Generate your key and certificate request:
#openssl req -config openssl.cnf -out user/user-cert_req.pem -keyout user/user-privkey.pem -new -nodes
Change into the user directory:
#cd user
Get the contents of your newly created user-cert_req.pem and create the certificate file:
#more user-cert_req.pem
#touch user-cert.pem
Open the file with your favorite editor and paste the server certificate contents. Save and exit. If you are not working in a terminal on the server itself, create the file in a safe place and use scp to copy it to your server.
Next, create a CA list:
#touch user-calist.pem
#cat user-cert.pem >> user-calist.pem
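An added example, not the post's own procedure: the `openssl req -new` command above (without `-x509`) produces only a certificate signing request, so this script carries the same steps through to a signed certificate, the key and the ca-list that openser.cfg's tls_private_key, tls_certificate and tls_ca_list point at, and then checks the chain and the commonName the way a TLS peer would. It assumes a private CA of our own, a SIP domain of 192.168.1.41 and a temporary output directory; the final check fails for any other domain, which is the certificate name mismatch the handshake reports when the EyeBeam Domain does not match the certificate.

```shell
#!/bin/sh
# Added example (not the post's own procedure). Paths, the CA name and the
# SIP domain below are assumptions; everything is written to a temp dir.
set -eu

SIP_DOMAIN="${SIP_DOMAIN:-192.168.1.41}"   # must equal EyeBeam's Domain field
CERTDIR="${CERTDIR:-$(mktemp -d)}"

make_sip_certs() {
  dir="$1"; domain="$2"
  # 1. Private CA: self-signed, unencrypted key (mirrors the post's -nodes)
  openssl req -x509 -new -nodes -newkey rsa:2048 -days 10 \
    -subj "/CN=Example SIP CA/O=techtraces.com" \
    -keyout "$dir/ca-key.pem" -out "$dir/ca-cert.pem" 2>/dev/null
  # 2. Server key + signing request; CN is the SIP domain the phone will use
  openssl req -new -nodes -newkey rsa:2048 \
    -subj "/CN=$domain/O=techtraces.com" \
    -keyout "$dir/user-privkey.pem" -out "$dir/user-cert_req.pem" 2>/dev/null
  # 3. Sign the request with the CA and add the SIP URI as a SAN
  printf 'subjectAltName=URI:sip:dudu@%s\n' "$domain" > "$dir/san.cnf"
  openssl x509 -req -days 10 -in "$dir/user-cert_req.pem" \
    -CA "$dir/ca-cert.pem" -CAkey "$dir/ca-key.pem" -CAcreateserial \
    -extfile "$dir/san.cnf" -out "$dir/user-cert.pem" 2>/dev/null
  # 4. The ca-list holds every CA a peer may chain to (here only ours)
  cat "$dir/ca-cert.pem" > "$dir/user-calist.pem"
}

# Print the CN of a PEM certificate, e.g. 192.168.1.41
cert_cn() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 |
    sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# Succeeds if the certificate chains to the CA list (what tls_verify_* does)
verify_chain() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Succeeds only if the chain verifies AND the CN equals the SIP domain;
# any other domain is the certificate-name mismatch seen in the handshake
check_sip_cert() {
  verify_chain "$1/user-calist.pem" "$1/user-cert.pem" || return 1
  [ "$(cert_cn "$1/user-cert.pem")" = "$2" ]
}

make_sip_certs "$CERTDIR" "$SIP_DOMAIN"
check_sip_cert "$CERTDIR" "$SIP_DOMAIN"
echo "OK: key, cert and ca-list for $SIP_DOMAIN are in $CERTDIR"
```

Point tls_certificate, tls_private_key and tls_ca_list at the three files in the printed directory; the ca-list must also be installed on every peer that is expected to verify this server.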
========================================================
Step 3: Configuring OpenSER
========================================================
The default location of the OpenSER config file is:
>/usr/local/etc/openser/openser.cfg
Here is the configuration that I ended up with. I am not saying it is the greatest and most optimum, but it is what worked for me. The IP of the test machine I used was 192.168.1.41. I did not need to change any module parameters.
# ----------- global configuration parameters ------------------------
debug=9 # debug level (cmd line: -dddddddddd)
children=4
# Uncomment these lines to enter debugging mode
fork=yes
log_stderror=yes
#
listen=192.168.1.41
#port=5060
# uncomment the following lines for TLS support
disable_tls = 0
listen = tls:192.168.1.41:5061
tls_verify_server = 1
tls_verify_client = 0
tls_require_client_certificate = 0
tls_method = SSLv23
tls_certificate = "/root/Desktop/certs/user-cert_req.cert"
tls_private_key = "/root/Desktop/certs/user/user-privkey.pem"
tls_ca_list = "/root/Desktop/certs/user-calist.pem"
========================================================
Step 4: Running OpenSER
========================================================
To run OpenSER in the background:
>/etc/init.d/openser start
It can also be run in the foreground (helpful for debugging):
>openser
========================================================
Step 5: EyeBeam SIP Account Settings
========================================================
This would seem to be the easiest part of the entire setup, but it is not exactly as straightforward as you’d think. First you need to navigate to the SIP Account Settings on the EyeBeam phone and create a new account. We used the default name Account1. The first tab you need to edit is the Accounts tab.
Some important things to notice in this screenshot are that the password and auth username are not necessary in our setup, and that the Domain must be the IP address and Common Name used when creating your certificate earlier. Another thing that will cause TLS to fail is not providing the correct port in the Domain Proxy: it does not automatically try 5061. If you get this wrong there will be all sorts of alerts, certificate name mismatches and decrypt errors in your TLS handshake. I am going to attach screenshots of the GUI and a trace of a successful handshake to this document also.
After you have entered the account information you need to select the Security tab. Make the following settings (shown in the attached screenshots) to ensure that the phone registers correctly with OpenSER.
Thanks, hope you enjoyed my instructions. I have attached all the certificates I created, all my config files, and even screenshots of the GUI. Please ask any questions on this page and I will respond to help you get yours working as well!
