TLS module

Peter Griffiths

unknown

Klaus Darilion

enum.at

Edited by

Klaus Darilion

Edited by

Bogdan-Andrei Iancu

Edited by

Cesc Santasusana

Edited by

Klaus Darilion

Edited by

Christian Lahme

Edited by

Ionut-Razvan Ionita


Table of Contents

1. Admin Guide
1.1. Overview
1.2. History
1.3. Scenario
1.4. Dependencies
1.4.1. OpenSIPS Modules
1.4.2. Dependencies of external libraries
1.5. OpenSIPS Exported parameters
1.5.1. listen=interface
1.5.2. tls_port (integer)
1.5.3. tls_crlf_pingpong (integer)
1.5.4. tls_crlf_drop (integer)
1.5.5. tls_max_msg_chunks (integer)
2. Frequently Asked Questions

List of Examples

1.1. Set listen variable
1.2. Set tls_port variable
1.3. Set tls_crlf_pingpong parameter
1.4. Set tls_crlf_drop parameter
1.5. Set tls_max_msg_chunks parameter

Chapter 1. Admin Guide

1.1. Overview

TLS, as defined in SIP RFC 3261, is a mandatory feature for proxies and can be used to secure the SIP signalling on a hop-by-hop basis (not end-to-end). TLS works on top of TCP. DTLS, or TLS over UDP is already defined by IETF and may become available in the future.

1.2. History

The TLS support was originally developed by Peter Griffiths and posted as a patch on SER development mailing list. Thanks to Cesc Santasusana, several problems were fixed and some improvements were added.

The TLS support was simultaneously added in both projects. In SER, the support was committed in a separate experimental CVS tree, as patch to the main CVS tree. In OpenSIPS, the support was integrated directly into the CVS tree, as a built-in component, and is part of stable OpenSIPS since release >=1.0.0.

Starting with OpenSIPS 2.1, the TLS has been moved to a separate transport module, that implements the more generic Transport Interface.

1.3. Scenario

By the increased number of providers the SIP world is continuously growing. More users means more calls and more calls means a high probability for a user to receive calls from totally unknown people or, in the worst case, to receive unwanted calls. To prevent this, a defense mechanism must be adopted by the SIP provider. Since only the called user is fully able to classify a call as being unwanted, the SIP server, based on all information regarding the call should notify the user about the desirability of the call. Information like the caller domain, the received source or the incoming protocol can be very useful for a SIP server to establish the nature of the call.

As this information is quite limited, is very improbable for a server to be able detect the unwanted calls - there are many calls that it cannot predict anything about its status (neutral calls). So, instead on alerting the called user about unwanted calls, the server can notify the user about calls that are considered trusted - calls for which the server is 100% sure there are not unwanted.

So, a trust concept must be defined for SIP servers. Which calls are trusted and which are not? A call is trusted if the caller can be identify as a trustable user - a user about we have reliable information.

Since all the user from its domain are authenticated (or should be), a SIP server can consider all the calls generated by its user as trusted. Now we have to extend the trust concept to the multi-domain level. A mutual agreement, between several domains, can establish a trusting relationship. So, a domain (called A) will consider also as trusted calls all the calls generated by user from a different domain (called B) and vice-versa. But just an agreement is not enough; since the authentication information is strictly limited to a domain (a domain can authenticate only its own user, not the user from other domains), there is still the problem of checking the authenticity of the caller - he can impersonate (by a false FROM header) a user from a domain that is trusted.

The answer to this problem is TLS (Transport Layer Security). All calls via domain A and domain B will be done via TLS. Authentication in origin domain plus TLS transport between domains will make the call 100% trusted for the target domain.

For such a mechanism to work, the following requirements must be met:

  • all UA must have set as outbound proxy their home server.

  • all SIP servers must authenticated all the calls generated by their own users.

  • all SIP servers must relay the calls generated be their user to a trusted domain via TLS.

Based on this, a server can classify as trusted a call for one of its user only if the call is also generated by one of its users or is the call is received from a trusted domain ( which is equivalent with a call received via TLS). Untrusted call will be calls received from users belonging to untrusted domains or from users from trusted domains, but whose calls are not routed via their home server (so, they are not authenticated by there home servers).

Once the server is able to tell if the call is trusted or not, the still open issue is about the mechanism used by server to notify the called user about the nature of the incoming call.

One way to do it is by remotely changing the ringing type of the called user's phone. This can be done by inserting special header into the INVITE request. Such feature is supported by now by several hardphones like CISCO ATA, CISCO 7960 and SNOM. This phones can change their ringing tone based on the present or content of the "Alert-Info" SIP header as follows:

  • CISCO ATA - it has 4 pre-defined ringing types. The Alert-Info header must look like Alert-info: Bellcore-drX EOH where X can be between 1 and 4. Note that 1 is the phone default ringing tone.

  • CISCO 7960 - it has 2 pre-defined ringing types and the possibility of uploading new ones. The Alert-Info header must look like Alert-info: X EOH where X can be whatever number. When this header is present, the phones will not change the ringing tone, but the ringing pattern. Normally, the phone rings like [ring.........ring..........ring] where [ring] is the ringing tone; if the header is present, the ringing pattern will be [ring.ring.........ring.ring........]. So, to be able to hear some difference between the two patterns (and not only as length), its strongly recommended to have a highly asymmetric ringing type (as the pre-defined are not!!).

  • SNOM - The Alert-Info header must look like Alert-info: URL EOH" where URL can be a HTTP URL (for example) from where the phone can retrieve a ringing tone.

1.4. Dependencies

1.4.1. OpenSIPS Modules

The following modules must be loaded before this module:

  • tls_mgm.

1.4.2. Dependencies of external libraries

OpenSIPS TLS v1.0 support requires the following packages:

  • openssl or libssl >= 0.9.6

  • openssl-dev or libssl-dev

OpenSIPS TLS v1.1/1.2 support requires the following packages:

  • openssl or libssl >= 1.0.1e

  • openssl-dev or libssl-dev

1.5. OpenSIPS Exported parameters

All these parameters can be used from the opensips.cfg file, to configure the behavior of OpenSIPS-TLS.

1.5.1. listen=interface

Not specific to TLS. Allows to specify the protocol (udp, tcp, tls), the IP address and the port where the listening server will be.

Example 1.1. Set listen variable

...
listen = tls:1.2.3.4:5061
...
				

1.5.2. tls_port (integer)

The default port to be used for all TLS related operation. Be careful as the default port impacts both the SIP listening part (if no port is defined in the TLS listeners) and the SIP sending part (if the destination URI has no explicit port).

If you want to change only the listening port for TLS, use the port option in the SIP listener defintion.

Default value is 5061.

Example 1.2. Set tls_port variable

...
modparam("proto_tls", "tls_port", 5062)
...
				

1.5.3. tls_crlf_pingpong (integer)

Send CRLF pong (\r\n) to incoming CRLFCRLF ping messages over TLS. By default it is enabled (1).

Default value is 1 (enabled).

Example 1.3. Set tls_crlf_pingpong parameter

...
modparam("proto_tls", "tls_crlf_pingpong", 0)
...

1.5.4. tls_crlf_drop (integer)

Drop CRLF (\r\n) ping messages. When this parameter is enabled, the TLS layer drops packets that contains a single CRLF message. If a CRLFCRLF message is received, it is handled according to the tls_crlf_pingpong parameter.

Default value is 0 (disabled).

Example 1.4. Set tls_crlf_drop parameter

...
modparam("proto_tls", "tls_crlf_drop", 1)
...

1.5.5. tls_max_msg_chunks (integer)

The maximum number of chunks that a SIP message is expected to arrive via TLS. If a packet is received more fragmented than this, the connection is dropped (either the connection is very overloaded and this leads to high fragmentation - or we are the victim of an ongoing attack where the attacker is sending the traffic very fragmented in order to decrease server performance).

Default value is 4.

Example 1.5. Set tls_max_msg_chunks parameter

...
modparam("proto_tls", "tls_max_msg_chunks", 8)
...

Chapter 2. Frequently Asked Questions

2.1.

Where can I post a question about TLS?

Use one (the most appropriate) of the OpenSIPS mailing lists:

Remember: first at all, check if your question wasn't already answered.

2.2.

How can I report a bug?

Accumulate as much as possible information (OpenSIPS version, opensips -V output, your OS (uname -a), OpenSIPS logs, network dumps, core dump files, configuration file) and send a mail to http://lists.opensips.org/cgi-bin/mailman/listinfo/devel

Also you may try OpenSIPS's bug report web page: http://www.opensips.org/pmwiki.php?n=Development.Tracker

2.3.

How can I debug ssl/tls problems?

Increase the log level in opensips.cfg (log_level=4) and watch the log statements in syslog.

Install the ssldump utility and start it. This will give you a trace of the ssl/tls connections.

2.4.

What is the difference between the TLS directory and the TLSOPS module directory?

The code in the TLS directory implements the TLS transport layer. The TLSOPS module implements TLS related functions which can be used in the routing script.

2.5.

Where can I find more about OpenSIPS?

Take a look at http://www.opensips.org/.

2.6.

Where can I post a question about this module?

First at all check if your question was already answered on one of our mailing lists:

E-mails regarding any stable OpenSIPS release should be sent to and e-mails regarding development versions should be sent to .

If you want to keep the mail private, send it to .

2.7.

How can I report a bug?

Please follow the guidelines provided at: https://github.com/OpenSIPS/opensips/issues.