Using TLS

From reSIProcate
Revision as of 21:00, 26 April 2011 by Pckizer (convert another page with sample code to display it in syntax-highlighted form)

Adding a TLS transport

In order to use a TLS transport you must:

  • compile the resiprocate project with the USE_SSL pre-processor define enabled
  • create a Security object before creating a SipStack, passing the certificate store location to the Security constructor (the default on Windows is c:\sipCerts and the default on Linux is ~/.sipCerts/)
  • pass the created Security object to the SipStack constructor
  • add a TLS transport by using the addTransport method of the SipStack interface (or of the DialogUsageManager interface, if using DUM):
      /**
         Used by the application to add in a new built-in transport.  The transport is
         created and then added to the Transport Selector.

         @throws Transport::Exception If the transport couldn't be added, usually
                                      because the port was already bound.

         @param protocol              TCP, UDP, TLS, DTLS, etc.

         @param port                  Specifies which port to bind to.

         @param version               Protocol Version:  V4 or V6

         @param stun                  Whether STUN handling is enabled on this
                                      transport (StunDisabled by default).

         @param ipInterface           Specifies which ethernet interface to bind to. If set to
                                      Data::Empty, bind to all interfaces.

         @param sipDomainname         Only allow messages to be sent as the specified domain.
                                      For the default case, you can pass in
                                      domainname = DnsUtil::getLocalDomainName().
                                      Only used for TLS-based transports.

         @param privateKeyPassPhrase  Private key pass phrase used to decrypt private key
                                      certificates.  Note: for now this parameter is not used;
                                      we are loading PKCS7 keys, so a pass phrase is not required.

         @param sslType               Version of the TLS specification to use:  SSLv23 or TLSv1
      */
      Transport* addTransport( TransportType protocol,
                               int port,
                               IpVersion version=V4,
                               StunSetting stun=StunDisabled,
                               const Data& ipInterface = Data::Empty,
                               const Data& sipDomainname = Data::Empty, // only used for TLS based stuff
                               const Data& privateKeyPassPhrase = Data::Empty,
                               SecurityTypes::SSLType sslType = SecurityTypes::TLSv1);
  • For acting as a TLS server - ensure that domain_cert_<domainname>.pem and domain_key_<domainname>.pem exist in the certificate store, where <domainname> is the sipDomainname bound to this transport; without both files the transport has no certificate to present
  • For acting as a TLS client - ensure the certificate authority certificates (root_cert_<CA>.pem) for the CAs that issued your peers' certificates exist in the certificate store; otherwise the peer's certificate chain cannot be verified
  • The sslType argument selects the OpenSSL method: SSLv23 is the version-flexible method that negotiates the highest protocol version both peers support, while TLSv1 fixes the connection to TLS 1.0


Certificate Types and Naming Conventions

There are five kinds of certificate and key files used by the resiprocate stack, all in PEM format and located by file name in the certificate store:

Root Certificates

Contains the certificates (public keys) of the CAs (Certificate Authorities) that the stack trusts when verifying peer certificates

root_cert_<name>.pem

eg.
    root_cert_verisign.pem
    root_cert_mycertauth.pem

Domain Certificates and Keys

Contains available certificates and private keys for the domains the system serves

domain_cert_<domainname>.pem
domain_key_<domainname>.pem

eg. 
    domain_cert_sip.example.com.pem
    domain_key_sip.example.com.pem

User Certificates and Keys

Contains available certificates and private keys for specific users (used for S/MIME)

user_cert_<username>.pem
user_key_<username>.pem
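
Both the transport checklist above (domain cert and key for the server role, root certs for the client role) and the file naming convention can be checked before the stack is started. The following script is an added example and not reSIProcate code: it assumes only the naming convention and the default store locations stated on this page, builds two constructed stores of placeholder PEM files (PEM framing around dummy base64, not real certificates or keys) in a temporary directory, and reports whether a TLS transport bound to sip.example.com could act as a server and as a client. The helper names (scan_store, check_tls_transport, demo) are hypothetical and mine.

```python
"""Preflight check for a reSIProcate-style certificate store.

Added example, not reSIProcate code.  Assumes only the file naming
convention from this page (root_cert_<name>.pem, domain_cert_<domain>.pem,
domain_key_<domain>.pem, user_cert_<user>.pem, user_key_<user>.pem) and
the default store locations (c:\\sipCerts on Windows, ~/.sipCerts on Linux).
"""
import os
import re
import tempfile

KINDS = ("root_cert", "domain_cert", "domain_key", "user_cert", "user_key")
NAME_RE = re.compile(r"^(" + "|".join(KINDS) + r")_(.+)\.pem$")
CERT_MARKER = "-----BEGIN CERTIFICATE-----"
KEY_MARKERS = ("-----BEGIN PRIVATE KEY-----",
               "-----BEGIN RSA PRIVATE KEY-----",
               "-----BEGIN ENCRYPTED PRIVATE KEY-----")


def default_store_path():
    """Default store location from the page: c:\\sipCerts on Windows, ~/.sipCerts elsewhere."""
    return r"c:\sipCerts" if os.name == "nt" else os.path.expanduser("~/.sipCerts")


def scan_store(path):
    """Map each file kind to {<name>: filepath}; files outside the convention are ignored."""
    found = {kind: {} for kind in KINDS}
    for fname in sorted(os.listdir(path)):
        m = NAME_RE.match(fname)
        if m:
            found[m.group(1)][m.group(2)] = os.path.join(path, fname)
    return found


def pem_has(path, markers):
    """True if the first 4 KiB of the file carries one of the given PEM markers."""
    with open(path, "r", encoding="ascii", errors="replace") as f:
        head = f.read(4096)
    return any(m in head for m in markers)


def check_tls_transport(path, domain):
    """Report what a TLS transport bound to `domain` can do with the store at `path`."""
    store = scan_store(path)
    problems = []
    server_ok = True

    cert = store["domain_cert"].get(domain)
    key = store["domain_key"].get(domain)
    for label, f, markers in (("cert", cert, (CERT_MARKER,)), ("key", key, KEY_MARKERS)):
        if f is None:
            problems.append(f"missing domain_{label}_{domain}.pem: cannot act as TLS server for {domain}")
            server_ok = False
        elif not pem_has(f, markers):
            problems.append(f"{os.path.basename(f)} does not contain a PEM {label}")
            server_ok = False
    # The page says no pass phrase is used, so the key sits unencrypted on disk:
    # it must not be group/world readable.
    if key is not None and os.name == "posix" and os.stat(key).st_mode & 0o077:
        problems.append(f"{os.path.basename(key)} is group/world readable; use mode 0600")

    # A cert without its key, or a key without its cert, is usually a misnamed file.
    for d in store["domain_cert"].keys() - store["domain_key"].keys():
        problems.append(f"domain_cert_{d}.pem has no matching domain_key_{d}.pem")
    for d in store["domain_key"].keys() - store["domain_cert"].keys():
        problems.append(f"domain_key_{d}.pem has no matching domain_cert_{d}.pem")

    # Client role: at least one usable CA certificate is needed to verify peers.
    roots = [os.path.basename(p) for p in store["root_cert"].values() if pem_has(p, (CERT_MARKER,))]
    if not roots:
        problems.append("no usable root_cert_<name>.pem: peer certificates cannot be verified")

    return {"server_ok": server_ok, "client_ok": bool(roots), "roots": roots, "problems": problems}


def _write_placeholder(path, marker, mode=None):
    """Constructed placeholder: PEM framing around dummy base64, NOT a real certificate or key."""
    with open(path, "w", encoding="ascii") as f:
        f.write(f"{marker}\nQUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVo=\n{marker.replace('BEGIN', 'END')}\n")
    if mode is not None and os.name == "posix":
        os.chmod(path, mode)


def demo():
    """Build a complete and an incomplete constructed store and check both for sip.example.com."""
    with tempfile.TemporaryDirectory() as tmp:
        good = os.path.join(tmp, "good")
        os.mkdir(good)
        _write_placeholder(os.path.join(good, "root_cert_mycertauth.pem"), CERT_MARKER)
        _write_placeholder(os.path.join(good, "domain_cert_sip.example.com.pem"), CERT_MARKER)
        _write_placeholder(os.path.join(good, "domain_key_sip.example.com.pem"), KEY_MARKERS[0], 0o600)

        bad = os.path.join(tmp, "bad")
        os.mkdir(bad)
        _write_placeholder(os.path.join(bad, "domain_cert_sip.example.com.pem"), CERT_MARKER)
        # Wrong name: the stack's convention would never pick this key up.
        _write_placeholder(os.path.join(bad, "sip.example.com.key"), KEY_MARKERS[0], 0o600)

        return check_tls_transport(good, "sip.example.com"), check_tls_transport(bad, "sip.example.com")


if __name__ == "__main__":
    for label, result in zip(("good", "bad"), demo()):
        print(label, result)
```

Run it with python3 to see the two reports; to check a live store, call check_tls_transport(default_store_path(), "<your domain>"). It only checks that the files exist under the expected names, carry PEM framing, and that the unencrypted private key is not readable by other users. It does not verify that the key matches the certificate or that the chain is valid; that is left to OpenSSL inside the stack.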