TLS Parameters

The Transport Layer Security (TLS) parameters are described in the table below.

TLS Parameters

Each entry below gives the parameter's Web interface name, its CLI path, its ini-file name in square brackets, and then its description.

'TLS Client Re-Handshake Interval'

configure network > security-settings > tls-re-hndshk-int

[TLSReHandshakeInterval]

Defines the time interval (in minutes) between TLS Re-Handshakes initiated by the device.

The interval range is 0 to 1,500 minutes. The default is 0 (i.e., no TLS Re-Handshake).

'TLS Mutual Authentication'

configure network > security-settings > SIPSREQUIRECLIENTCERTIFICATE

[SIPSRequireClientCertificate]

Defines the device's mode of operation regarding mutual authentication and certificate verification for TLS connections.

[0] Disable = (Default)
Device acts as a client: Verification of the server’s certificate depends on the VerifyServerCertificate parameter.
Device acts as a server: The device does not request the client certificate.
[1] Enable =
Device acts as a client: Verification of the server certificate is required to establish the TLS connection.
Device acts as a server: The device requires the receipt and verification of the client certificate to establish the TLS connection.

Note:

This feature can be configured per SIP Interface (see Configuring SIP Interfaces).
The SIPS certificate files can be changed using the parameters HTTPSCertFileName and HTTPSRootFileName.

'Peer Host Name Verification Mode'

configure network > security-settings > PEERHOSTNAMEVERIFICATIONMODE

[PeerHostNameVerificationMode]

Enables the device to verify the Subject Name of a TLS certificate received from SIP entities for authentication and establishing TLS connections.

[0] Disable (default)
[1] Server Only = Verify Subject Name only when acting as a client for the TLS connection.
[2] Server & Client = Verify Subject Name when acting as a server or client for the TLS connection.

If the device receives a certificate from a SIP entity (IP Group) and the parameter is configured to Server Only or Server & Client, it attempts to authenticate the certificate based on the addresses (FQDNs or IP addresses) that the certificate contains, as follows.

The device searches for a Proxy Set that contains the same address (IP address or FQDN) as that specified in the certificate's SubjectAltName (Subject Alternative Names). For Proxy Sets with an FQDN, the device checks the FQDN itself and not the DNS-resolved IP addresses. If a Proxy Set is found with a matching address, the device establishes a TLS connection.

If a matching Proxy Set is not found, one of the following occurs:

If the certificate's SubjectAltName extension is marked as "critical", the device rejects the call.
If the SubjectAltName extension is not marked as "critical", the device checks whether the Common Name (CN) of the certificate's Subject field matches the value configured for the TLSRemoteSubjectName parameter or an address configured for the Proxy Set. If it matches, the device establishes the TLS connection; otherwise, the device rejects the call.

Note:

If you configure the parameter to Server & Client, you also need to configure the SIPSRequireClientCertificate parameter to Enable.
For FQDN, the certificate may use wildcards (*) to replace parts of the domain name.

'TLS Client Verify Server Certificate'

configure network > security-settings > tls-vrfy-srvr-cert

[VerifyServerCertificate]

Determines whether the device, when acting as a client for TLS connections, verifies the server certificate. The certificate chain is verified against the installed Root CA certificate(s).

[0] Disable (default)
[1] Enable

Note: Chain verification only confirms that a trusted CA issued the certificate, not that it was issued to the intended peer. If Subject Name verification is necessary, the parameter PeerHostNameVerificationMode must be used as well.

'TLS Remote Subject Name'

configure network > security-settings > tls-rmt-subs-name

[TLSRemoteSubjectName]

Defines the Subject Name that is compared with the name in the remote side's certificate when establishing TLS connections.
If the SubjectAltName of the received certificate does not match any of the configured Proxy Set host names/IP addresses and the extension is not marked as 'critical', the Common Name (CN) of the certificate's Subject field is compared with this value. If they are not equal, the TLS connection is not established. If the CN is a domain name, the certificate may use wildcards ('*') to replace parts of the domain name.

The valid range is a string of up to 49 characters.

Note: The parameter is applicable only if the parameter PeerHostNameVerificationMode is set to 1 or 2.
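The following is an added example, not AudioCodes code, that models the Subject Name decision described for PeerHostNameVerificationMode and TLSRemoteSubjectName above: SubjectAltName entries are matched against the Proxy Set addresses first (FQDNs compared as names, never DNS-resolved), a critical SubjectAltName that matches nothing rejects the call, and otherwise the Subject CN is compared with TLSRemoteSubjectName or the Proxy Set. The certificate fields are a constructed record rather than a parsed DER certificate, and one detail is an assumption beyond the text: a '*' in a certificate FQDN is taken to match text within a single DNS label only. The config_warnings helper encodes the two notes (Server & Client requires SIPSRequireClientCertificate=1; name checks without VerifyServerCertificate=1 are not chain-validated).

```python
"""Added example (not AudioCodes code): a model of the Subject Name check that
the PeerHostNameVerificationMode and TLSRemoteSubjectName descriptions lay out.
The certificate is a constructed record rather than a parsed DER certificate.
Assumption beyond the text: a '*' in a certificate FQDN matches text within
one DNS label only (it does not span a dot)."""
import re
from dataclasses import dataclass, field
from ipaddress import ip_address
from typing import List, Optional, Tuple

# PeerHostNameVerificationMode values from the parameter table
DISABLE, SERVER_ONLY, SERVER_AND_CLIENT = 0, 1, 2


@dataclass
class PeerCert:
    """Fields of the received certificate that the check uses (constructed)."""
    subject_cn: Optional[str]
    san: List[str] = field(default_factory=list)  # DNS names / IPs in SubjectAltName
    san_critical: bool = False                    # SubjectAltName marked critical


def name_matches(cert_name: str, configured: str) -> bool:
    """Compare one name from the certificate with one configured address.

    IP addresses are compared as addresses. FQDNs are compared as strings,
    label by label, never through DNS resolution, so an IP SAN does not match
    a Proxy Set FQDN even if that FQDN resolves to the same IP.
    """
    cert_name = cert_name.lower().rstrip(".")
    configured = configured.lower().rstrip(".")
    try:
        return ip_address(cert_name) == ip_address(configured)
    except ValueError:
        pass  # at least one side is not an IP literal: compare as FQDNs
    cert_labels, cfg_labels = cert_name.split("."), configured.split(".")
    if len(cert_labels) != len(cfg_labels):
        return False
    for pattern, label in zip(cert_labels, cfg_labels):
        # '*' matches any text inside this label (assumption: never across a dot)
        regex = ".*".join(re.escape(part) for part in pattern.split("*"))
        if not re.fullmatch(regex, label):
            return False
    return True


def verify_peer(cert: PeerCert, mode: int, acting_as: str,
                proxy_set_addresses: List[str],
                tls_remote_subject_name: str = "") -> Tuple[bool, str]:
    """Decide whether the TLS connection is established; returns (ok, reason).

    acting_as is "client" or "server" for this particular TLS connection.
    """
    if mode == DISABLE or (mode == SERVER_ONLY and acting_as == "server"):
        return True, "subject name verification not enabled for this role"
    # Step 1: SubjectAltName entries against the Proxy Set addresses (FQDN or IP).
    for san in cert.san:
        for addr in proxy_set_addresses:
            if name_matches(san, addr):
                return True, f"SAN {san!r} matches Proxy Set address {addr!r}"
    # Step 2: no matching Proxy Set and the SAN extension is critical: reject.
    if cert.san_critical:
        return False, "no Proxy Set matches SubjectAltName, which is critical"
    # Step 3: fall back to the Subject CN against TLSRemoteSubjectName or the Proxy Set.
    candidates = [n for n in (tls_remote_subject_name, *proxy_set_addresses) if n]
    if cert.subject_cn:
        for cand in candidates:
            if name_matches(cert.subject_cn, cand):
                return True, f"CN {cert.subject_cn!r} matches {cand!r}"
    return False, "neither SubjectAltName nor CN matches a configured name"


def config_warnings(mode: int, sips_require_client_certificate: int,
                    verify_server_certificate: int) -> List[str]:
    """Flag parameter combinations that leave the check incomplete."""
    warnings = []
    if mode == SERVER_AND_CLIENT and sips_require_client_certificate != 1:
        warnings.append("Server & Client needs SIPSRequireClientCertificate=1; "
                        "otherwise the device never requests a client certificate")
    if mode != DISABLE and verify_server_certificate != 1:
        warnings.append("VerifyServerCertificate=0: as a client the chain is not "
                        "checked against the Root CA, so a self-signed certificate "
                        "carrying the expected name would pass the name check")
    return warnings


if __name__ == "__main__":
    # Constructed peer certificate: wildcard SAN, non-critical.
    peer = PeerCert(subject_cn="sip.example.com", san=["*.example.com"])
    print(verify_peer(peer, SERVER_ONLY, "client", ["sbc1.example.com"]))
    print(config_warnings(SERVER_AND_CLIENT, 0, 0))
```

The critical-SAN case is the one worth trying against a real deployment: a certificate whose SubjectAltName holds only an IP address is rejected when the Proxy Set is configured by FQDN, even if the CN would have matched, because the FQDN is never resolved and the critical extension stops the CN fallback.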

'TLS Expiry Check Start'

expiry-check-start

[TLSExpiryCheckStart]

Defines when the device sends an SNMP alarm (acCertificateExpiryAlarm) to notify that the installed TLS server certificate is about to expire. This is defined by the number of days before the certificate's expiration date. For example, if configured to 5, the alarm is sent 5 days before the expiration date. For more information on the alarm, refer to the SNMP Reference Guide.

The valid value is 0 to 3650. The default is 60.

'TLS Expiry Check Period'

expiry-check-period

[TLSExpiryCheckPeriod]

Defines the periodic interval (in days) at which the device checks the TLS server certificate's expiry date.

The valid value is 1 to 3650. The default is 7.

Because the expiry date is evaluated only at this interval, the alarm can be raised up to TLSExpiryCheckPeriod minus one day after the TLSExpiryCheckStart threshold is crossed; keep TLSExpiryCheckStart comfortably larger than TLSExpiryCheckPeriod (as the defaults of 60 and 7 are) so the alarm cannot arrive after the certificate has already expired.
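The following is an added example, not AudioCodes code, that simulates the periodic expiry check governed by TLSExpiryCheckStart and TLSExpiryCheckPeriod and reports how many days of notice the acCertificateExpiryAlarm actually gives for a given schedule. It assumes, beyond what the text states, that the alarm is raised by the first periodic check that finds the certificate within TLSExpiryCheckStart days of expiry rather than being scheduled independently; the dates used are constructed.

```python
"""Added example (not AudioCodes code): simulates the periodic expiry check
driven by TLSExpiryCheckStart and TLSExpiryCheckPeriod to show how much notice
the acCertificateExpiryAlarm gives. Assumption beyond the text: the alarm is
raised by the first periodic check that finds the certificate within
TLSExpiryCheckStart days of expiry (it is not scheduled independently)."""
from datetime import date, timedelta


def alarm_notice_days(not_after: date, first_check: date,
                      start_days: int, period_days: int) -> int:
    """Return how many days before not_after the alarm is raised.

    A negative result means the check only noticed the certificate after it
    had already expired. first_check is the date of any one check run; the
    schedule repeats every period_days from there.
    """
    if not 1 <= period_days <= 3650 or not 0 <= start_days <= 3650:
        raise ValueError("outside the documented parameter ranges")
    check = first_check
    while True:
        days_left = (not_after - check).days
        if days_left <= start_days:      # threshold reached at this check
            return days_left
        check += timedelta(days=period_days)


def worst_case_notice_days(start_days: int, period_days: int) -> int:
    """Smallest notice any schedule can give: the threshold may be crossed the
    day after a check ran, and the next check is period_days later."""
    return start_days - (period_days - 1)


def expiry_settings_ok(start_days: int, period_days: int,
                       min_notice_days: int = 1) -> bool:
    """True if every possible check schedule raises the alarm at least
    min_notice_days before the certificate expires."""
    return worst_case_notice_days(start_days, period_days) >= min_notice_days


if __name__ == "__main__":
    # Constructed certificate expiry date and a check run 13 days before it.
    expiry = date(2030, 1, 31)
    run = expiry - timedelta(days=13)
    print("defaults (60/7):", alarm_notice_days(expiry, run, 60, 7), "days notice")
    print("start 5, period 7:", alarm_notice_days(expiry, run, 5, 7), "days notice")
    print("5/7 safe?", expiry_settings_ok(5, 7))
```

With the defaults the alarm always arrives between 54 and 60 days before expiry; with TLSExpiryCheckStart=5 and TLSExpiryCheckPeriod=7 the simulation shows a schedule on which the alarm is raised one day after the certificate has already expired.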