TLS for SIP Clients
When Secure SIP (SIPS) is implemented using TLS, it is sometimes required to use two-way (mutual) authentication between the device and a SIP user agent (client). When the device acts as the TLS server in a specific connection, the device demands the authentication of the SIP client’s certificate. Both the device and the client use certificates from a CA to authenticate each other, sending their X.509 certificates to one another during the TLS handshake. Once the sender is verified, the receiver sends its certificate to the sender for verification. SIP signaling starts when authentication of both sides completes successfully.
TLS mutual authentication can be configured for all calls (globally), or for specific calls by enabling mutual authentication for the associated SIP Interface. The TLS Context associated with the SIP Interface or Proxy Set belonging to these calls is used.
➢ To configure mutual TLS authentication for SIP messaging:
1. Enable two-way authentication:
   ● Globally (for all calls):
      i. Open the Security Settings page (Setup menu > IP Network tab > Security folder > Security Settings).
      ii. Select the 'TLS Mutual Authentication' check box [SIPSRequireClientCertificate].
   ● For specific SIP Interface:
      ii. Configure the 'TLS Mutual Authentication' parameter to Enable.
2. Configure a TLS Context with the following certificates:
   ● Make sure that the TLS certificate is signed by a CA that the SIP client trusts so that the client can authenticate the device.
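The trust requirement in step 2, and the reverse direction described at the top of this section, can be checked offline with the openssl CLI before certificates are loaded. This is an added example, not part of the original documentation; it builds a constructed throwaway PKI, and the function names, file names and CNs are assumptions.

```shell
#!/bin/sh
# Added example. Builds a constructed, throwaway PKI; all names are placeholders.

# make_ca PREFIX CN: self-signed root CA written to PREFIX.pem / PREFIX.key
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -keyout "$1.key" -out "$1.pem" 2>/dev/null
}

# issue_cert CA_PREFIX PREFIX CN: leaf certificate signed by the given CA
issue_cert() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$3" \
        -keyout "$2.key" -out "$2.csr" 2>/dev/null &&
    openssl x509 -req -in "$2.csr" -CA "$1.pem" -CAkey "$1.key" \
        -CAcreateserial -days 1 -out "$2.pem" 2>/dev/null
}

# check_mutual_trust DEVICE_CERT CLIENT_CA_BUNDLE CLIENT_CERT DEVICE_CA_BUNDLE
# 0 = both sides can authenticate each other
# 1 = client would reject the device, 2 = device would reject the client
check_mutual_trust() {
    openssl verify -purpose sslserver -CAfile "$2" "$1" >/dev/null 2>&1 || return 1
    openssl verify -purpose sslclient -CAfile "$4" "$3" >/dev/null 2>&1 || return 2
    return 0
}

# Constructed sample data: one CA shared by device and client, one unrelated CA.
pki=$(mktemp -d)
make_ca "$pki/ca" "Demo Root CA"
make_ca "$pki/other" "Unrelated CA"
issue_cert "$pki/ca" "$pki/device" "sbc.example.test"
issue_cert "$pki/ca" "$pki/phone" "phone1.example.test"
issue_cert "$pki/other" "$pki/rogue" "rogue.example.test"

for client in phone rogue; do
    rc=0
    check_mutual_trust "$pki/device.pem" "$pki/ca.pem" \
        "$pki/$client.pem" "$pki/ca.pem" || rc=$?
    echo "$client: check_mutual_trust returned $rc"
done
```

To check a real deployment, call check_mutual_trust with the exported PEM files of the device certificate, the client's trusted CA bundle, the client certificate and the device's trusted CA bundle in place of the constructed ones.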