TLS Parameters

The Transport Layer Security (TLS) parameters are described in the table below.

TLS Parameters

Each entry gives the parameter's Web interface name, its CLI path (CLI:) and its ini-file name (ini:), followed by the parameter's description.

'TLS Client Re-Handshake Interval'
CLI: configure network > security-settings > tls-re-hndshk-int
ini: [TLSReHandshakeInterval]

Description: Defines the time interval (in minutes) between TLS re-handshakes initiated by the device.

The valid range is 0 to 1,500 minutes. The default is 0 (i.e., no TLS re-handshake).

'TLS Mutual Authentication'
CLI: configure network > security-settings > sips-require-client-certificate
ini: [SIPSRequireClientCertificate]

Description: Defines the device's mode of operation regarding mutual authentication and certificate verification for TLS connections.

[0] Disable (default):
    - When the device acts as a client, verification of the server's certificate depends on the [VerifyServerCertificate] parameter.
    - When the device acts as a server, it doesn't request the client's certificate.
[1] Enable:
    - When the device acts as a client, verification of the server's certificate is required to establish the TLS connection.
    - When the device acts as a server, it requires the receipt and verification of the client's certificate to establish the TLS connection.

Note:
- You can configure this feature per SIP Interface (see Configuring SIP Interfaces).
- You can change the SIPS certificate files using the [HTTPSCertFileName] and [HTTPSRootFileName] parameters.

'Peer Host Name Verification Mode'
CLI: configure network > security-settings > peer-hostname-verification-mode
ini: [PeerHostNameVerificationMode]

Description: Enables the device to verify the Subject Name of a TLS certificate received from SIP entities, for authenticating the peer and establishing TLS connections.

[0] Disable (default) = No Subject Name verification is done.
[1] Server Only = The device verifies the certificate's Subject Name only when it acts as the client of the TLS connection.
[2] Server & Client = The device verifies the certificate's Subject Name when it acts as either the server or the client of the TLS connection.

If the device receives a certificate from a SIP entity (IP Group) and the parameter is configured to Server Only or Server & Client, it attempts to authenticate the certificate based on the addresses the certificate contains:

1. If the connection was classified to a Proxy Set, the device compares the certificate's Subject Alternative Names (SANs) with the Proxy Set's addresses (IP address or FQDN). The device checks the FQDN itself and not the DNS-resolved IP addresses.
2. If a SAN matches an address, the device considers the certificate valid, establishes the TLS connection, and allows the call.
3. If there is no match and the SAN extension is marked as "critical", the device rejects the call. If there is no match and the SAN extension isn't marked as "critical", the device compares the Proxy Set's 'TLS Remote Subject Name' parameter value (or the global [TLSRemoteSubjectName] parameter) with the certificate's Common Name (CN). If they match, the device establishes the TLS connection and allows the call; otherwise, it rejects the call.

Note:
- You can configure this functionality per Proxy Set (see Configuring Proxy Sets). If configured for a Proxy Set, the Proxy Set's settings override this global parameter's settings.
- If you configure the parameter to Server & Client, configure the [SIPSRequireClientCertificate] parameter to Enable.
- For an FQDN, the certificate may use wildcards (*) to replace parts of the domain name.

'TLS Remote Subject Name'
CLI: configure network > security-settings > tls-rmt-subs-name
ini: [TLSRemoteSubjectName]

Description: Defines the Subject Name expected in the TLS certificate received from the remote side when establishing TLS connections.

When the device receives the certificate from the remote side, it validates the certificate by comparing the certificate's Subject Alternative Names (SANs) with the Proxy Set's addresses (IP address and FQDN). If a SAN matches an address, the device considers the certificate valid and establishes the TLS connection.

If there is no match and the SAN extension is marked as "critical", the device doesn't establish the TLS connection and rejects the call. If there is no match and the SAN extension isn't marked as "critical", the device compares this parameter's value with the certificate's Common Name (CN). If they match, the device establishes the TLS connection; otherwise, it doesn't establish the TLS connection and rejects the call.

The valid value is a string of up to 49 characters.

Note:
- You can configure this functionality per Proxy Set (see Configuring Proxy Sets). If configured for a Proxy Set, the Proxy Set's settings override this global parameter's settings.
- If the CN uses a domain name, the certificate can also use wildcards ('*') to replace parts of the domain name.
- The parameter is applicable only if you configure the global parameter [PeerHostNameVerificationMode] or the Proxy Set parameter 'Peer Host Name Verification Mode' to Server Only or Server & Client.
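As an added example (not AudioCodes code or the device's firmware), the following Python writes out the Subject Name decision procedure described for 'Peer Host Name Verification Mode' and 'TLS Remote Subject Name' above, so each branch (SAN match, critical SAN with no match, CN fallback, wildcard) can be exercised on constructed certificate data. The field names, the label-wide reading of the '*' wildcard and the mode/role encoding are assumptions.

```python
# Added example: the Subject Name check as the parameter descriptions describe it,
# run over constructed certificate fields (no real X.509 parsing).
from dataclasses import dataclass

DISABLE, SERVER_ONLY, SERVER_AND_CLIENT = 0, 1, 2   # [PeerHostNameVerificationMode] values


@dataclass(frozen=True)
class PeerCertificate:
    """Only the fields the procedure looks at (constructed, assumed names)."""
    common_name: str
    sans: tuple           # DNS names or IP literals from the SAN extension
    san_critical: bool    # whether the SAN extension is flagged critical


def name_matches(cert_name: str, configured: str) -> bool:
    """Case-insensitive label-by-label match. A '*' label in the certificate name
    stands for one whole label of the configured FQDN (assumption: the page only
    says '*' may replace parts of the domain name). No DNS resolution: the FQDN
    string itself is compared, as the page states."""
    c, w = cert_name.lower().split("."), configured.lower().split(".")
    return len(c) == len(w) and all(a == "*" or a == b for a, b in zip(c, w))


def verify_peer_subject(cert, proxy_addresses, tls_remote_subject_name, mode, role):
    """Return (accept, reason). role is 'client' or 'server' for this connection;
    proxy_addresses are the Proxy Set's IP addresses / FQDNs."""
    if mode == DISABLE or (mode == SERVER_ONLY and role != "client"):
        return True, "Subject Name verification not configured for this role"
    # Steps 1-2: any SAN matching any Proxy Set address validates the certificate.
    for san in cert.sans:
        for addr in proxy_addresses:
            if name_matches(san, addr):
                return True, f"SAN {san!r} matches Proxy Set address {addr!r}"
    # Step 3: no match and a critical SAN extension -> reject, CN is not consulted.
    if cert.san_critical:
        return False, "no SAN match and SAN extension is critical"
    # Non-critical SAN: fall back to CN vs. 'TLS Remote Subject Name' (empty value never matches).
    if tls_remote_subject_name and name_matches(cert.common_name, tls_remote_subject_name):
        return True, f"CN {cert.common_name!r} matches TLS Remote Subject Name"
    return False, "no SAN match and CN does not match TLS Remote Subject Name"


if __name__ == "__main__":
    cert = PeerCertificate("sbc1.carrier.example", ("*.carrier.example",), san_critical=False)
    print(verify_peer_subject(cert, ("sip.carrier.example",), "", SERVER_ONLY, "client"))
    print(verify_peer_subject(cert, ("sip.other.example",), "sbc1.carrier.example",
                              SERVER_AND_CLIENT, "server"))
```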

'TLS Client Verify Server Certificate'
CLI: configure network > security-settings > tls-vrfy-srvr-cert
ini: [VerifyServerCertificate]

Description: Enables the device, when acting as a client for TLS connections, to verify the server's certificate. The certificate is verified against the Root CA information.

[0] Disable (default)
[1] Enable

Note: If Subject Name verification is also necessary, configure the [PeerHostNameVerificationMode] parameter as well.

'TLS Expiry Check Start'
CLI: configure network > security-settings > tls-expiry-check-start
ini: [TLSExpiryCheckStart]

Description: Defines when the device sends an SNMP alarm (acCertificateExpiryAlarm) to notify that the installed TLS server certificate (of TLS Contexts) is about to expire. The value is the number of days before the certificate's expiration date. For example, if configured to 5, the alarm is sent 5 days before the expiration date. For more information on the alarm, refer to the SBC-Gateway Series SNMP Alarm Reference Guide.

The valid value is 0 to 3650. The default is 60.

'TLS Expiry Check Period'
CLI: configure network > security-settings > tls-expiry-check-period
ini: [TLSExpiryCheckPeriod]

Description: Defines the periodic interval (in days) at which the device checks the expiry date of the TLS server certificate (of TLS Contexts).

The valid value is 1 to 3650. The default is 7.