TLS for SIP Clients
When Secure SIP (SIPS) is implemented using TLS, it is sometimes required to use two-way (mutual) authentication between the device and a SIP user agent (client). When the device acts as the TLS server in a specific connection, the device demands the authentication of the SIP client’s certificate. Both the device and the client use certificates from a CA to authenticate each other, sending their X.509 certificates to one another during the TLS handshake. Once the sender is verified, the receiver sends its' certificate to the sender for verification. SIP signaling starts when authentication of both sides completes successfully.
TLS mutual authentication can be configured for calls by enabling mutual authentication on the SIP Interface associated with the calls. The TLS Context associated with the SIP Interface or Proxy Set belonging to these calls are used.
SIP mutual authentication can also be configured globally for all calls, using the 'TLS Mutual Authentication' (SIPSRequireClientCertificate) parameter (see Configuring TLS for SIP).
|
➢
|
To configure mutual TLS authentication for SIP messaging: |
|
1.
|
Enable two-way authentication on the specific SIP Interface: In the SIP Interfaces table (see Configuring SIP Interfaces), configure the 'TLS Mutual Authentication' parameter to Enable for the specific SIP Interface. |
|
2.
|
Configure a TLS Context with the following certificates: |
|
●
|
Make sure that the TLS certificate is signed by a CA that the SIP client trusts so that the client can authenticate the device. |