Starting from Sippy2021, a UI for setting up TLS traffic processing is available. To use this feature, the version of OpenSIPS used by the Environment must be >=3.1.


More background information on TLS can be found on Wikipedia, for example.

Note: the general setup of Authentication and Termination in Sippy is out of scope for this document. If needed, see the System Concepts section, e.g. https://support.sippysoft.com/a/solutions/articles/77553


Authorization of incoming TLS calls

To authenticate incoming TLS traffic, a TLS certificate together with the required TLS method must be assigned to the selected Network Listener (IP:port) on the Incoming SIP TLS Connections page:

By default, TCP port 5061 on all IP addresses assigned to the Environment accepts incoming TLS traffic.

All external TLS communication of the Environment is handled only by OpenSIPS ports; it is not possible to send an outgoing INVITE over TLS from the B2BUA port.


1. Make sure that the IP address of the traffic originator is allowed in the SIP/TLS section of System Management - System Parameters - IP Firewall:

2. Then add the new TLS certificate from System Management - System Parameters - SSL Certificates.

Note: the certificate must be valid; an expired certificate cannot be used to establish a TLS connection.

3. Now assign the added certificate in System Management - System Parameters - Incoming SIP TLS Connections.


4. Changes are applied in about a minute; after that a test call can be sent through this vendor.

5. Sippy Softswitch requires the CA certificate from the caller, so it must be configured on the caller's end.




Terminating an outgoing call to a Vendor via TLS

1. Make sure that the IP address of the traffic receiver (Vendor) is allowed in the SIP/TLS section of System Management - System Parameters - IP Firewall:


2. Then add the new TLS certificate from System Management - System Parameters - SSL Certificates.

Note: the certificate must be valid; an expired certificate cannot be used to establish a TLS connection.


3. Optionally, a CA list can be added containing the root certificate that the previously added SSL certificate chains to. It is used to additionally verify the Vendor's SSL certificate against the certificate of a trusted CA. CA lists are added from System Management - System Parameters - CA Lists.


4. Now open the Vendors - My Vendors - Vendors page, choose the required Vendor and click the Open Connections button, then either create a new Connection or adjust an existing one:


5. Set Protocol = SIP/TLS, then press Save and Close to return to the list of Connections:



6. Choose SIP TLS Options from the Connection's Advanced Preferences:


7. Specify the SSL Certificate added in step 2, the CA List if needed, and choose the required TLS Method.


8. Changes are applied in about a minute; after that a test call can be sent through this Vendor.


Scenario with Registered UA

In versions >=2021 a new setting was added to the menu: System Vendor - System Connection - SIP TLS Options.

It allows setting up the Certificate, CA list and TLS Method for the System vendor - System connection that is used in the Registered UA scenario. This is an Environment-wide setting available under System Management - System Parameters.


Example of generating a TLS root certificate (CA list), client certificate and key

$ mkdir /var/tmp/123
$ cd /var/tmp/123
$ /usr/local/bin/openssl req -x509 -sha256 -days 356 -nodes -newkey rsa:2048 -subj "/CN=test.domain.com/C=US/L=San Fransisco" -keyout ca_test.domain.com.key -out ca_test.domain.com.crt
Generating a RSA private key
.................................................+++++
...+++++
writing new private key to 'ca_test.domain.com.key'
-----
$ /usr/local/bin/openssl genrsa -out server.key 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
...........................+++++
..............+++++
e is 65537 (0x010001)
$ cat > csr.conf <<EOF
[ req ]
default_bits = 2048
prompt = no
default_md = sha256
req_extensions = req_ext
distinguished_name = dn

[ dn ]
C = US
ST = California
L = San Fransisco
O = TestHub
OU = TestHub Dev
CN = test.domain.com

[ req_ext ]
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = test.domain.com
DNS.2 = www.test.domain.com

EOF
$ /usr/local/bin/openssl req -new -key server.key -out server.csr -config csr.conf
$ cat > cert.conf <<EOF

authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names

[alt_names]
DNS.1 = test.domain.com

EOF
$ /usr/local/bin/openssl x509 -req -in server.csr -CA ca_test.domain.com.crt -CAkey ca_test.domain.com.key -CAcreateserial -out server.crt -days 365 -sha256 -extfile cert.conf
Signature ok
subject=C = US, ST = California, L = San Fransisco, O = TestHub, OU = TestHub Dev, CN = test.domain.com
Getting CA Private Key
$ ls
ca_test.domain.com.crt  ca_test.domain.com.srl  csr.conf                server.csr
ca_test.domain.com.key  cert.conf               server.crt              server.key

After following the steps above, ca_test.domain.com.crt should be added to CA Lists, while server.crt and server.key should be added to SSL Certificates.

The SSL Certificate entity and CA List entity can then be used in the TLS setup as described above.
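Before uploading the files, it is worth checking that they satisfy what the setup above relies on: the key belongs to the certificate, the certificate is not expired (an expired one is rejected, as noted in step 2), and it chains to the CA certificate that will become the CA List. The following script is an added example and not part of Sippy Softswitch; it assumes only that openssl is in PATH and takes the CA certificate, the server certificate and the server key as arguments.

```shell
#!/bin/sh
# Pre-upload sanity check for a CA list / SSL certificate pair (added example, not Sippy's tooling).
# Usage: check_cert_bundle CA_CRT SERVER_CRT SERVER_KEY
# Returns 0 only if every check passes; prints the first failing check otherwise.
set -eu

check_cert_bundle() {
    ca="$1"; crt="$2"; key="$3"

    # 1. The private key must belong to the certificate: compare the public keys
    #    (SubjectPublicKeyInfo in PEM form) derived from each file.
    crt_pub=$(openssl x509 -in "$crt" -noout -pubkey)
    key_pub=$(openssl pkey -in "$key" -pubout)
    [ "$crt_pub" = "$key_pub" ] \
        || { echo "FAIL: $key does not match $crt"; return 1; }

    # 2. The certificate must be valid now and not expire within 7 days (604800 s),
    #    otherwise the TLS connection will not be established.
    openssl x509 -in "$crt" -noout -checkend 604800 >/dev/null \
        || { echo "FAIL: $crt is expired or expires within 7 days"; return 1; }

    # 3. The certificate must chain to the CA certificate that will be uploaded
    #    as the CA List; this is the same verification the CA List is used for.
    openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1 \
        || { echo "FAIL: $crt does not chain to $ca"; return 1; }

    # 4. The uploaded SSL certificate must be a leaf (CA:FALSE, as set in cert.conf),
    #    not a CA certificate accidentally picked instead of server.crt.
    if openssl x509 -in "$crt" -noout -text | grep -q 'CA:TRUE'; then
        echo "FAIL: $crt is a CA certificate, not a server certificate"; return 1
    fi

    echo "OK: $crt matches $key and chains to $ca"
}

# Example invocation on the files produced by the steps above:
# check_cert_bundle ca_test.domain.com.crt server.crt server.key
```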