[OpenSIPS-Users] tls algorithms

Michael Schloh von Bennewitz osipslist at encambio.com
Thu Jan 31 20:32:43 CET 2013


Hello Ajish,

On Tues., Jan. 30, 2013, Ajish ZACHARIAS wrote:
>Hi, I want to develop a VoIP application, and in it I want to implement
>TLS. I am using OpenSIPS 1.4. I want to know how I can generate a
>certificate, and also whether I can use proprietary algorithms in TLS. If
>possible, kindly tell me how to integrate proprietary algorithms in TLS.
>
I know that it's no answer to your question, but wouldn't it be
sensible to use a more modern release of OpenSIPS? 1.4 is quite old,
and there have been quite some improvements and corrections to the
TLS transport since then.

In any case, I'm using the TLS transport almost exclusively
with OpenSIPS 1.7.2 (which is old also) and it works well.

I made the certificate request like this:

  $ openssl req -nodes -days 1460 -new -newkey rsa:4096 -keyout hostname-rsa-4096-key.pem -out hostname-rsa-4096-csr.pem

...but I would recommend that you start with a 1024 bit cert
(replace 4096 with 1024 in the command) since some devices
(telephones) can't exchange 4096 bit keys. You also might
want to adjust the '-days' parameter to suit your needs.

If you upgrade to a newer OpenSIPS (maybe 1.6 or newer) then you
have access to the following:

  $ sudo opensipsctl tls

...which might be easier for you to use.

Then either sign the certificate request 'hostname-rsa-4096-csr.pem'
with your own certificate authority root cert (see OpenSSL docs
about this) or upload it to a foreign certificate authority to sign.

Then use the certificate that the CA returns like this:

disable_tls       = 0
tls_method        = TLSv1

tls_ciphers_list  = "HIGH:MEDIUM:!ADH"  # openssl ciphers -v HIGH:MEDIUM
tls_certificate   = "hostname-rsa-4096-crt.pem"
tls_private_key   = "hostname-rsa-4096-key.pem"
tls_ca_list       = "public-ca.crt.pem"

listen = udp:sip.myhostname.com:5060
listen = tcp:sip.myhostname.com:5060
listen = tls:sip.myhostname.com:5061

That's a good enough start. Try it out and report how far you get.

Regards,
Michael
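Signing the request with your own CA root, which the message above leaves to the OpenSSL docs, as an added example that is not part of the original post: it creates a private CA, issues a key and CSR with the same command shape as the post, signs the CSR, and verifies the resulting chain. The CA name, the hostname sip.example.com and the 2048-bit key size are placeholders chosen for the demo (the post uses 4096 or 1024).

```shell
#!/bin/sh
# Added example, not from the original post. Assumes openssl is on PATH;
# "Example SIP CA", the hostname and the key size are placeholder values.
set -eu

# make_signed_cert <workdir> <hostname> <bits>
# Writes <hostname>-rsa-<bits>-key.pem / -csr.pem / -crt.pem plus ca-crt.pem
# into <workdir>, mirroring the file names used in the post.
make_signed_cert() {
  dir=$1; host=$2; bits=$3
  mkdir -p "$dir"
  # 1. Private CA root (self-signed) that will sign the server request.
  openssl req -x509 -nodes -days 1460 -newkey "rsa:$bits" \
    -subj "/CN=Example SIP CA" \
    -keyout "$dir/ca-key.pem" -out "$dir/ca-crt.pem" 2>/dev/null
  # 2. Server key and CSR, the same command as in the post (CN = SIP hostname).
  openssl req -nodes -days 1460 -new -newkey "rsa:$bits" \
    -subj "/CN=$host" \
    -keyout "$dir/$host-rsa-$bits-key.pem" \
    -out "$dir/$host-rsa-$bits-csr.pem" 2>/dev/null
  # 3. Sign the CSR with the CA key; this yields the file tls_certificate points at.
  openssl x509 -req -days 1460 -in "$dir/$host-rsa-$bits-csr.pem" \
    -CA "$dir/ca-crt.pem" -CAkey "$dir/ca-key.pem" -CAcreateserial \
    -out "$dir/$host-rsa-$bits-crt.pem" 2>/dev/null
  # 4. Check the chain against the CA, as a peer with the CA in tls_ca_list would.
  openssl verify -CAfile "$dir/ca-crt.pem" "$dir/$host-rsa-$bits-crt.pem" >/dev/null
}

# cert_cn <cert.pem>: print the subject CN of an issued certificate
# (works with both the "CN = x" and "/CN=x" subject formats).
cert_cn() {
  openssl x509 -in "$1" -noout -subject | sed 's/.*CN *= *//'
}
```

Point tls_certificate and tls_private_key at the -crt.pem and -key.pem files, and tls_ca_list at ca-crt.pem, and phones that trust the same CA will accept the listener on port 5061.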


