From 938b38b1ea8d2a271c833cda4a8db59d53aa317b Mon Sep 17 00:00:00 2001 From: iplahte Date: Mon, 11 Nov 2024 20:45:11 -0700 Subject: [PATCH] Security config updates --- sipXwiki/security.rst | 31 ++++++++++++++++++++++--------- 1 file changed, 22 insertions(+), 9 deletions(-) diff --git a/sipXwiki/security.rst b/sipXwiki/security.rst index a95e8f4096..45c81de721 100644 --- a/sipXwiki/security.rst +++ b/sipXwiki/security.rst 
@@ -4,25 +4,38 @@ Security =================== -sipXcom supports both secure signaling (TLS) and encrypted media (SRTP) for both trunks and extensions. +sipXcom supports a secure web interface, secure trunking and secure extensions via standard HTTPS, TLS, and SRTP protocols. + +Certificates +---------------------- + +SSL certificates for sipXcom are configured under Settings - Security - Certificates. + +Here you can enable a Let's Encrypt service that automatically generates and installs a valid SSL web certificate. Let's Encrypt certificates are authorized by the Internet Security Research Group (ISRG Root X1). +You may also import your own web certificates. + +sipXcom also supports both secure signaling (TLS) and encrypted media (SRTP) for both trunks and extensions. +If you want to use SRTP for encrypted media, you must ensure all endpoints connected to sipXcom support SRTP, or calls may fail to connect. + +.. note:: + * The Let's Encrypt web certificate is reused in the sipXcom built in SBC used for SIP trunking. + * SIP extensions use automatically generated and auto-provisioned self-signed SSL certs. -If you want to use SRTP for encrypted media, you must ensure ALL endpoints connected to sipXcom support SRTP, or calls may fail to connect. Secure Trunking ---------------------- -sipXcom supports secure trunking in its internal SBC on port 5081. +sipXcom supports secure trunking for its built in SBC on port 5081. These are the sipXcom config changes required to enable secure trunking for both signaling (TLS) and media (SRTP): - Under Gateway configuration, select TLS as transport protocol and connect to the ITSP using a security enabled port such as 5061. -- The remote ITSP should connect to port 5081 on sipXcom. +- The remote ITSP should be configured to connect secure trunks to port 5081 on sipXcom. -- Under System - Services - Media Services - Server check Secure RTP if you want to encrypt media with SRTP. 
+- Under System - Services - Media Services - Server check Secure RTP if you want to encrypt all media with SRTP. .. note:: - * The Letsencrypt Web SSL security certs under Security settings are automatically reused for the internal SBC. * The sipXcom SBC supports SDES type SRTP media negotiations, not DTLS as is common with WebRTC. To test you have a valid public SSL cert on your SBC port 5081, run the following command: @@ -41,11 +54,11 @@ Extensions may also connect securely to sipXcom's SIP proxy on port 5061 (defaul - E.g. for Polycoms, under Security, select both Enable SRTP and Require SRTP .. note:: - * Unlike secure trunking, extensions use self-signed SSL certs as configured under SIP certs under Security settings. - * This means SIP extensions must have SSL cert validity checks disabled. + * Since SIP extension certificates are self generated, IP phones using TLS must have SSL cert validity checks disabled. To check port 5061 is enabled to receive TLS connections, you may run the following command: -* .. code-block:: bash + + .. code-block:: bash openssl s_client -connect :5081
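Review bot: In the first hunk (@@ -4,25 +4,38 @@) the new Certificates note says only that "The Let's Encrypt web certificate is reused in the sipXcom built in SBC used for SIP trunking", so a reader who takes the other path offered two lines earlier ("You may also import your own web certificates") cannot tell which certificate port 5081 will present; state the behaviour for both cases, e.g. "The active web certificate, whether issued by Let's Encrypt or imported, is also served by the built-in SBC on port 5081" if that is what the code does. Two smaller points in the same hunk: "Let's Encrypt certificates are authorized by the Internet Security Research Group (ISRG Root X1)" conflates the organisation with its root certificate; "Let's Encrypt is operated by the Internet Security Research Group (ISRG) and its certificates chain to the ISRG Root X1 root" is the accurate form. And the Let's Encrypt paragraph gives no prerequisite at all; one sentence saying that the sipXcom host name must be publicly resolvable and reachable for the ACME validation to succeed would save readers on internal-only deployments from enabling a service that cannot work for them. "built in SBC" should be "built-in SBC" in both places it appears.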
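Review bot: In the second hunk (@@ -41,11 +54,11 @@) the verification command still contradicts its own lead-in: the text says "To check port 5061 is enabled to receive TLS connections" but the unchanged context line reads "openssl s_client -connect :5081", which targets the SBC trunk port rather than the extension proxy port and has no host in front of the colon. Change it to "openssl s_client -connect <host>:5061", and since the extension certificates are self-signed, add that a certificate verification error from s_client is expected there and does not mean the port is closed. Separately, the rewritten note "Since SIP extension certificates are self generated, IP phones using TLS must have SSL cert validity checks disabled" drops the pointer the removed line carried to where those certificates are managed ("SIP certs under Security settings"), and it tells the reader to switch off certificate validation without stating what that costs: a phone that does not validate the proxy certificate will complete a TLS handshake with any endpoint that answers on 5061, so the signalling can be intercepted on the path. Keep the location reference, and either document how to install the sipXcom SIP signing certificate on the phones so validation can stay enabled, if the product supports that, or say plainly that disabling validation trades MITM resistance for interoperability. The bullet fix ("-* .. code-block:: bash" to "+ .. code-block:: bash") is correct; make sure the openssl line is indented under the directive so the RST renders it as a code block.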