SIP over TLS

1. Description

By default, most SIP devices use SIP over UDP as their main protocol, but some SIP devices and VoIP systems require SIP over TLS, especially some enterprise unified communication servers.

MSS V13.1 and later versions support SIP over UDP, TCP and TLS. The network topology can look like the following:

MSS network topology with SIP over UDP, TCP and TLS

At this time, MSS supports TLS only for local users (SIP phones). That means you cannot configure "SIP server" or "External lines" with SIP over TLS.

2. Configuration

You only need to tell MSS to load your own certificate file and private key file. Both files must be in PEM format. The certificate file must be renamed to 'server.crt' and the private key file must be renamed to 'server.key'. They should be saved in the sub-directory 'cert'.

For example, if you are using the Windows version and MSS is installed in the 'D:/myvoipapp/minisipserver' directory, you must save your certificate file as 'D:/myvoipapp/minisipserver/cert/server.crt' and your private key file as 'D:/myvoipapp/minisipserver/cert/server.key'.

If you are using the Ubuntu/Linux version and MSS is installed in the '/opt/sipserver/' directory, your certificate file should be saved to '/opt/sipserver/cert/server.crt' and your private key file should be saved to '/opt/sipserver/cert/server.key'.

After that, please restart MSS. If everything is OK, MSS shows SIP-TLS information in the main window. SIP phones can then use your CA file to work with MSS over TLS.

3. F.A.Q
Q1: Can I use another TCP port to start TLS?

By default, MSS uses the standard TCP port 5061 for TLS, but you can change it to any other port you wish, for example 5062. In the MSS main window, click menu "Data / System / SIP", then configure the 'TLS port' item. After that, remember to restart MSS to enable the new port. Please refer to the following figure.

TLS port in system configuration

Q2: Can I use my own self-signed certificate file?

Sure, you can. In fact, we also do that in our lab. Note that you need to configure your MSS IP address or domain name as the "common name" when you create your own self-signed files. In addition, your SIP phones must use your own CA file.
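
The following is an added example, not part of the MSS documentation: shell functions that create a self-signed pair as described in Q2 and check the rules from section 2 (files named 'server.crt' and 'server.key', PEM format, matching key, common name) before MSS is restarted. The function names, the return codes and the use of an unencrypted RSA key are assumptions; the `openssl` command-line tool must be installed.

```shell
#!/bin/sh
# Added example, not part of MSS. Needs the openssl command-line tool.

# Create a self-signed pair in DIR with HOST as the common name.
# Assumption: MSS expects an unencrypted private key, hence -nodes.
make_selfsigned() {
    dir=$1 host=$2
    mkdir -p "$dir" || return 1
    ( umask 077   # new key file is readable by its owner only
      openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
          -subj "/CN=$host" \
          -keyout "$dir/server.key" -out "$dir/server.crt" 2>/dev/null )
}

# Return 0 if DIR holds a usable pair for HOST, otherwise:
# 2 file missing, 3 not readable PEM, 4 key/certificate mismatch,
# 5 common name differs from HOST, 6 certificate expired.
check_mss_cert() {
    crt=$1/server.crt key=$1/server.key host=$2
    [ -f "$crt" ] && [ -f "$key" ] ||
        { echo "server.crt or server.key is missing" >&2; return 2; }
    # Require PEM armour, then make openssl parse both files.
    grep -q -e '-----BEGIN CERTIFICATE-----' "$crt" &&
        grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$key" &&
        openssl x509 -in "$crt" -noout 2>/dev/null &&
        openssl pkey -in "$key" -passin pass: -noout 2>/dev/null ||
        { echo "certificate or key is not readable PEM" >&2; return 3; }
    # The public key inside the certificate must be the key's own.
    crt_pub=$(openssl x509 -in "$crt" -noout -pubkey)
    key_pub=$(openssl pkey -in "$key" -passin pass: -pubout)
    [ "$crt_pub" = "$key_pub" ] ||
        { echo "private key does not match certificate" >&2; return 4; }
    cn=$(openssl x509 -in "$crt" -noout -subject -nameopt RFC2253 |
         sed -n 's/.*CN=\([^,]*\).*/\1/p')
    [ "$cn" = "$host" ] ||
        { echo "common name '$cn' is not '$host'" >&2; return 5; }
    openssl x509 -in "$crt" -noout -checkend 0 >/dev/null ||
        { echo "certificate has expired" >&2; return 6; }
    return 0
}
```

On the Linux layout above, `check_mss_cert /opt/sipserver/cert <MSS IP or domain>` run before the restart reports which rule a rejected pair breaks.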