SIP over TLS

1. Description

By default, most SIP devices use SIP over UDP as their main protocol, but for some other SIP devices or VoIP system, they require SIP over TLS, specially for some enterprise unified communication servers.

miniSIPServer V13.1 or above versions can support SIP over UDP/TCP/TLS. The network topology can be following type:

miniSIPServer network topology with SIP over UDP, TCP and TLS

At this time, miniSIPServer can only support local users (SIP phones) with TLS. That means you can not configure "SIP server" or "External lines" with SIP over TLS.

By default, miniSIPServer only uses TLSv1.2 method at this time. SSLv2, SSLv3, TLSv1 and TLSv1.1 have been discarded. Please make sure of your SIP phones can support TLSv1.2. In future, we will enable TLSv1.3 and other more safer methods.

2. Configuration

You only need indicate miniSIPServer to load your own certificate file and private key file. Both these files must be PEM format. Certificate file must be renamed to 'server.crt' and private key file must be renamed to 'server.key'. They should be saved in the 'siptlsCert' subdirectory which can be found in AppData directory.

For example, if you are using Windows version and miniSIPServer AppData directory is 'C:\Users\your_name\AppData\Roaming\minisipserver' directory. Then you must save your certificate file to be 'C:\Users\your_name\AppData\Roaming\minisipserver\siptlsCert\server.crt', and priviate file should be saved to be 'C:\Users\your_name\AppData\Roaming\minisipserver\siptlsCert\server.key'.

If you are using Ubuntu/Linux version, miniSIPServer AppData directory is '/home/your_name/.minisipserver'. Then your certificate file should be saved to be '/home/your_name/.minisipserver/siptlsCert/server.crt' and private key file should be saved to be '/home/your_name/.minisipserver/siptlsCert/server.key'.

After that, please restart miniSIPServer. If everything is ok, miniSIPServer should prompt SIP-TLS port information in its main window.

3. F.A.Q
Q1: Can I use another TCP port to start TLS?

By default, miniSIPServer use standard TCP port 5061 to start TLS, but you are still able to change this port to any others you wish, for example 5062. In the miniSIPServer main window, please click menu "Data / System / SIP", then configure 'TLS port" item. After that, please remember to restart miniSIPServer to enable new port. Please refer to following figure.

TLS port in system configuration
Q2: Can I use my own self-signed certificate files?

Sure, you can. In fact, we also do that in our lab. We need mention that you need configure your miniSIPServer IP address or domain name as "common name" when you create your own self-signed files.

We usually use openSSL to create all necessary certificate files, please refer to following commands.

(1) openssl genrsa -out server.key 2048
(2) openssl req -new -key server.key -out server.csr
(3) openssl x509 -req -days 3650 -in server.csr -signkey server.key -out server.crt     
Q3: Please suggest a SIP phone with SIP over TLS

We strongly suggest microSIP. Please click here to visit its website to get more details.

It is quite easy to register microSIP to miniSIPServer with SIP over TLS. For example, here is a demo miniSIPServer in our lab.

server address:
TLS port: 5061
Local user name: 101

Please refer to following figure for the details of microSIP configuration.

SIP over TLS configuration in microSIP

In "Q1", we have changed the TLS port to 5062 which is not the default TLS port, then we must indicate it very clearly in microSIP configuration. Please refer to following figure.

SIP over TLS with special port configuration in microSIP

If microSIP registers to miniSIPServer successfully, its icon will have a special lock flag.

microSIP works on SIP over TLS