MYVOIPAPP

SIP over TLS

1. Description

By default, most SIP devices use SIP over UDP as their main protocol, but some SIP devices and VoIP systems require SIP over TLS, especially some enterprise unified communication servers.

MSS V13.1 and later versions support SIP over UDP, TCP and TLS. The network topology can be of the following type:

MSS network topology with SIP over UDP, TCP and TLS

At this time, MSS supports TLS only for local users (SIP phones). That means you cannot configure "SIP server" or "External lines" with SIP over TLS.

At this time, MSS uses only TLSv1.2 by default. SSLv2, SSLv3, TLSv1 and TLSv1.1 have been discarded. Please make sure that your SIP phones support TLSv1.2. In the future, we will enable TLSv1.3 and other safer methods.

2. Configuration

You only need to tell MSS to load your own certificate file and private key file. Both files must be in PEM format. The certificate file must be renamed to 'server.crt' and the private key file must be renamed to 'server.key'. They should be saved in the sub-directory 'cert'.

For example, if you are using the Windows version and MSS is installed in the 'D:/myvoipapp/minisipserver' directory, then you must save your certificate file as 'D:/myvoipapp/minisipserver/cert/server.crt' and your private key file as 'D:/myvoipapp/minisipserver/cert/server.key'.

If you are using the Ubuntu/Linux version and MSS is installed in the '/opt/sipserver/' directory, then your certificate file should be saved as '/opt/sipserver/cert/server.crt' and your private key file as '/opt/sipserver/cert/server.key'.

After that, please restart MSS. If everything is OK, MSS should display SIP-TLS information in the main window. SIP phones can then use your CA file to work with MSS over TLS.

3. F.A.Q
Q1: Can I use another TCP port to start TLS?

By default, MSS uses the standard TCP port 5061 for TLS, but you can change this port to any other you wish, for example 5062. In the MSS main window, click the menu "Data / System / SIP", then configure the "TLS port" item. After that, remember to restart MSS to enable the new port. Please refer to the following figure.

TLS port in system configuration
Q2: Can I use my own self-signed certificate files?

Sure, you can. In fact, we also do that in our lab. Note that you need to configure your MSS IP address or domain name as the "common name" when you create your own self-signed files.

We usually use OpenSSL to create all the necessary certificate files. Please refer to the following commands.

openssl genrsa -out server.key 2048
openssl req -new -key server.key -out server.csr
openssl x509 -req -days 3650 -in server.csr -signkey server.key -out server.crt
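
The shell functions below are an added example, not part of the MSS documentation. They run the three openssl commands from Q2 non-interactively (setting the common name with `-subj`) and then check the conditions from section 2 and Q2 before MSS is restarted. The function names `make_selfsigned` and `check_mss_cert` are hypothetical, and the directory and address are supplied by the caller.

```shell
#!/bin/sh
# Added example (not MSS code). Function names are hypothetical.

# The three openssl commands from Q2, made non-interactive with -subj so the
# common name is set explicitly. $1 = cert directory, $2 = MSS IP or domain.
make_selfsigned() {
    mkdir -p "$1" &&
    openssl genrsa -out "$1/server.key" 2048 2>/dev/null &&
    openssl req -new -key "$1/server.key" -subj "/CN=$2" -out "$1/server.csr" &&
    openssl x509 -req -days 3650 -in "$1/server.csr" \
        -signkey "$1/server.key" -out "$1/server.crt" 2>/dev/null
}

# Pre-flight check before restarting MSS. Prints the finding, returns 0 if ok.
# $1 = cert directory, $2 = address the SIP phones use to reach MSS.
check_mss_cert() {
    crt="$1/server.crt"; key="$1/server.key"
    # MSS loads exactly these two file names from the 'cert' sub-directory.
    [ -f "$crt" ] && [ -f "$key" ] || { echo "missing file"; return 1; }
    # Both files must be PEM (text armor), not DER or PKCS#12.
    grep -q -e '-----BEGIN CERTIFICATE-----' "$crt" &&
    grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$key" ||
        { echo "not PEM"; return 2; }
    # The key must belong to the certificate: compare the two public keys.
    pub_crt=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null)
    pub_key=$(openssl pkey -in "$key" -passin pass: -pubout 2>/dev/null)
    [ -n "$pub_crt" ] && [ "$pub_crt" = "$pub_key" ] ||
        { echo "key does not match certificate"; return 3; }
    # The common name must be the MSS IP address or domain name (Q2).
    subj=$(openssl x509 -in "$crt" -noout -subject -nameopt RFC2253 |
           sed 's/^subject= *//')
    case ",$subj," in
        *",CN=$2,"*) ;;
        *) echo "common name is not $2"; return 4 ;;
    esac
    # Reject a certificate that has expired or expires within 24 hours.
    openssl x509 -in "$crt" -noout -checkend 86400 >/dev/null ||
        { echo "expired or expiring"; return 5; }
    echo "ok"
}
```

Some TLS clients match the server address against subjectAltName rather than the common name; this check covers only the common-name requirement stated in Q2.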
        
Q3: Please suggest a SIP phone with SIP over TLS

We strongly suggest microSIP. Please visit its website for more details.

It is quite easy to register microSIP to miniSIPServer with SIP over TLS. For example, here is a demo miniSIPServer in our lab.

server address: 192.168.3.16
TLS port: 5061
Local user name: 101
        

Please refer to the following figure for the details of the microSIP configuration.

SIP over TLS configuration in microSIP

In "Q1", we changed the TLS port to 5062, which is not the default TLS port, so the port must be specified explicitly in the microSIP configuration. Please refer to the following figure.

SIP over TLS with special port configuration in microSIP

If microSIP registers to miniSIPServer successfully, its icon will have a special lock flag.

microSIP works on SIP over TLS