1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
|
{\rtf1\ansi\ansicpg1252\deff0\deflang1033{\fonttbl{\f0\fmodern\fprq1\fcharset0 Courier New;}{\f1\fnil\fprq1\fcharset0 Courier New;}}
{\*\generator Msftedit 5.41.15.1507;}\viewkind4\uc1\pard\b\f0\fs24 Using TLS and sipXtapi\fs20\par
\par
Introduction\par
\b0 Secure signalling in sipXtapi can be achieved by using the TLS (SSL) features. TLS has\par
been implemented using the Netscape Security Services api (NSS). More on NSS is\par
available at http://www.mozilla.org/projects/security/pki/nss/overview.html\par
\par
\b Runtime requirements\b0\par
\tab NSS binaries\par
\tab sipXtapi requires that the runtime DLLs of NSS (version 3.9) and \par
\tab NSPR (version 4.4.1) be present in the working\par
\tab directory, as siblings of the sipXtapi.dll.\par
\tab Below is the list of required DLLs:\par
\tab\tab nspr4.dll\par
\tab\tab nss3.dll\par
\tab\tab nssckbi.dll\par
\tab\tab plc4.dll\par
\tab\tab plds4.dll\par
\tab\tab sipXtapid.dll\par
\tab\tab smime3.dll\par
\tab\tab softokn3.dll\par
\tab\tab ssl3.dll\par
\tab NSS Security Database\par
\tab\tab Another requirement of the TLS feature of sipXtapi is that a valid\par
\tab\tab Certificate Database be created.\par
\tab\tab An NSS Certificate Database can be created with the certutil tool. \par
\tab\tab In addition to creating a Certificate Database, a certificate should\par
\tab\tab also be created for use as an TLS server certificate - \par
\tab\tab this certificate should also specify a "subject alternate name".\par
\tab\tab Documentation for the certutil tool can be found on:\par
\tab\tab http://www.mozilla.org/projects/security/pki/nss/tools/certutil.html\par
\par
\b Enabling TLS\par
\tab\b0 TLS can be enabled by passing some parameters to the sipxInitialize function:\par
\tab TLS Port\tab - Specifying a port value other than SIPX_PORT_DISABLE will\par
\tab\tab\tab cause sipXtapi to attempt to load the NSS runtime binaries and \par
\tab\tab\tab will attempt to create a TLS server on that port.\par
\tab TLSCertificateNickname - Nickname of the certificate to use as an SSL server.\par
\tab TLSCertificatePassword - Password for the certificate database.\par
\tab DbLocation \tab - Path to the certificate database.\par
\tab\tab\tab\b\par
Identities and URIs\par
\tab\b0 Remote parties can be called with TLS signalling in two ways:\par
\tab Transport Tag - \tab Append the tag "transport=tls" to the URI. For example,\par
\tab\tab\tab\tab <sip:115@pingtel.com:5061;transport=tls>\par
\tab\tab\tab\tab The port value should be included, unless the DNS SRV lookup \par
\tab\tab\tab\tab returns the correct port value for TLS.\par
\tab SIPS Scheme - \tab Use the "sips:" scheme instead of "sip:". For example,\par
\tab\tab\tab\tab <sips:115@pingtel.com:5061>\b\par
\par
Event Callbacks\b0\par
\tab When placing or receiving a call over TLS, it is the application's responsibility\par
\tab to either accept or reject the remote party's certificate. The application does\par
\tab this by returning either true (to accept), or false (to reject) from the event\par
\tab callback, when it receives a SECURITY_TLS event with the cause code of\par
\tab\f1 SECURITY_CAUSE_TLS_SERVER_CERTIFICATE. In the info structure for this event,\par
\tab is the certificate pointer (NSS function calls are available for verifying the\par
\tab CA chain), the call handle, and the server's subject alternate name. This\par
\tab information should be sufficient in order to determine whether to accept or\par
\tab to reject the certificate.\f0\par
\par
}
�
|
