TLS

 

Overview

Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL), are cryptographic protocols that provide communications security over a computer network.
The Transport Layer Security protocol aims primarily to provide privacy and data integrity between two communicating computer applications.
There are slight differences between SSL 3.0 and TLS 1.0, but the protocol remains substantially the same.
TLS supports many different methods for exchanging keys, encrypting data, and authenticating message integrity.

VEGA supports Transport Layer Security (TLS) to secure the signalling between the VEGA and its peer.

NOTE: VEGA must have a TLS license in order to support TLS/HTTPS functionality.

Configuration

VEGA should use “TLS” as the signalling transport to ensure secure signalling with the remote end.
This is done by configuring the Transport option in “SIP Profile” under the “SIP Tab” of the “Expert Config Section” (i.e. Expert Config -> SIP -> SIP Profile) as shown below:

Now, edit the "Transport" option within "SIP Profile Configuration" (i.e. SIP Profile Configuration -> Transport) as shown below:

Further TLS configuration on VEGA is divided into two sections:

  1. TLS Port Configuration

  2. Creating and Uploading TLS Certificate

TLS Port Configuration

TLS port configuration is found in “SIP Configuration” under the “SIP Tab” of the “Expert Config Section” (i.e. Expert Config -> SIP -> SIP Configuration, then edit Local SIP TLS Port) as shown below:

By default, the SIP TLS port is configured as “5061”, but it can be changed depending upon the requirement.

Creating and Uploading TLS Certificate

By default, VEGA has an inbuilt self-signed certificate to ensure secure signalling between VEGA and the remote end. A new certificate and key can be uploaded to VEGA as required.
There are three different TLS-related files that can be uploaded to VEGA:

  1. VEGA Certificate File

  2. VEGA Key File

  3. CA/Root Certificate File

If a CA/Root certificate file is uploaded to VEGA, VEGA will start verifying the remote end's certificate in order to establish a successful handshake.

Create TLS Certificate

To create a TLS certificate, the free version of the Simple Authority CA management tool can be used. It is available from http://simpleauthority.com/download.html

How to configure your CA and issue a certificate is explained here:
Alternatively, the TLS certificate can be created using OpenSSL.

 

Important Note

  1. If a server certificate is provided, the server certificate file uploaded to VEGA must contain only the server certificate (no other certificate may be bundled with the server certificate).

  2. If a server key is provided, the server key file uploaded to VEGA must contain only the key.

  3. The root file uploaded to VEGA must contain the root certificate.
    The root certificate must be bundled with any intermediate certificates that are present or provided by the customer (the bundled certificate file must not contain the server certificate or the server key).
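
The three rules above can be checked before the files are uploaded. The following Python sketch is an added example, not Sangoma code: it only inspects PEM block labels and bodies, the function names are hypothetical, and the sample blocks are constructed placeholders rather than real certificates or keys.

```python
import base64
import re

# One PEM block: captures the label and the base64 body.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL)

def pem_blocks(text):
    """Return [(label, body without whitespace), ...] for every PEM block in text."""
    return [(label, "".join(body.split())) for label, body in PEM_BLOCK.findall(text)]

def check_upload_set(cert_pem, key_pem, root_pem):
    """Hypothetical pre-upload check; returns a list of problems (empty means OK)."""
    problems = []
    cert, key, root = pem_blocks(cert_pem), pem_blocks(key_pem), pem_blocks(root_pem)
    # Rule 1: the certificate file holds the server certificate and nothing else.
    if [label for label, _ in cert] != ["CERTIFICATE"]:
        problems.append("certificate file must contain exactly one CERTIFICATE block")
    # Rule 2: the key file holds the key and nothing else.
    if len(key) != 1 or not key[0][0].endswith("PRIVATE KEY"):
        problems.append("key file must contain exactly one private key block")
    # Rule 3: the root file holds root plus intermediates, never a key ...
    if not root or any(label != "CERTIFICATE" for label, _ in root):
        problems.append("root file must contain only CERTIFICATE blocks")
    # ... and never the certificate that is uploaded as the server certificate.
    uploaded = {body for _, body in cert}
    if any(body in uploaded for _, body in root):
        problems.append("root file must not contain the server certificate")
    return problems

def fake_pem(label, payload):
    """Constructed placeholder block: PEM framing only, not a real certificate or key."""
    body = base64.b64encode(payload).decode()
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"

SERVER = fake_pem("CERTIFICATE", b"constructed server certificate")
INTERMEDIATE = fake_pem("CERTIFICATE", b"constructed intermediate certificate")
ROOT = fake_pem("CERTIFICATE", b"constructed root certificate")
KEY = fake_pem("PRIVATE KEY", b"constructed server key")

if __name__ == "__main__":
    print(check_upload_set(SERVER, KEY, INTERMEDIATE + ROOT))           # correct layout
    print(check_upload_set(SERVER + INTERMEDIATE, KEY, ROOT + SERVER))  # mis-bundled
```

The check looks only at how the files are bundled; it does not validate the certificate chain or confirm that the key matches the certificate.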

 

Upload Certificate/Key

The option to upload a TLS certificate/key to VEGA is found in the “System Tab” under the “Expert Config Section” (i.e. Expert Config -> System, then edit Upload/Download Files) as shown below:

Once the TLS file is uploaded successfully, the result will be displayed on the VEGA GUI as shown below:

 

Remove TLS Certificate/Key

The option to upload a TLS certificate/key to VEGA is found in the “System Tab” under the “Expert Config Section” (i.e. Expert Config -> System, then edit Upload/Download Files) as shown below:

A file can be removed only if a certificate has been uploaded: select the file from the drop-down list and then remove it, as shown below:

Once the file is successfully removed, the result will be displayed on the VEGA GUI as shown below:

NOTE:

  1. VEGA only supports certificates uploaded in .pem format.

  2. Right now, VEGA does not support uploading a TLS certificate per SIP profile. It only supports a single, universal TLS certificate/key for all the SIP profiles configured in TLS mode as explained above.

  3. A reboot is required for VEGA to use the proper TLS certificate/key once a file is uploaded or removed.
