Difference between revisions of "M4 TLS"

 
(One intermediate revision by the same user not shown)
Line 7: Line 7:
<br/>
<br/>


==Generating a self-signed private key and certificate==
==Generating a private key and self-signed certificate==
To generate a self-signed private key and certificate, execute the following commands on Kamailio server:
To generate a private key and self-signed certificate, execute the following commands on Kamailio server:


  cd /usr/src/kamailio/src/modules/tls
  cd /usr/src/kamailio/src/modules/tls
Line 25: Line 25:
  kamailio_tls_private_key = /path/to/private.key
  kamailio_tls_private_key = /path/to/private.key
  kamailio_tls_certificate = /path/to/certificate.crt
  kamailio_tls_certificate = /path/to/certificate.crt
  kamailio_tls_method = TLSv1.1+
  kamailio_tls_method = TLSv1.2+


''If these settings are not present in /etc/m2/system.conf, add them manually.''
''If these settings are not present in /etc/m2/system.conf, add them manually.''
Line 40: Line 40:
* TLSv1.2+ - TLSv1.2 or newer (TLSv1.3, ...) connections are accepted.
* TLSv1.2+ - TLSv1.2 or newer (TLSv1.3, ...) connections are accepted.
* TLSv1.2 - only TLSv1.2 connections are accepted.
* TLSv1.2 - only TLSv1.2 connections are accepted.
* TLSv1.1+ - TLSv1.1 or newer (TLSv1.2, ...) connections are accepted.
* TLSv1.1 - only TLSv1.1 connections are accepted.
* TLSv1+ - TLSv1.0 or newer (TLSv1.1, TLSv1.2, ...) connections are accepted.
* TLSv1 - only TLSv1 (TLSv1.0) connections are accepted.


<br/>
<br/>
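Review bot: the TLS methods list drops TLSv1.1+, TLSv1.1, TLSv1+ and TLSv1 with no note for servers whose /etc/m2/system.conf still carries one of them, and the example above it previously showed kamailio_tls_method = TLSv1.1+, so configurations copied from the earlier revision will have that value. Suggest adding a sentence under the list saying these values are no longer offered and that kamailio_tls_method should be changed to TLSv1.2+ or TLSv1.3+.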

Latest revision as of 17:35, 11 December 2024

Description

M4 supports TLS connections to encrypt signaling (SIP) traffic. To enable this feature, you need to configure Kamailio with a valid private key and certificate.
By default, TLS connections are established on port 5061. This guide will walk you through the process of configuring TLS for your M4 server.

Setup

To use TLS, a private key and certificate must be set up on the server side (M4 server) where Kamailio is running.

Generating a private key and self-signed certificate

To generate a private key and self-signed certificate, execute the following commands on the Kamailio server:

cd /usr/src/kamailio/src/modules/tls
make install-tls-cert

This will install a private key and certificate in:

/usr/local/etc/kamailio/kamailio-selfsigned.key
/usr/local/etc/kamailio/kamailio-selfsigned.pem

Kamailio configuration

TLS settings for Kamailio are defined in /etc/m2/system.conf:

# Kamailio TLS settings
kamailio_tls_enabled = 0
kamailio_tls_private_key = /path/to/private.key
kamailio_tls_certificate = /path/to/certificate.crt
kamailio_tls_method = TLSv1.2+

If these settings are not present in /etc/m2/system.conf, add them manually.

  • kamailio_tls_enabled - should TLS be enabled in Kamailio? 1 - yes, 0 - no.
  • kamailio_tls_private_key - path to private key.
  • kamailio_tls_certificate - path to certificate.
  • kamailio_tls_method - TLS method (see possible values below).

TLS methods:

  • TLSv1.3+ - TLSv1.3 or newer (TLSv1.3, ...) connections are accepted.
  • TLSv1.3 - only TLSv1.3 connections are accepted.
  • TLSv1.2+ - TLSv1.2 or newer (TLSv1.3, ...) connections are accepted.
  • TLSv1.2 - only TLSv1.2 connections are accepted.


After the TLS settings are configured in /etc/m2/system.conf, run the Kamailio configure script:

/usr/src/m4/kamailio/kamailio_cfg_update.sh

A Kamailio restart is required after changing these settings:

systemctl restart kamailio
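
A pre-flight check that can be run before the configure script and restart, shown here as an added example that is not part of the original page or Kolmisoft's code. It assumes the "key = value" layout shown above and an installed openssl CLI; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not Kolmisoft's code): pre-flight check of the TLS settings
# in system.conf. Function names are hypothetical; needs the openssl CLI.

# Print the value of a "key = value" setting (last occurrence wins).
conf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1 | sed 's/[[:space:]]*$//'
}

# Succeed only for the TLS methods the page lists.
method_ok() {
    case "$1" in
        TLSv1.2|TLSv1.2+|TLSv1.3|TLSv1.3+) return 0 ;;
        *) return 1 ;;
    esac
}

# Succeed if the certificate holds the public key of the private key.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Print each problem found; the return status is the number of problems.
check_tls_conf() {
    conf=$1; bad=0
    key=$(conf_get "$conf" kamailio_tls_private_key)
    crt=$(conf_get "$conf" kamailio_tls_certificate)
    method=$(conf_get "$conf" kamailio_tls_method)
    [ "$(conf_get "$conf" kamailio_tls_enabled)" = 1 ] || { echo "TLS is not enabled"; bad=$((bad+1)); }
    method_ok "$method" || { echo "unsupported kamailio_tls_method: $method"; bad=$((bad+1)); }
    [ -r "$key" ] || { echo "private key not readable: $key"; bad=$((bad+1)); }
    [ -r "$crt" ] || { echo "certificate not readable: $crt"; bad=$((bad+1)); }
    if [ -r "$key" ] && [ -r "$crt" ]; then
        key_matches_cert "$key" "$crt" || { echo "certificate does not match private key"; bad=$((bad+1)); }
        openssl x509 -in "$crt" -noout -checkend 0 >/dev/null 2>&1 || { echo "certificate expired or unparsable"; bad=$((bad+1)); }
    fi
    return "$bad"
}

# Usage: sh check_tls.sh /etc/m2/system.conf
if [ -n "${1:-}" ]; then check_tls_conf "$1"; fi
```

A non-zero exit status means at least one setting needs fixing before Kamailio is restarted.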

Allowing TLS connections

To allow TLS connections for a specific Origination Point, enable the TLS transport protocol in the Origination Point Authentication settings (advanced authentication settings).


Sending TLS calls

To send calls using the TLS transport protocol, set TLS in the Termination Point Signaling settings.
