[SIPForum-discussion] Regarding TLS using SIP

M. Ranganathan mranga at gmail.com
Thu Jan 28 18:10:22 UTC 2010


On Thu, Jan 28, 2010 at 12:01 AM, baslingappa bhujang
<basling99 at gmail.com> wrote:
> Hi All,
> Could some one tell me how TLS works with sip protocol.

It's just like SIP over TCP except that the underlying protocol is TLS.

TLS is a secure transport layer built on top of TCP. It requires a
public/private key pair. The server encrypts traffic in the private
key and distributes its public key to clients so that clients may
decrypt it and verify that the server signed it. This guards against
spoofing. The public key may either be installed manually or, if you
have a public key that has been signed by a trusted Certificate
Authority, then the server may just hand out the public key that has
been signed by the CA and expect that the client will contact the
trusted CA for verification (i.e. authentication). So to do
authentication in the TLS framework, you need to have access to the
public key that was exchanged so you may verify that it was indeed
issued by the server. In general you can have a chain of CAs.
All of this is basic SSL / TLS.


The point is that SIP over TLS is completely oblivious to all of this.
The SIP protocol itself never sees it. The only thing is that as it is
running as an application layer protocol, TLS requires a new port
(different from TCP). Usually that port is 5061 but it does not have
to be. Further, the stack needs to have a mechanism to hand over the
public key to the "application" for verification.

There is also sips URL vs. sip over TLS. sips URLs are expected to
have end to end encryption whereas sip over tls (with transport=tls)
has only hop by hop encryption requirements.

Regards,

Ranga



-- 
M. Ranganathan
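As an added example (not from the poster or any SIP stack), the two decisions the reply describes written out in Python: how a stack picks TLS and the default port 5061 from a sips: URI or a transport=tls parameter, distinguishing the end-to-end requirement of sips: from hop-by-hop sip;transport=tls, and how the "application" checks the peer certificate the TLS layer hands up against the SIP domain. It assumes the RFC 3261 default ports (5060/5061) and the RFC 5922 rule that a SIP domain identity appears in subjectAltName as a dNSName or a sip: URI; the certificate dict is constructed.

```python
import re
from dataclasses import dataclass

# Default ports from RFC 3261: 5060 for sip over UDP/TCP, 5061 for TLS.
DEFAULT_PORTS = {"udp": 5060, "tcp": 5060, "tls": 5061}

@dataclass
class SipTarget:
    scheme: str
    host: str
    port: int
    transport: str
    end_to_end_tls: bool  # True only for sips: every hop must use TLS

_URI_RE = re.compile(
    r"^(?P<scheme>sips?):(?:[^@]*@)?(?P<host>\[[^\]]+\]|[^:;?>]+)"
    r"(?::(?P<port>\d+))?(?P<params>(?:;[^;?>]+)*)")

def parse_sip_target(uri: str) -> SipTarget:
    """Resolve scheme, transport and port the way a stack does before connecting."""
    m = _URI_RE.match(uri.strip())
    if not m:
        raise ValueError(f"not a SIP URI: {uri!r}")
    scheme = m.group("scheme").lower()
    params = {}
    for p in m.group("params").split(";"):
        if p:
            k, _, v = p.partition("=")
            params[k.lower()] = v.lower()
    if scheme == "sips":
        transport = "tls"  # sips: requires TLS on every hop (end to end)
    else:
        transport = params.get("transport", "udp")  # RFC 3261 default is UDP
    if transport not in DEFAULT_PORTS:
        raise ValueError(f"unsupported transport {transport!r}")
    port = int(m.group("port")) if m.group("port") else DEFAULT_PORTS[transport]
    return SipTarget(scheme, m.group("host"), port, transport, scheme == "sips")

def cert_matches_sip_domain(peercert: dict, domain: str) -> bool:
    """Application-level check of the certificate TLS handed up (shape of
    ssl.SSLSocket.getpeercert()): RFC 5922 allows a dNSName or a sip: URI."""
    domain = domain.lower()
    for kind, value in peercert.get("subjectAltName", ()):
        if kind == "DNS" and value.lower() == domain:
            return True
        if kind == "URI" and value.lower() == f"sip:{domain}":
            return True
    return False

# Constructed sample certificate dict (not a real certificate).
SAMPLE_CERT = {"subjectAltName": (("DNS", "proxy.example.net"),
                                  ("URI", "sip:example.net"))}
```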


