Adding SIP over SSL/TLS support to a VoIP profile
Use the following commands to add SIP over SSL/TLS support to the default VoIP profile. These commands enable SSL mode and add the client and server certificates and passwords, the same ones you entered when you imported the certificates:
config voip profile
    edit default
        config sip
            set ssl-mode full
            set ssl-client-certificate "Client_cert"
            set ssl-server-certificate "Server_cert"
            set ssl-auth-client "check-server"
            set ssl-auth-server "check-server-group"
        end
end
Other SSL mode options are also available:
ssl-send-empty-frags {disable | enable}
    Enable to send empty fragments to avoid CBC IV attacks. Compatible with SSL 3.0 and TLS 1.0 only. Default is enable.

ssl-client-renegotiation {allow | deny | secure}
    Control how the ALG responds when a client attempts to renegotiate the SSL session. You can allow renegotiation or block sessions when the client attempts to renegotiate. You can also select secure to reject an SSL connection that does not support RFC 5746 secure renegotiation indication. Default is allow.

ssl-algorithm {high | low | medium}
    Select the relative strength of the algorithms that can be selected. You can select high, the default, to allow only AES or 3DES; medium to allow AES, 3DES, or RC4; or low to allow AES, 3DES, RC4, or DES.

ssl-pfs {allow | deny | require}
    Select whether to allow, deny, or require perfect forward secrecy (PFS). Default is allow.

ssl-min-version {ssl-3.0 | tls-1.0 | tls-1.1}
    Select the minimum level of SSL support to allow. The default is ssl-3.0.

ssl-max-version {ssl-3.0 | tls-1.0 | tls-1.1}
    Select the maximum level of SSL support to allow. The default is tls-1.1.
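Because several of the defaults above are permissive (ssl-3.0 as the minimum version, renegotiation allowed, PFS optional), a profile that only sets ssl-mode and the certificates inherits them. The following is an added example, not Fortinet code: a small Python audit that parses a FortiOS configuration export, applies the defaults documented on this page to unset options, and reports the ones that fall outside a stricter policy. The POLICY values and the function names are this example's own assumptions.

```python
import shlex

# Defaults as documented in the option list on this page.
DEFAULTS = {"ssl-client-renegotiation": "allow", "ssl-algorithm": "high",
            "ssl-pfs": "allow", "ssl-min-version": "ssl-3.0"}
# Values this example accepts: its own hardening policy (an assumption).
POLICY = {"ssl-client-renegotiation": {"secure", "deny"}, "ssl-algorithm": {"high"},
          "ssl-pfs": {"require"}, "ssl-min-version": {"tls-1.1"}}
# Constructed sample input: the profile from this page, SSL options left unset.
SAMPLE = """config voip profile
edit default
config sip
set ssl-mode full
set ssl-client-certificate "Client_cert"
set ssl-server-certificate "Server_cert"
end
end
"""

def _in_sip(stack):  # at config voip profile > edit <name> > config sip?
    return (len(stack) == 3 and stack[0] == "config voip profile"
            and stack[1].startswith("edit ") and stack[2] == "config sip")

def parse_sip_settings(text):
    """Return {profile: {option: value}} for each 'config sip' block."""
    profiles, stack = {}, []
    for tok in map(shlex.split, text.splitlines()):
        if not tok:
            continue
        if tok[0] in ("config", "edit"):
            stack.append(" ".join(tok))
            if _in_sip(stack):
                profiles.setdefault(stack[1][5:], {})
        elif tok[0] == "next" and stack and stack[-1].startswith("edit "):
            stack.pop()
        elif tok[0] == "end":  # closes the config block and any edit left open in it
            while stack and stack.pop().startswith("edit "):
                pass
        elif tok[0] == "set" and len(tok) >= 3 and _in_sip(stack):
            profiles[stack[1][5:]][tok[1]] = tok[2]
    return profiles

def audit(text):
    """Return sorted (profile, option, effective value) tuples that fail POLICY."""
    return sorted(
        (name, opt, opts.get(opt, DEFAULTS[opt]))  # unset -> documented default
        for name, opts in parse_sip_settings(text).items()
        if opts.get("ssl-mode") == "full"           # only profiles with SIP over SSL on
        for opt, allowed in POLICY.items()
        if opts.get(opt, DEFAULTS[opt]) not in allowed)
```

Calling audit(SAMPLE) reports the three inherited defaults for the default profile; a profile that sets ssl-pfs require, ssl-client-renegotiation secure and ssl-min-version tls-1.1 produces no findings.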