Handbook 6.0.0

Adding SIP over SSL/TLS support to a VoIP profile
Use the following commands to add SIP over SSL/TLS support to the default VoIP profile. They set the SSL mode to full, reference the client and server certificates (and their passwords, the same ones you entered when you imported the certificates), and select the authentication settings used for the client and server sides:

config voip profile
    edit default
        config sip
            set ssl-mode full
            set ssl-client-certificate "Client_cert"
            set ssl-server-certificate "Server_cert"
            set ssl-auth-client "check-server"
            set ssl-auth-server "check-server-group"
        end
    end

Other SSL mode options are also available:

ssl-send-empty-frags {disable | enable}: Enable to send empty fragments to avoid CBC IV attacks. Compatible with SSL 3.0 and TLS 1.0 only. Default is enable.
ssl-client-renegotiation {allow | deny | secure}: Control how the ALG responds when a client attempts to renegotiate the SSL session. You can allow renegotiation, or deny to block sessions when the client attempts to renegotiate. You can also select secure to reject an SSL connection that does not support RFC 5746 secure renegotiation indication. Default is allow.
ssl-algorithm {high | low | medium}: Select the relative strength of the algorithms that can be negotiated. Select high (the default) to allow only AES or 3DES; medium to allow AES, 3DES, or RC4; or low to allow AES, 3DES, RC4, or DES.
ssl-pfs {allow | deny | require}: Select whether to allow, deny, or require perfect forward secrecy (PFS). Default is allow.
ssl-min-version {ssl-3.0 | tls-1.0 | tls-1.1}: Select the minimum SSL/TLS version to allow. The default is ssl-3.0.
ssl-max-version {ssl-3.0 | tls-1.0 | tls-1.1}: Select the maximum SSL/TLS version to allow. The default is tls-1.1.
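Because several of the defaults above are permissive (SSL 3.0 accepted, PFS only allowed, client renegotiation allowed), it helps to audit a profile before relying on it. The following added example (not Fortinet code) parses the config sip block of a VoIP profile as shown in the CLI snippet, fills in the defaults documented on this page for any option that is not set, and lists the settings a defender would tighten; the two sample profiles it builds are constructed for illustration.

```python
import shlex

# Option defaults documented on this page; used when a profile does not set them.
DEFAULTS = {
    "ssl-send-empty-frags": "enable",
    "ssl-client-renegotiation": "allow",
    "ssl-algorithm": "high",
    "ssl-pfs": "allow",
    "ssl-min-version": "ssl-3.0",
    "ssl-max-version": "tls-1.1",
}

def sip_profile(*set_lines):
    """Build a 'config voip profile' CLI block (constructed sample input, not from the page)."""
    body = "\n".join("            " + line for line in set_lines)
    return ("config voip profile\n    edit default\n        config sip\n"
            f"{body}\n        end\n    end\n")

# Baseline: only what the page's snippet sets. Hardened: the optional SSL settings tightened.
BASELINE = sip_profile("set ssl-mode full", 'set ssl-client-certificate "Client_cert"',
                       'set ssl-server-certificate "Server_cert"')
HARDENED = sip_profile("set ssl-mode full", "set ssl-min-version tls-1.1",
                       "set ssl-pfs require", "set ssl-client-renegotiation secure")

def parse_sip_settings(cli_text):
    """Return the 'config sip' settings as a dict, with page defaults filled in."""
    settings = dict(DEFAULTS)
    in_sip = False
    for line in cli_text.splitlines():
        tokens = shlex.split(line)  # strips the quotes around "Client_cert"
        if tokens[:2] == ["config", "sip"]:
            in_sip = True
        elif in_sip and tokens == ["end"]:
            break  # end of the sip block
        elif in_sip and len(tokens) >= 3 and tokens[0] == "set":
            settings[tokens[1]] = tokens[2]
    return settings

def audit_sip_ssl(settings):
    """Return a list of findings for settings a defender would tighten; empty means clean."""
    findings = []
    if settings["ssl-min-version"] == "ssl-3.0":
        findings.append("ssl-min-version ssl-3.0 still accepts SSL 3.0; raise it to a TLS version")
    if settings["ssl-algorithm"] in ("low", "medium"):
        findings.append(f"ssl-algorithm {settings['ssl-algorithm']} permits RC4/DES; use high")
    if settings["ssl-pfs"] != "require":
        findings.append(f"ssl-pfs {settings['ssl-pfs']} does not enforce forward secrecy")
    if settings["ssl-client-renegotiation"] == "allow":
        findings.append("ssl-client-renegotiation allow; prefer secure (RFC 5746) or deny")
    return findings
```

Running audit_sip_ssl(parse_sip_settings(BASELINE)) reports three findings (minimum version, PFS, renegotiation), while the hardened profile reports none.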