DBC 422 AND DBC 425
1531-DBC 422 02 Uen B3 2013-12-02 (page 55)
7.21.1 Protection of VoIP signalling
The signalling between the DBC 42x 02 IP phones and the gatekeeper is protected by means of TLS (Transport Layer Security) according to RFC 2246 (TLS 1.0).
The TLS protection covers registration and call handling. Multicast traffic (automatic gatekeeper discovery) is not protected.
The TLS server (gatekeeper) uses a digital certificate to authenticate itself towards the terminal. The terminals authenticate themselves by means of the password (the ordinary password used to register towards the gatekeeper) sent in the RAS/RRQ message. The password is protected only by the TLS session, so the phone's verification of the gatekeeper certificate (see 7.21.1.1) is what keeps the password from being disclosed to a server impersonating the gatekeeper.
TCP port 3727 is used for RAS over TCP.
TCP port 1300 is used for Secure Call Setup. For more information, see 7.18 Selection of transport address (port numbers) on page 49.
The cipher suite TLS_RSA_WITH_AES_128_CBC_SHA defined in RFC 3268 is used (OpenSSL name AES128-SHA; static RSA key exchange, so the sessions have no forward secrecy).
TLS is not supported on top of UDP. To give the RAS messages TLS protection, they are sent over a TCP connection opened by the IP phone, after the TLS handshake has completed on that connection.
The TLS support can be enabled or disabled from the configuration file, see the description in CONFIGURATION FILE FOR DBC 42X.
7.21.1.1 Certificates
The digital certificates are in X.509 version 3 format with the file extension .pem. For more detailed information about creating the certificate, see the operational directions for Certificate Management in the CPI library.
In order for the phone to be able to authenticate the server, the phone has a certificate repository with a number of root certificates or trusted certificates (see the table below). These are included in the IP phone firmware in the factory.
It is also possible to add further root certificates beside these by reading in the file with the certificate from the software server. The file must be stored under the folder /certificates/H323, see section 7.9.3 Directory structure on page 25. The path to the certificate file is specified in the configuration file.
Table 5 X.509 root certificates to support TLS server authentication

Certificate Authority | Comment
Baltimore
Entrust
md5WithRSAEncryption
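Before a certificate file is placed under /certificates/H323 and referenced from the configuration file, it is worth checking that it really is a PEM-encoded X.509 version 3 certificate, as the section above requires, and which signature algorithm it carries (the table's md5WithRSAEncryption comment refers to that field). The following dependency-free Python inspector is an added example and is not part of the DBC 42x documentation or firmware. It reads just enough DER to find the version and the signature AlgorithmIdentifier; the DER builder and the sample certificates it produces are constructed skeletons with no real keys or signatures, included only so the example runs offline.

```python
# Added example (not from the DBC 42x documentation): checks that a PEM file
# holds an X.509 v3 certificate and reports its signature algorithm.
import base64
import re

OID_NAMES = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
}
WEAK_SIGNATURE_ALGORITHMS = {"md5WithRSAEncryption"}


def der_read(buf, pos):
    """Return (tag, content, next_pos) for the DER TLV starting at pos."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(raw):
    """Decode DER OBJECT IDENTIFIER content octets to dotted form."""
    arcs = [raw[0] // 40, raw[0] % 40]
    value = 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                    # last octet of this arc
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def pem_to_der(pem_text):
    """Extract and base64-decode the CERTIFICATE block of a .pem file."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----",
                  pem_text, re.S)
    if not m:
        raise ValueError("not a PEM certificate")
    return base64.b64decode("".join(m.group(1).split()))


def inspect_certificate(pem_text):
    """Return version, signature algorithm and whether the file is acceptable for /certificates/H323."""
    der = pem_to_der(pem_text)
    tag, cert, _ = der_read(der, 0)         # Certificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("outer element is not a SEQUENCE")
    _, tbs, _ = der_read(cert, 0)           # tbsCertificate
    tag, value, pos = der_read(tbs, 0)
    if tag == 0xA0:                         # [0] EXPLICIT version present
        _, ver, _ = der_read(value, 0)
        version = int.from_bytes(ver, "big") + 1
        _, _, pos = der_read(tbs, pos)      # skip serialNumber
    else:
        version = 1                         # version absent: v1, 'value' was the serial
    _, alg, _ = der_read(tbs, pos)          # signature AlgorithmIdentifier
    _, oid, _ = der_read(alg, 0)
    name = OID_NAMES.get(decode_oid(oid), decode_oid(oid))
    return {"version": version,
            "signature_algorithm": name,
            "accepted": version == 3,       # the phone documentation requires X.509 v3
            "weak_signature": name in WEAK_SIGNATURE_ALGORITHMS}


# --- constructed sample input (assumption of this example, not a real certificate) ---
def der(tag, content):
    """Encode one DER TLV."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytes([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out += bytes(reversed(chunk))
    return out


def make_sample_pem(version, sig_oid):
    """Certificate skeleton with the fields the inspector reads; no key, no real signature."""
    alg = der(0x30, der(0x06, encode_oid(sig_oid)) + der(0x05, b""))
    tbs = b"" if version == 1 else der(0xA0, der(0x02, bytes([version - 1])))
    tbs += der(0x02, b"\x01") + alg + der(0x30, b"")      # serial, signature, empty issuer
    cert = der(0x30, der(0x30, tbs) + alg + der(0x03, b"\x00" * 17))
    return ("-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(cert).decode()
            + "-----END CERTIFICATE-----\n")


if __name__ == "__main__":
    print(inspect_certificate(make_sample_pem(3, "1.2.840.113549.1.1.4")))
```

Run it against a real file with `inspect_certificate(open("root.pem").read())`. Note that for a self-signed root the signature algorithm does not affect trust, since the root is trusted by being present in the repository rather than by its own signature; the same md5WithRSAEncryption on the gatekeeper's own certificate or on an intermediate would be the real concern, because that signature is what the phone verifies during the TLS handshake.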