AASTRA 6700I SIP TERMINALS FOR MX-ONE
86
26/1531-ANF 901 14 Uen E10 2014-01-22

21 Appendix

21.1 Teleworker with persistent mutual TLS (MTLS)
Reference: http://en.wikipedia.org/wiki/Transport_Layer_Security

Any TLS connection encrypts the SIP signaling to prevent eavesdropping. However, if the simple TLS handshake used in ‘persistent TLS’ is used, only the server is authenticated by its certificate (this is the method used in chapter 19.5 “How to enable security for home worker on Aastra 6700i”). In a client-authenticated TLS handshake (also referred to as mutual TLS), the server also requires the client to authenticate itself with a certificate. In ‘persistent mutual TLS’ the client performs a client-authenticated TLS handshake, and the TLS session is kept open by the client for as long as the phone is registered (logged on).

Why go to the effort of creating both a server certificate and a client certificate? The SBC, which is the access point for traffic from a teleworker (perhaps working from home), when configured for ‘client-authenticated TLS’ will only allow clients (phones) that present the expected client certificate in the handshake. This is a way to block unwanted registration attempts early. If a registration reaches the MX-ONE, the only check is to require a password for the registering directory number, which is recommended anyway. Also check the SBC manual for other ways to block or allow traffic.
21.1.1 Create persistent MTLS using an Enterprise CA (openssl) to sign both server and client certificate and configure the SBC
Prerequisites: openssl on the Linux server acting as Enterprise CA.
In this example you will sign certificates. Be careful with the root password of this server, as the CA can sign any TLS request. This chapter shows how to sign certificates.
In a shell, do the following. (Note that this is an example; use your own passwords.)
As root do:
>cd /etc/pki (or wherever the certs should live)
>mkdir sbc
>cd sbc
>mkdir private
>chmod 0700 private
>echo "01" > serial
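The shell script below is an added example and is not part of the Aastra manual or of any MX-ONE or SBC software. It carries the procedure started above through to the point the section describes: an enterprise CA built with openssl signs one server certificate (for the SBC) and one client certificate (for a phone), and an `openssl verify` check shows which certificates chain to that CA. Assumptions: openssl is installed; `CA_DIR` is a scratch directory standing in for `/etc/pki/sbc`; the names `sbc.example.com`, `phone-1001` and `rogue` are made up for the example.

```shell
#!/bin/sh
# Added example, not from the Aastra manual: a minimal enterprise CA built with
# openssl that signs one server certificate (for the SBC) and one client
# certificate (for a phone), then checks which certificates chain to the CA.
# Assumptions: openssl is installed; CA_DIR is a scratch directory standing in
# for /etc/pki/sbc; all names (sbc.example.com, phone-1001, rogue) are made up.
set -eu

CA_DIR="${CA_DIR:-$(mktemp -d)}"

# Create the CA layout the manual starts with (private/ at mode 0700, a serial
# file) plus a self-signed CA certificate. Keys are written unencrypted (-nodes)
# so the example runs unattended; a production CA key should be passphrase
# protected and kept off the SBC.
make_ca() {
  mkdir -p "$CA_DIR/private"
  chmod 0700 "$CA_DIR/private"
  echo "01" > "$CA_DIR/serial"
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=Example Enterprise CA" \
    -keyout "$CA_DIR/private/cakey.pem" -out "$CA_DIR/cacert.pem" 2>/dev/null
}

# sign_cert NAME CN: generate a key and CSR for NAME, then have the CA sign it.
# The same function serves the SBC (server) and each phone (client); only the
# subject differs. The serial file is read and incremented by -CAserial.
sign_cert() {
  name=$1
  cn=$2
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$cn" \
    -keyout "$CA_DIR/private/$name.key" -out "$CA_DIR/$name.csr" 2>/dev/null
  openssl x509 -req -days 365 -in "$CA_DIR/$name.csr" \
    -CA "$CA_DIR/cacert.pem" -CAkey "$CA_DIR/private/cakey.pem" \
    -CAserial "$CA_DIR/serial" -out "$CA_DIR/$name.crt" 2>/dev/null
}

# make_selfsigned NAME: a certificate NOT issued by the enterprise CA, standing
# in for a phone that presents some other certificate in the handshake.
make_selfsigned() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=$1" \
    -keyout "$CA_DIR/private/$1.key" -out "$CA_DIR/$1.crt" 2>/dev/null
}

# verify_cert NAME: succeed only if NAME.crt chains to the enterprise CA. This
# is the check an SBC configured for client-authenticated TLS performs on the
# certificate a phone presents; a certificate from any other issuer is rejected
# before the REGISTER ever reaches the MX-ONE.
verify_cert() {
  openssl verify -CAfile "$CA_DIR/cacert.pem" "$CA_DIR/$1.crt" >/dev/null 2>&1
}

# Run as a script ("sh mtls_ca.sh demo") to build the CA and show the checks.
if [ "${1:-}" = "demo" ]; then
  make_ca
  sign_cert sbc sbc.example.com
  sign_cert phone1001 phone-1001
  make_selfsigned rogue
  for n in sbc phone1001 rogue; do
    if verify_cert "$n"; then echo "$n: trusted"; else echo "$n: rejected"; fi
  done
  echo "certificates in $CA_DIR"
fi
```

The same `sign_cert` call produces the SBC certificate and each phone certificate; which one acts as server and which as client is decided by where the files are installed (CA certificate and own certificate on each side), not by how they are signed. The `rogue` certificate shows the point of the section: a phone that does not hold a certificate issued by this CA never gets past the SBC's handshake, so the password check on the MX-ONE is only reached by phones that already passed that filter.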