Hello Ajish,

On Tues., Jan. 30, 2013, Ajish ZACHARIAS wrote:
>hai i want to develop VoIP application actually in that i want implement
>tls on it . I am using opensips 1.4. i want to know how i can generate
>certificate. and also i want can i use propery algorithms in TLS. If i
>possible kindly tell to me how to integrate properity algorithms in TLS
>

I know that it's no answer to your question, but wouldn't it be sensible
to use a more modern release of OpenSIPS? 1.4 is quite old, and there
have been quite some improvements and corrections to the TLS transport
since then.

In any case, I'm using the TLS transport almost exclusively with
OpenSIPS 1.7.2 (which is old also) and it works well. I made the
certificate request like this:

  $ openssl req -nodes -days 1460 -new -newkey rsa:4096 -keyout hostname-rsa-4096-key.pem -out hostname-rsa-4096-csr.pem

...but I would recommend that you start with a 1024 bit cert (replace
4096 with 1024 in the command) since some devices (telephones) can't
exchange 4096 bit keys. You also might want to adjust the '-days'
parameter to suit your needs.

If you upgrade to a newer OpenSIPS (maybe 1.6 or newer) then you have
access to the following:

  $ sudo opensipsctl tls

...which might be easier for you to use.

Then either sign the certificate request 'hostname-rsa-4096-csr.pem'
with your own certificate authority root cert (see OpenSSL docs about
this) or upload it to a foreign certificate authority to sign. Then
use the certificate that the CA returns like this:

  disable_tls = 0
  tls_method = TLSv1
  tls_ciphers_list = "HIGH:MEDIUM:!ADH" # openssl ciphers -v HIGH:MEDIUM
  tls_certificate = "hostname-rsa-4096-crt.pem"
  tls_private_key = "hostname-rsa-4096-key.pem"
  tls_ca_list = "public-ca.crt.pem"

  listen = udp:sip.myhostname.com:5060
  listen = tcp:sip.myhostname.com:5060
  listen = tls:sip.myhostname.com:5061

That's a good enough start. Try it out and report how far you get.

Regards,
Michael
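
The "sign it with your own certificate authority" step mentioned in the message, as an added example that is not part of the original post. It assumes the openssl CLI is installed; the CA subject "Demo Test CA", the function name and its arguments are constructed for illustration, and the file names follow the pattern used in the message.

```shell
#!/bin/sh
# Added example (not from the original message): create a private test CA,
# sign a server CSR with it, then check the result before pointing
# tls_certificate / tls_private_key / tls_ca_list at the files.
# Usage: sign_and_check <dir> <hostname> <rsa-bits>   (all values are yours)
sign_and_check() {
    dir=$1; host=$2; bits=$3
    name="$host-rsa-$bits"
    (
        cd "$dir" || exit 1
        umask 077   # private keys are written readable by the owner only
        # 1. Self-signed root for the private CA ("Demo Test CA" is constructed).
        openssl req -x509 -nodes -newkey "rsa:$bits" -days 1460 \
            -subj "/CN=Demo Test CA" \
            -keyout ca-key.pem -out public-ca.crt.pem 2>/dev/null || exit 1
        # 2. Server key and CSR. The certificate lifetime is set when the
        #    CA signs (step 3), so no -days is given here.
        openssl req -nodes -new -newkey "rsa:$bits" -subj "/CN=$host" \
            -keyout "$name-key.pem" -out "$name-csr.pem" 2>/dev/null || exit 1
        # 3. The CA signs the CSR and fixes the validity period.
        openssl x509 -req -in "$name-csr.pem" -sha256 -days 1460 \
            -CA public-ca.crt.pem -CAkey ca-key.pem -CAcreateserial \
            -out "$name-crt.pem" 2>/dev/null || exit 1
        # 4. The certificate must chain to the CA file given to tls_ca_list.
        openssl verify -CAfile public-ca.crt.pem "$name-crt.pem" >/dev/null || exit 1
        # 5. The certificate must carry the public half of the private key;
        #    a mismatched pair is a common cause of TLS startup failures.
        crt_pub=$(openssl x509 -in "$name-crt.pem" -noout -pubkey | openssl sha256)
        key_pub=$(openssl pkey -in "$name-key.pem" -pubout | openssl sha256)
        [ "$crt_pub" = "$key_pub" ] || exit 1
    )
}

# Stand-alone use: sh this-script.sh /path/to/dir sip.myhostname.com 4096
if [ $# -eq 3 ]; then
    sign_and_check "$1" "$2" "$3"
fi
```

The function returns non-zero if any step fails, so a zero status means the certificate both chains to public-ca.crt.pem and matches the private key.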
