TLS Roles for the Sentinel
The Sentinel supports SIP over TLS. Each signaling interface listens on UDP, TCP and TLS simultaneously. For TLS, the Sentinel can be set up as a SIP TLS client, a TLS server, or both (the default).
The TLS mode used by the Sentinel is configured in the Signaling Interface Configuration table, under SBC/Configuration.
- TLS server:
- Secure communication with remote users
- SIP trunk to a remote office (the SBC is the hub)
- SIP trunk between two SBCs (this side acts as the server)
- TLS client:
- SIP trunk to a provider (the provider is the TLS server)
- Registered SIP user clients to a provider
- SIP trunk between two SBCs (this side acts as the client)
For more details on Transport Layer Security (TLS), refer to the DGW Configuration Guides - Transport Layer Security document published on the Media5 documentation portal at https://documentation.media5corp.com
Sentinel TLS Support Level
- SSL v3.0 is no longer supported as of DGW v 46.0.2025.
- The default is TLSv1.2 (as a client, the Sentinel offers TLSv1.2 first). If the other party does not support TLSv1.2, the negotiation can fall back to TLS v1.1 or TLS v1.0. Both of those versions are deprecated (RFC 8996); the fallback only exists for peers that cannot do TLSv1.2, and such peers should be upgraded rather than relied on.
- When the Sentinel is used as a TLS server, the Sentinel:
- accepts TLS v1.0, TLS v1.1 or TLS v1.2
- does not request a certificate from clients; in other words, mutual TLS is not supported in this mode
- When the Sentinel is used as a TLS client, the Sentinel:
- accepts TLS v1.0, TLS v1.1 or TLS v1.2 (offering TLSv1.2 first)
- presents its own host certificate if the server requests one for mutual TLS
- Ciphers:
- Only SHA-2 cipher suites are supported (equivalent to CS3 in the Dgw2.0 TLS cipher setting)
- SHA-1 is no longer supported
- Certificate chain validation goes up to 9 levels.
- During the TLS handshake, the SBC validates the peer's (server's) certificate against its Common Name or Subject Alternative Name. This is the default behavior. The validation can be bypassed with this command:
Sbc.CertificateValidation = "NoValidation"
With NoValidation the SBC no longer checks whom the presented certificate belongs to, so the session is encrypted but the peer is not authenticated: anyone who can intercept the connection can present a certificate of their own. Use it only for troubleshooting, never on an interface facing a provider or the Internet.
- Unlike other services such as SipEp, which supports an intermediate validation level of "TrustedCertificate", the Sbc service has no such level. If validation is enabled, the certificate name must match.
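The rules above can be checked from the client side with the following added example, which is not part of the Media5 documentation or of the DGW software. It connects to a signaling interface running in TLS server mode, tries each TLS version on its own, sends a SIP OPTIONS request over the session, and reports the negotiated version, the CN and SAN of the certificate the SBC presented, and the SIP status. The target name sbc.example.com, port 5061 and the CA file sbc-ca.pem are assumptions; the no_validation flag reproduces on the client side what Sbc.CertificateValidation = "NoValidation" does on the SBC, so the difference between a context that insists on a matching name and one that accepts anything is visible directly.

```python
"""
Probe a Sentinel signaling interface in TLS server mode from the client side.
Assumed target: sbc.example.com:5061 with trust anchor sbc-ca.pem (not from the page).
"""
import socket
import ssl
import uuid

# name -> ssl.TLSVersion; the page says the SBC accepts 1.0, 1.1 and 1.2 as a server
VERSIONS = {
    "TLSv1": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}


def make_context(version=None, ca_file=None, no_validation=False):
    """Client context. no_validation=True mirrors Sbc.CertificateValidation = "NoValidation":
    the peer certificate is neither chain-checked nor matched against the name we dialled,
    so any certificate, including a man-in-the-middle's, is accepted. Default: check both."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    if no_validation:
        ctx.check_hostname = False           # must be cleared before verify_mode can be CERT_NONE
        ctx.verify_mode = ssl.CERT_NONE
    else:
        ctx.check_hostname = True            # CN/SAN must match server_hostname
        ctx.verify_mode = ssl.CERT_REQUIRED
        if ca_file:
            ctx.load_verify_locations(ca_file)
        else:
            ctx.load_default_certs()
    if version:
        ctx.minimum_version = ctx.maximum_version = VERSIONS[version]   # pin exactly one version
        if VERSIONS[version] < ssl.TLSVersion.TLSv1_2:
            try:                             # OpenSSL 3 refuses TLS 1.0/1.1 at its default seclevel
                ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
            except ssl.SSLError:
                pass                         # other backends: keep their defaults
    return ctx


def build_options(target, port=5061, local_host="probe.invalid"):
    """Minimal SIP OPTIONS request: sips: URI and TLS transport in the Via (RFC 3261)."""
    branch = "z9hG4bK" + uuid.uuid4().hex[:16]
    return (
        f"OPTIONS sips:{target}:{port} SIP/2.0\r\n"
        f"Via: SIP/2.0/TLS {local_host}:{port};branch={branch};rport\r\n"
        "Max-Forwards: 70\r\n"
        f"From: <sips:probe@{local_host}>;tag={uuid.uuid4().hex[:8]}\r\n"
        f"To: <sips:{target}>\r\n"
        f"Call-ID: {uuid.uuid4().hex}@{local_host}\r\n"
        "CSeq: 1 OPTIONS\r\n"
        "Content-Length: 0\r\n\r\n"
    ).encode()


def parse_status(response):
    """(status_code, reason) from a SIP response, or None if the data is not a SIP response."""
    line = response.split(b"\r\n", 1)[0].decode("ascii", "replace")
    parts = line.split(" ", 2)
    if len(parts) < 2 or parts[0] != "SIP/2.0" or not parts[1].isdigit():
        return None
    return int(parts[1]), parts[2] if len(parts) > 2 else ""


def probe(host, port=5061, version=None, ca_file=None, no_validation=False, timeout=5.0):
    """Handshake, send OPTIONS, report what was negotiated; returns a dict and never raises."""
    try:
        ctx = make_context(version, ca_file, no_validation)
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                tls.sendall(build_options(host, port))
                status = parse_status(tls.recv(4096))
                cert = tls.getpeercert()     # empty dict when the peer was not validated
                return {"ok": True, "version": tls.version(), "cipher": tls.cipher()[0],
                        "subject": dict(rdn[0] for rdn in cert.get("subject", ())),
                        "san": [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"],
                        "sip_status": status}
    except (OSError, ValueError) as exc:     # ssl.SSLError (incl. name mismatch) is an OSError
        return {"ok": False, "error": f"{type(exc).__name__}: {exc}"}


def version_matrix(host, port=5061, ca_file=None):
    """Which TLS versions the server completes a handshake for, one pinned version per attempt."""
    return {name: probe(host, port, name, ca_file)["ok"] for name in VERSIONS}


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "sbc.example.com"   # assumption
    for name, accepted in version_matrix(target, ca_file="sbc-ca.pem").items():
        print(f"{name:8} {'accepted' if accepted else 'rejected or failed'}")
    print(probe(target, ca_file="sbc-ca.pem"))
    print(probe(target, no_validation=True))  # succeeds even if the name does not match
```

A failed attempt in the matrix reports the local error text, so a `SSLCertVerificationError` (name mismatch, unknown issuer, expired host certificate) is distinguishable from a version the server simply rejected; an interface configured for TLS client mode only will not answer at all.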
Certificates Required by the Sentinel SBC Used as the TLS Client
All the certificates needed for TLS when the Sentinel SBC is used as the TLS client (the CA certificates it uses to validate the server's certificate chain) are located under Management/Certificates, in the Other Certificates table.
Certificates Required by the Sentinel SBC Used as the TLS Server
To act as a TLS server, the Sentinel SBC must be loaded with at least one host certificate. Host certificates are found under Management/Certificates, in the Host Certificates table.
The Sentinel does not generate its own private key or CSR (Certificate Signing Request); the certificate is created on another platform and imported. Because the private key is generated off-box and imported together with the certificate, generate it on a trusted host and transfer it only over a protected channel. For information on creating host certificates, refer to the Technical Bulletins - Creating a Media5 Device host Certificate with OpenSSL document.
A Sentinel SBC can have multiple host certificates. Which service uses which certificate is configured in the same tab: the Sbc box must be checked for the SBC service to apply the desired host certificate.
If the host certificate is signed by an intermediate CA, put the intermediate CA certificate in the Other Certificates table. This way, when the client asks the SBC for its server certificate, the intermediate CA certificate is embedded in the certificate chain; a chain that stops at the host certificate forces every client to already hold the intermediate, which is the usual cause of "unknown issuer" handshake failures. Also make sure the host certificate is within its validity period. If it is not, the SBC will not present the host certificate in the TLS handshake and the TLS negotiation will fail.
For more details on Certificates, refer to the Technical Bulletins - Using Trusted CA and Hosted Certificates document published on the Media5 documentation portal at https://documentation.media5corp.com.
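Before uploading a host certificate and its issuing chain, the two conditions in this section (host certificate inside its validity period, intermediate present and in the right order) can be checked offline. The following added example is not part of the Media5 documentation or of the DGW software; it walks just enough of the X.509 DER structure with the standard library to read issuer, subject and validity, and then checks a PEM bundle that is expected to hold the host certificate first, followed by its issuing CA certificates. The sample certificates it builds for demonstration are constructed, unsigned and carry no key; the names sbc.example.com, Example Issuing CA and Example Root CA are invented.

```python
"""
Pre-upload check for a host-certificate bundle (host certificate first, then the issuing chain):
validity period, chain order and the 9-level depth the Sentinel validates. Standard library only.
"""
import base64
import re
from datetime import datetime, timedelta, timezone

PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
MAX_CHAIN_DEPTH = 9                       # chain validation depth documented for the Sentinel


def pem_to_ders(pem):
    """DER bytes of each certificate in the bundle, in file order."""
    return [base64.b64decode(b"".join(m.group(1).split())) for m in PEM_RE.finditer(pem)]


def _tlv(buf, off):
    """Decode one DER tag and length at `off`; return (tag, value_start, value_end)."""
    tag, ln, off = buf[off], buf[off + 1], off + 2
    if ln & 0x80:                         # long form: low 7 bits give the count of length octets
        n = ln & 0x7F
        ln, off = int.from_bytes(buf[off:off + n], "big"), off + n
    return tag, off, off + ln


def _asn1_time(tag, raw):
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"   # UTCTime / GeneralizedTime
    return datetime.strptime(raw.decode("ascii"), fmt).replace(tzinfo=timezone.utc)


def parse_cert(der):
    """Issuer and subject (raw DER Names, compared byte for byte) plus the validity window."""
    _, tbs, _ = _tlv(der, 0)              # Certificate ::= SEQUENCE { tbsCertificate, sigAlg, sig }
    _, off, _ = _tlv(der, tbs)            # tbsCertificate ::= SEQUENCE { ... }
    tag, _, end = _tlv(der, off)
    if tag == 0xA0:                       # optional EXPLICIT [0] version
        tag, _, end = _tlv(der, end)
    off = end                             # past serialNumber
    _, _, off = _tlv(der, off)            # past signature AlgorithmIdentifier
    _, _, end = _tlv(der, off)
    issuer, off = der[off:end], end       # issuer Name
    _, vstart, end = _tlv(der, off)       # validity ::= SEQUENCE { notBefore, notAfter }
    t1, s1, e1 = _tlv(der, vstart)
    t2, s2, e2 = _tlv(der, e1)
    off = end
    _, _, end = _tlv(der, off)            # subject Name
    return {"issuer": issuer, "subject": der[off:end],
            "not_before": _asn1_time(t1, der[s1:e1]), "not_after": _asn1_time(t2, der[s2:e2])}


def check_bundle(pem, now=None):
    """Return {'ok', 'depth', 'problems'} for a bundle whose first certificate is the host certificate."""
    now = now or datetime.now(timezone.utc)
    certs = [parse_cert(d) for d in pem_to_ders(pem)]
    if not certs:
        return {"ok": False, "depth": 0, "problems": ["no certificate found in bundle"]}
    problems = []
    if not certs[0]["not_before"] <= now <= certs[0]["not_after"]:
        problems.append("host certificate outside its validity period: the SBC will not present it")
    for i in range(len(certs) - 1):       # each certificate must be issued by the one after it
        if certs[i]["issuer"] != certs[i + 1]["subject"]:
            problems.append(f"certificate {i + 1} is not the issuer of certificate {i}: chain order broken")
    if len(certs) > MAX_CHAIN_DEPTH:
        problems.append(f"chain has {len(certs)} levels, more than the {MAX_CHAIN_DEPTH} the SBC validates")
    return {"ok": not problems, "depth": len(certs), "problems": problems}


# --- constructed sample input: unsigned, key-less certificates for demonstration only ---
def _der(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    if n < 0x100:
        return bytes([tag, 0x81, n]) + body
    return bytes([tag, 0x82]) + n.to_bytes(2, "big") + body


def _name(cn):                            # Name ::= SEQUENCE OF SET OF { id-at-commonName, value }
    return _der(0x30, _der(0x31, _der(0x30, _der(0x06, b"\x55\x04\x03") + _der(0x13, cn.encode()))))


def make_test_cert(subject_cn, issuer_cn, not_before, not_after):
    """PEM of a structurally valid but unsigned certificate (dummy signature, empty key field)."""
    def utc(d):
        return _der(0x17, d.strftime("%y%m%d%H%M%SZ").encode())
    sig_alg = _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b") + b"\x05\x00")  # sha256WithRSA
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + sig_alg + _name(issuer_cn)
               + _der(0x30, utc(not_before) + utc(not_after)) + _name(subject_cn) + _der(0x30, b""))
    der = _der(0x30, tbs + sig_alg + _der(0x03, b"\x00"))
    return b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der) + b"-----END CERTIFICATE-----\n"


def sample_bundle(expired=False, swapped=False):
    """Host cert 'sbc.example.com' issued by 'Example Issuing CA', with that intermediate appended."""
    now = datetime.now(timezone.utc)
    shift = timedelta(days=400) if expired else timedelta(0)
    host = make_test_cert("sbc.example.com", "Example Issuing CA",
                          now - timedelta(days=1) - shift, now + timedelta(days=365) - shift)
    inter = make_test_cert("Example Issuing CA", "Example Root CA",
                           now - timedelta(days=30), now + timedelta(days=3650))
    return inter + host if swapped else host + inter


if __name__ == "__main__":
    import sys
    bundle = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else sample_bundle()
    print(check_bundle(bundle))
```

Run it with the path of the PEM file you are about to upload; a real bundle exported by OpenSSL parses the same way, since only the tbsCertificate fields up to the subject are read. The check is structural only: it does not verify signatures, so it complements rather than replaces `openssl verify` on the workstation where the certificate was created.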
Setting the TLS mode used by the Network Interfaces
- In Server mode, the signaling interface acts as a TLS server. This mode requires a valid host certificate on the unit.
- In Client mode, the signaling interface acts as a TLS client. If no host certificate is enabled on the unit, only this mode is available.
- In Both mode, the signaling interface can act as a TLS server or as a TLS client.
Configuring a Call Agent to Only Use TLS Transport
Use this procedure if TLS transport is the only transport type used by the Call Agent. If the Call Agent needs to use multiple transport types, refer to the Configuring a Call Agent to Use TLS and Other Transport Types procedure.
- Go to SBC/Configuration.
- In the Call Agent Configuration table, click the edit icon located on the same line as the Call Agent that must use TLS.
- In the Configure Call Agent table, from the Force Transport selection list, choose TLS.
- Click Save.
Configuring a Call Agent to Use TLS and Other Transport Types
- Go to SBC/Rulesets.
- In the Routing Rulesets table, on the same line as the routing ruleset that uses the Call Agent that must use TLS transport, click Edit.
- In the Advanced section, check the Force Transport check box.
- From the selection list, choose TLS.
Available Documentation
Copyright Notice
Copyright © 2023 Media5 Corporation.
This document contains information that is proprietary to Media5 Corporation.
Media5 Corporation reserves all rights to this document as well as to the Intellectual Property of the document and the technology and know-how that it includes and represents.
This publication cannot be reproduced, neither in whole nor in part, in any form whatsoever, without written prior approval by Media5 Corporation.
Media5 Corporation reserves the right to revise this publication and make changes at any time and without the obligation to notify any person and/or entity of such revisions and/or changes.