Revision as of 07:12, February 14, 2023 by Xavier (talk | contribs) (SEPSDK-2962)

Configuring secure connections (TLS) for SIP

TLS support in Genesys SIP Endpoint SDK and Softphone for Windows uses the Genesys Common Library implementation, which relies on Microsoft Secure Channel (Schannel, a part of the Windows operating system). To configure TLS support, configure the OS-level settings using standard Windows tools and follow Microsoft recommendations. SDK-specific settings are limited to configuring the client-side certificate for Mutual TLS and controlling target host name verification.

TLS certificates (including private keys) and CA certificates are stored in the Windows certificate store; the Genesys Common Library supports both the user-level and the system-level store. A configured certificate is searched for first in the user-level store and then in the system-level store. For more details on accessing and managing the certificate store and setting up a working TLS environment, refer to Managing Certificates using MMC on Windows. To ensure a functional TLS environment, system administrators must make sure that the Certificate Revocation List (CRL) referenced in the server-side certificate is accessible from all client workstations; if the CRL cannot be retrieved, certificate validation fails and the TLS connection is not established.


To set up a secure connection to SIP Server (either directly or via SIP Proxy or SBC), set the 'protocol' parameter to TLS in the corresponding Connectivity element of the Basic container in the SIP Endpoint SDK configuration file:

<Connectivity user="{dn}" server="{server:port}" protocol="TLS"/>


For Mutual TLS, you should also specify the certificate option, which refers to the thumbprint of the client-side certificate. If you leave this option empty, only simple (server-authenticated) TLS is used for outgoing TLS connections, and incoming TLS connections are not possible. In most deployments this is not an issue, because Genesys SIP Server, SIP Proxy, and the supported SBCs reuse the client-originated TLS connection by default and do not try to open another TLS connection for delivering incoming SIP messages.

Important

All TLS configuration settings for securing the SIP connection are located in the system.security section.


See certificate and tls-target-name-check for additional information.
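The following PowerShell script is an added pre-flight check for the setup described above; it is not part of the SDK or of this documentation. It looks up the client certificate by thumbprint in the same order the Genesys Common Library uses (user store, then machine store), warns if the private key is missing, and tests whether the CRL distribution points of an exported server-side certificate are reachable from the workstation. The thumbprint and the server certificate path are constructed placeholders.

```powershell
# Added example (not Genesys code). Assumptions: $ClientThumbprint is the value intended for
# the system.security 'certificate' option; $ServerCertPath is the server-side certificate
# (exported from SIP Server / SIP Proxy / SBC) whose CRL must be reachable from this workstation.
param(
    [string]$ClientThumbprint = '0123456789ABCDEF0123456789ABCDEF01234567',  # constructed placeholder
    [string]$ServerCertPath   = 'C:\temp\sipserver.cer'                      # constructed placeholder
)

function Find-ClientCertificate {
    param([string]$Thumbprint)
    # Normalise the thumbprint to bare upper-case hex, as it appears in the certificate store.
    $tp = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    if ($tp.Length -ne 40) { throw "Thumbprint must be 40 hex characters (SHA-1); got '$Thumbprint'" }
    # Same lookup order as the Genesys Common Library: user-level store first, then system-level.
    foreach ($store in 'Cert:\CurrentUser\My', 'Cert:\LocalMachine\My') {
        $cert = Get-ChildItem -Path $store | Where-Object { $_.Thumbprint -eq $tp } | Select-Object -First 1
        if ($cert) {
            if (-not $cert.HasPrivateKey) { Write-Warning "$store has the certificate but no private key; Mutual TLS will fail" }
            return $cert
        }
    }
    throw "No certificate with thumbprint $tp in CurrentUser\My or LocalMachine\My"
}

function Test-CrlReachability {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # CRL Distribution Points extension (OID 2.5.29.31); Format($true) renders its URLs as text.
    $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
    if (-not $ext) { Write-Warning 'Server certificate carries no CRL distribution point'; return @() }
    # Only HTTP(S) distribution points are tested; LDAP points, if any, are skipped.
    $urls = [regex]::Matches($ext.Format($true), 'https?://\S+') | ForEach-Object { $_.Value }
    foreach ($url in $urls) {
        try {
            $null = Invoke-WebRequest -Uri $url -UseBasicParsing -TimeoutSec 10
            [pscustomobject]@{ Url = $url; Reachable = $true }
        } catch {
            [pscustomobject]@{ Url = $url; Reachable = $false; Error = $_.Exception.Message }
        }
    }
}

$client = Find-ClientCertificate -Thumbprint $ClientThumbprint
"Client certificate: $($client.Subject) (valid until $($client.NotAfter))"
$server = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $ServerCertPath
Test-CrlReachability -Cert $server | Format-Table -AutoSize
```

Run it on a client workstation under the account that will run the Softphone, since the user-level store is per account.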
