Tls Parameters; A.4.4 Tls Parameters - AudioCodes Mediant 3000 User Manual

A.4.4

TLS Parameters

The Transport Layer Security (TLS) parameters are described in the table below.
Parameter
Web/EMS: TLS Version
[TLSVersion]
Web: TLS Client Re-Handshake
Interval
EMS: TLS Re Handshake Interval
[TLSReHandshakeInterval]
Web: TLS Mutual Authentication
EMS: SIPS Require Client
Certificate
[SIPSRequireClientCertificate]
Web/EMS: Peer Host Name
Verification Mode
[PeerHostNameVerificationMode]
SIP User's Manual
Table A-23: TLS Parameters
Determines the supported versions of SSL/TLS (Secure Socket
Layer/Transport Layer Security.

[0] SSL 2.0-3.0 and TLS 1.0 = SSL 2.0, SSL 3.0, and TLS
1.0 are supported (default).

[1] TLS 1.0 Only = only TLS 1.0 is used.
When set to 0, SSL/TLS handshakes always start with SSL 2.0
and switch to TLS 1.0 if both peers support it. When set to 1,
TLS 1.0 is the only version supported; clients attempting to
contact the device using SSL 2.0 are rejected.
Note: For this parameter to take effect, a device reset is
required.
Defines the time interval (in minutes) between TLS Re-
Handshakes initiated by the device.
The interval range is 0 to 1,500 minutes. The default is 0 (i.e.,
no TLS Re-Handshake).
Determines the device's behavior when acting as a server for
TLS connections.

[0] Disable = The device does not request the client
certificate (default).

[1] Enable = The device requires receipt and verification of
the client certificate to establish the TLS connection.
Notes:

For this parameter to take effect, a device reset is required.

The SIPS certificate files can be changed using the
parameters HTTPSCertFileName and
HTTPSRootFileName.
Determines whether the device verifies the Subject Name of a
remote certificate when establishing TLS connections.

[0] Disable = Disable (default).

[1] Server Only = Verify Subject Name only when acting as
a server for the TLS connection.

[2] Server & Client = Verify Subject Name when acting as a
server or client for the TLS connection.
When a remote certificate is received and this parameter is not
disabled, the value of SubjectAltName is compared with the list
of available Proxies. If a match is found for any of the
configured Proxies, the TLS connection is established.
The comparison is performed if the SubjectAltName is either a
DNS name (DNSName) or an IP address. If no match is found
and the SubjectAltName is marked as 'critical', the TLS
connection is not established. If DNSName is used, the
certificate can also use wildcards ('*') to replace parts of the
domain name.
If the SubjectAltName is not marked as 'critical' and there is no
match, the CN value of the SubjectName field is compared with
the parameter TLSRemoteSubjectName. If a match is found,
the connection is established. Otherwise, the connection is
580
Description
Document #: LTRT-89712
Mediant 3000