AudioCodes Mediant 3000 User Manual page 872

Media gateway & enterprise session border controller (e-sbc)

Parameter: (continued from the previous page)
Description:
Device acts as a server: The device requires the receipt and verification of the client certificate to establish the TLS connection.
Notes:
For the parameter to take effect, a device reset is required.
This feature can be configured per SIP Interface (see "Configuring SIP Interfaces" on page 337).
The SIPS certificate files can be changed using the parameters HTTPSCertFileName and HTTPSRootFileName.

Parameter: Peer Host Name Verification Mode [PeerHostNameVerificationMode]
Description:
Determines whether the device verifies the Subject Name of a remote certificate when establishing TLS connections.
[0] Disable (default).
[1] Server Only = Verify Subject Name only when acting as a client for the TLS connection.
[2] Server & Client = Verify Subject Name when acting as a server or client for the TLS connection.
When the device receives a remote certificate and the parameter is not disabled, the IP address from which the certificate is received is compared with the addresses defined for the Proxy Sets. If no Proxy Set with the source address is found, the connection is refused. Otherwise, the value of the SubjectAltName field in the certificate is compared with the addresses/DNS names of the classified Proxy Set. If a match is found for any of the configured Proxies, the TLS connection is established.
The comparison is performed if the SubjectAltName is either a DNS name (DNSName) or an IP address. If no match is found and the SubjectAltName is marked as 'critical', the TLS connection is not established. If DNSName is used, the certificate can also use wildcards ('*') to replace parts of the domain name.
If the SubjectAltName is not marked as 'critical' and there is no match, the CN value of the SubjectName field is compared with the parameter TLSRemoteSubjectName. If a match is found, the connection is established; otherwise, the connection is terminated.
Note: If you set the parameter to [2] (Server & Client), you must also set the SIPSRequireClientCertificate parameter to [1] (Enable) for this functionality to operate.

Parameter: TLS Client Verify Server Certificate [VerifyServerCertificate]
Description:
Determines whether the device, when acting as a client for TLS connections, verifies the server certificate. The certificate is verified with the Root CA information.
[0] Disable (default)
[1] Enable
Note: If Subject Name verification is necessary, the parameter PeerHostNameVerificationMode must be used as well.

Parameter: Strict Certificate Extension Validation [RequireStrictCert]
Description:
Enables the validation of the extensions (keyUsage and extendedKeyUsage) of peer certificates. This validation ensures that the signing CA is authorized to sign certificates and that the end-entity certificate is authorized to negotiate a secure TLS connection.
[0] Disable (default)
[1] Enable

Parameter: TLS Remote Subject Name
Description:
Defines the Subject Name that is compared with the name defined in the remote side certificate when establishing TLS connections.
If the SubjectAltName of the received certificate is not equal to any of the
Document #: LTRT-89730
Mediant 3000
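
The verification sequence described above for PeerHostNameVerificationMode, modelled as an added Python example (it is not AudioCodes code and does not come from the manual). The PeerCert class, the Proxy Set dictionaries with pre-resolved "ips", the single-label wildcard rule and the case-insensitive CN comparison are assumptions made for illustration.

```python
import re
from dataclasses import dataclass, field

DISABLE, SERVER_ONLY, SERVER_AND_CLIENT = 0, 1, 2  # PeerHostNameVerificationMode values

@dataclass
class PeerCert:  # hypothetical stand-in for a parsed remote certificate
    cn: str
    san: list = field(default_factory=list)  # DNSName or IP address entries
    san_critical: bool = False

def name_matches(cert_name, configured):
    # Assumption: '*' in a certificate DNSName replaces part of a single label.
    pattern = re.escape(cert_name.lower()).replace(r"\*", "[^.]*")
    return re.fullmatch(pattern, configured.lower()) is not None

def verify_peer(mode, device_is_client, src_ip, cert, proxy_sets, remote_subject_name):
    """Return (accepted, reason) for one TLS connection attempt."""
    if mode == DISABLE or (mode == SERVER_ONLY and not device_is_client):
        return True, "subject name not verified in this mode/role"
    # 1. Classify the connection by its source IP against the Proxy Sets.
    proxy_set = next((p for p in proxy_sets if src_ip in p["ips"]), None)
    if proxy_set is None:
        return False, "no Proxy Set with source address"
    # 2. Compare every SubjectAltName entry with every configured proxy address.
    if any(name_matches(s, h) for s in cert.san for h in proxy_set["hosts"]):
        return True, "SubjectAltName matched Proxy Set"
    # 3. A critical SubjectAltName that did not match ends the attempt.
    if cert.san and cert.san_critical:
        return False, "critical SubjectAltName mismatch"
    # 4. Otherwise fall back to CN versus TLSRemoteSubjectName.
    if remote_subject_name and cert.cn.lower() == remote_subject_name.lower():
        return True, "CN matched TLSRemoteSubjectName"
    return False, "no SubjectAltName or CN match"

# Constructed sample configuration (documentation addresses, not from the manual).
PROXY_SETS = [{"hosts": ["sip.example.com", "192.0.2.10"],
               "ips": {"192.0.2.10", "192.0.2.11"}}]

if __name__ == "__main__":
    cert = PeerCert(cn="sbc-peer", san=["other.example.net"])
    for critical in (True, False):
        cert.san_critical = critical
        print(critical, verify_peer(SERVER_AND_CLIENT, False, "192.0.2.10",
                                    cert, PROXY_SETS, "sbc-peer"))
```

In this model, a certificate whose non-critical SubjectAltName matches no proxy is still accepted when its CN equals TLSRemoteSubjectName, while the same certificate with a critical SubjectAltName is rejected.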
