TLS Examples - Dialogic DMG1000 User Manual

Dialogic 1000 and 2000 media gateway series

number other than the default, specify the number. The Media Gateway will then communicate
this number to peers via URI.
TLS Cipher List - The cipher list is not a configurable parameter. The Media Gateway
supports a list of 6 ciphers, and this list cannot be changed. Valid OpenSSL ciphers can be found at:
http://www.openssl.org/docs/apps/ciphers.html
A default cipher list must be specified for TLS to work. The Media Gateway uses the default:
ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH.
SSL TLS Protocol - This parameter specifies the SSL record type to be used with the TLS
connections and can be set to use SSLv3 and/or TLSv1.
Mutual Authentication Required - This parameter should be
set to 'Yes' if the user wants the Media Gateway to authenticate the VoIP endpoint that it is
communicating with when the VoIP endpoint initiates a SIP session. Otherwise, this parameter
can be set to 'No'.
TLS Inactivity Timer - This determines when to close a TLS port. Any number from 10
to 60000 milliseconds is valid.
SIPS URI Scheme Enabled - Selects the URI scheme, SIP or SIPS, that the Media Gateway
will use for outgoing SIP call-requests. This may be limited by the capability of the other party
that the Media Gateway communicates with. The Media Gateway accepts both SIP and SIPS
URI schemes.
Verify TLS Peer Certificate Date - This indicates whether or not the certificate date is
verified. If enabled, the peer certificate date is checked to detect whether the peer certificate
has expired. If it has, the call request will be rejected. Enable this feature if you want to
detect expired certificates. Otherwise, keep it disabled. This feature will work correctly only
if an SNTP server is available.
Verify TLS Peer Certificate Trust - This indicates whether or not a certificate trust is verified.
A certificate trust is the identity that signs the certificates. If the Media Gateway only accepts
certificates signed by certain CAs, then the Media Gateway compares the trust on a certificate
to its trust list. If the trust is found in the list, then the verification will pass. Enable this feature
to increase security. However, if the other party that the Media Gateway communicates with is
not capable of generating a trust, this feature must be disabled to avoid verification failure. You
may also leave this feature disabled if encrypting data is sufficient.
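The default cipher string quoted under TLS Cipher List can be expanded with a local OpenSSL build to see what such a string admits, for instance when reviewing a peer configured with the same string. This is an added example, not part of the manual: the output depends on the local OpenSSL version and is not the gateway's own fixed list of 6 ciphers, and `STRICTER`, `expand` and `audit` are names assumed here.

```python
import ssl

# Default cipher string quoted in the manual text above.
GATEWAY_DEFAULT = "ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH"
# Comparison string (assumption, not from the manual): aNULL covers ADH and AECDH.
STRICTER = "ALL:!aNULL:!LOW:!EXP:!MD5:@STRENGTH"


def expand(cipher_string):
    """Return the suites the local OpenSSL build selects for cipher_string."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    return ctx.get_ciphers()


def audit(suites):
    """Group suite names by the property a reviewer would question."""
    report = {"anonymous": [], "static_rsa_kx": [], "legacy_cipher": []}
    for suite in suites:
        name = suite["name"]
        if suite.get("protocol") == "TLSv1.3":
            continue  # TLS 1.3 suites are configured separately from this string
        if suite.get("auth") == "auth-null":
            report["anonymous"].append(name)  # no certificate authentication
        if suite.get("kea") == "kx-rsa":
            report["static_rsa_kx"].append(name)  # no forward secrecy
        if "RC4" in name or "DES" in name:
            report["legacy_cipher"].append(name)  # RC4, DES or 3DES
    return report


if __name__ == "__main__":
    print("Local OpenSSL build:", ssl.OPENSSL_VERSION)
    for label, string in (("manual default", GATEWAY_DEFAULT),
                          ("with !aNULL", STRICTER)):
        suites = expand(string)
        print(f"{label}: {len(suites)} suites")
        for bucket, names in audit(suites).items():
            print(f"  {bucket}: {', '.join(names) or 'none'}")
```

In OpenSSL's cipher-string syntax `ADH` matches only anonymous DH suites, so any anonymous ECDH suites the local build still carries appear in the `anonymous` bucket for the manual's string and disappear with `!aNULL`.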
7.3.3 TLS Examples

The following examples show how the Media Gateway should be configured for using TLS.
Example 1:
Assume the Media Gateway is talking to an IP phone that requires TLS and supports SIPS URI.
The Media Gateway can be configured as follows:
SNTP Server IP Address: Leave blank
TLS Inactivity Timer: Use default value
TLS Server port: Use default value
SIPS URI Scheme Enable: Yes
Cipher List: Use default value
Dialogic® 1000 and 2000 Media Gateway Series User's Guide — September 2007
Dialogic Corporation
Data Security
175
