Aastra Telecom 41-001343-02 IP Phone User Manual
Advanced Operational Features
41-001343-02 REV04 – 05.2014 6-17
TLS is composed of two layers: the TLS Record Protocol and the TLS Handshake Protocol. The TLS Record Protocol provides connection security using an encryption method such as the Data Encryption Standard (DES). The TLS Handshake Protocol allows the server and client to authenticate each other and to negotiate an encryption algorithm and cryptographic keys before data is exchanged. TLS requires the following security certificate files to perform the TLS handshake:
Root and Intermediate Certificates
Local Certificate
Private Key
Trusted Certificate
When the phones use TLS to authenticate with the server, each individual call must set up a new TLS connection, which adds time to the placing of every call. The IP phones therefore also offer a feature that sets up the connection to the server once and re-uses that one connection for all calls from the phone. It is called Persistent TLS. The Persistent TLS connection is established during the registration of the phone. If the phones are set to use Persistent TLS, the first call made from the phone and all subsequent calls use the same authenticated connection. This significantly reduces the delay when placing a call.
On the IP phones, an Administrator can configure TLS and Persistent TLS on a global basis only, using the configuration files or the Aastra Web UI.
There is a keep-alive feature for persistent TLS connections only. Administrators can configure this keep-alive feature using the parameter called “sip persistent tls keep alive”. When this feature is configured, the phone sends keep-alive pings to the proxy server at the configured intervals. The keep-alive feature for persistent TLS connections performs the following functions:
After a persistent TLS connection is established or re-established, the keep-alive is activated and sends a CRLF to the peer periodically.
The phone retries the connection automatically when a persistent TLS connection is down.
When a persistent TLS connection is re-established (primary is up, or primary is down and backup is up), the registration of the accounts associated with the connection is refreshed.
When the persistent TLS connection to the primary is down, the phone switches to the backup if the connection to the backup is working.
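The four keep-alive rules above describe a small state machine: one persistent connection per phone, CRLF pings while it is up, automatic retry when it is down, registration refresh on every (re)establishment, and failover from primary to backup. The following model, added here as an illustration and not Aastra firmware code, walks through that behaviour. The proxy host names, the `reachable` table standing in for the phone's view of proxy health, and the method names are all assumptions made for the example; the phone's real keep-alive interval and configuration syntax are not reproduced.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Keep-alive payload: the manual states the phone sends a CRLF to the peer.
KEEP_ALIVE = b"\r\n"


@dataclass
class PersistentTlsModel:
    """Model of one phone's single persistent TLS connection (constructed example)."""
    primary: str                      # primary proxy (hypothetical host name)
    backup: Optional[str]             # backup proxy, or None if none is configured
    accounts: List[str]               # SIP accounts bound to this connection
    reachable: Dict[str, bool] = field(default_factory=dict)  # constructed proxy health view
    active: Optional[str] = None      # proxy the persistent connection currently goes to
    registered: List[str] = field(default_factory=list)       # accounts with a fresh registration
    log: List[str] = field(default_factory=list)

    def _establish(self, peer: str) -> bool:
        """Try to (re)establish the connection; on success refresh the registrations."""
        if not self.reachable.get(peer, False):
            self.log.append(f"connect to {peer} failed")
            return False
        self.active = peer
        # Rule 3: every (re)establishment refreshes the accounts on this connection.
        self.registered = list(self.accounts)
        self.log.append(f"connected to {peer}; {len(self.registered)} registration(s) refreshed")
        return True

    def _connect_any(self) -> bool:
        """Rule 4: try the primary first, then the backup."""
        for peer in (self.primary, self.backup):
            if peer and self._establish(peer):
                return True
        return False

    def start(self) -> bool:
        """Set up the persistent connection as part of phone registration."""
        return self._connect_any()

    def tick(self) -> bytes:
        """One keep-alive interval. Returns what goes on the wire: the CRLF ping
        while the connection is up (rule 1), nothing while retrying (rule 2)."""
        if self.active and self.reachable.get(self.active, False):
            return KEEP_ALIVE
        # Connection is down: registrations over it are stale, drop them and retry.
        self.active = None
        self.registered = []
        self._connect_any()
        return b""


def demo() -> List[str]:
    """Walk-through: primary up, primary fails, failover to backup. Returns the event log."""
    m = PersistentTlsModel("proxy1.example.invalid", "proxy2.example.invalid", ["1001", "1002"],
                           reachable={"proxy1.example.invalid": True, "proxy2.example.invalid": True})
    m.start()                                   # established during registration
    m.tick()                                    # sends CRLF, nothing to log
    m.reachable["proxy1.example.invalid"] = False
    m.tick()                                    # primary down: retry, fail over to backup
    return m.log


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The model deliberately does not fail back to the primary once it recovers, because the manual does not state that behaviour; treat the `registered` list as the thing to watch when reasoning about call availability after a failover, since a connection that has not been re-established carries no valid registrations.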
Additionally, the “sip send sips over tls” parameter allows administrators to manually configure the IP phones to use either the SIP or SIPS URI scheme when TLS or persistent TLS is enabled. Disabling the “sip send sips over tls” parameter (i.e. defining the parameter as “0” in the configuration files) ensures the IP phones use the SIP URI scheme when TLS or persistent TLS is enabled. Enabling the parameter (i.e. defining the parameter as “1”) ensures the phones use the SIPS URI scheme in such scenarios. The SIPS URI scheme is used by default.
Notes:
There can be only one persistent TLS connection created per phone.
If you configure the phone to use Persistent TLS, you must also specify the Trusted Certificate file to use. The Root and Intermediate Certificates, Local Certificate, and Private Key files are optional.