Dialogic 05-2239-009 IP Phone User Manual


 
299
Dialogic Corporation
Configuring Diffie-Hellman (D-H) Key Exchange Parameters
In order to perform a Diffie-Hellman (D-H) key exchange the server must use a D-H group (D-H
parameters) and generate a D-H key. As TLS server, Global Call always generates a new D-H key
during the negotiation. dh_param_512_filename should points to a PEM-format file that contains
D-H parameters with 512-bit key, and dh_param_1024_filename should points to a PEM-format
file that contains D-H parameters with 1024-bit key. If the application does not provide D-H
parameters, Global Call uses the pre-built default D-H parameters for D-H key exchange ciphers.
Note that the non-ephemeral D-H modes are currently unimplemented in OpenSSL because there
is no support for D-H certificates.
Configuring Server Session Caching
An application may optionally enable server session caching by setting session_id string. If the
string is set, Global Call enables session caching on server side and supplies a session identifier to
the client during handshake. During a new handshake, if session_id in ClientHello is non-empty,
Global Call looks up the session cache for a match and resumes a session if possible. Server session
cache terminates when Global Call closes. The session timeout is not configurable and is set at 300
seconds.
The default value of session_id is NULL, and in this case the server returns an empty session_id to
indicate that the session will not be cached and therefore cannot be resumed.
Note that client session caching is not supported in Global Call because Global Call already
supports client connection persistency (see Section 4.24.2.3, “Configuring TCP/TLS Persistence in
IP_VIRTBOARD”, on page 302) so that multiple calls can share the same TLS connection
whenever possible. Server session caching may provide a benefit to remote UA which does not
support client connection persistency and wishes to re-establish TLS connection every time and
resume TLS session if possible.
Setting the Mutual Authentication Option
The E_client_cert_required field determines whether or not the Dialogic
®
Global Call API library
will require the client to present its certificate for mutual authentication during a TLS handshake
when the library is acting as TLS server. If the client fails to present its certificate or if the
certificate verification fails, the TLS handshake will fail. Mutual authentication is only required if
the application sets this field to the value ENUM_Enabled; the default value is ENUM_Disable.
Setting the Insecure Port Blocking Options
To prevent downgrade attack, Global Call allows applications to optionally block the local UDP
and/or TCP ports by configuring the block_udp_port and block_tcp_port fields in
SIP_TLS_ENGINE. When either port is blocked, both send and receive on that port are disabled
and the application may not make calls or receive calls on that port. If both the UDP and TCP ports
are blocked, only the TLS port (the default TLS port is 5061) can be used as the secure port for
sending and receiving SIP messages.