In 4.2, it is possible to use TLS for connections through a sipXbridge gateway.  This provides encryption and authentication for the external connection between sipXecs and other systems which support TLS.  It is also possible to assign permissions to remote TLS peers, so that users of those systems can access internal resources which require permissions.

Export sipXecs Certificate Authority

...

If the remote system's CA certificate is not installed, then a TLS connection will not be established and calls will be rejected with a failure response indicating the low-level problem (e.g. "503 ValidatorException: unable to find valid certification path to requested target").

If the remote certificate identity (from the SubjAltName field) does not match the remote system's address, then a TLS connection will not be established and calls will be rejected with reason 5xx "Certificate identity does not match requested domain". In this case, an alarm will be raised stating "The configuration requires the identity '<expected remote identity>', but the remote certificate contains only the following identities: <list of identities in the certificate>". sipXecs requires that remote systems support draft-ietf-sip-domain-certs-04.txt, which recommends that the SIP domain identity be conveyed as a SubjAltName extension of type uniformResourceIdentifier, and that this identity must match the domain to which the request is being sent.
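The identity check described above, as an added example (not sipXecs or sipXbridge code): it takes the SubjAltName entries already extracted from a peer certificate as (type, value) pairs, looks for a sip:/sips: URI whose host matches the configured remote domain, and on failure produces the alarm text quoted above. The `accept_dns_names` option is an assumption covering the draft's dNSName fallback, which this page does not mention; the SAN contents are constructed, not taken from real certificates.

```python
# Added example, not sipXecs code: the SubjAltName identity check for a TLS peer.

SIP_SCHEMES = ("sip:", "sips:")


def sip_uri_host(uri):
    """Return the lower-cased host part of a sip:/sips: URI, or None for any
    other scheme. Userinfo, port and URI parameters are dropped; bracketed
    IPv6 literals are returned as-is."""
    lowered = uri.strip().lower()
    for scheme in SIP_SCHEMES:
        if lowered.startswith(scheme):
            rest = lowered[len(scheme):]
            break
    else:
        return None
    rest = rest.split("@")[-1]                 # drop user@
    rest = rest.split(";")[0].split("?")[0]    # drop ;params and ?headers
    if ":" in rest and not rest.startswith("["):
        rest = rest.split(":")[0]              # drop :port
    return rest or None


def check_peer_identity(expected_domain, san_entries, accept_dns_names=False):
    """Return (ok, detail). Identities come from uniformResourceIdentifier SAN
    entries with a sip/sips scheme; dNSName entries count only when
    accept_dns_names is set (assumed draft fallback, not sipXecs behaviour)."""
    expected = expected_domain.strip().lower()
    identities = []
    for san_type, value in san_entries:
        if san_type == "uniformResourceIdentifier":
            host = sip_uri_host(value)
            if host:
                identities.append(host)
        elif san_type == "dNSName" and accept_dns_names:
            identities.append(value.strip().lower())
    if expected in identities:
        return True, "certificate asserts SIP domain '%s'" % expected
    return False, ("The configuration requires the identity '%s', but the remote "
                   "certificate contains only the following identities: %s"
                   % (expected_domain, ", ".join(identities) or "(none)"))


# Constructed SAN contents for two hypothetical peers.
GOOD_PEER_SAN = [("uniformResourceIdentifier", "sip:pbx.example.net"),
                 ("dNSName", "pbx.example.net")]
BAD_PEER_SAN = [("dNSName", "pbx.example.net"),            # no sip: URI at all
                ("uniformResourceIdentifier", "https://pbx.example.net")]

if __name__ == "__main__":
    for name, san in (("good", GOOD_PEER_SAN), ("bad", BAD_PEER_SAN)):
        ok, detail = check_peer_identity("pbx.example.net", san)
        print(name, "OK" if ok else "REJECT", detail)
```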