Use the TLS Profile to configure a profile for implementing the TLS protocol for SIP over TLS. The TLS profile is associated with a SIP Signaling Port.

The settings within the default TLS Profile may be modified. Also, the supported transport protocols must be set to allow SIP over TLS.

Command Syntax

% set profiles security tlsProfile <profile name>
    acceptableCertValidationErrors <invalidPurpose | none>
    allowedRoles <clientandserver | server>
    appAuthTimer <1-60 seconds>
    authClient <false | true>
    cipherSuite1 <cipher suite>
    cipherSuite2 <cipher suite>
    cipherSuite3 <cipher suite>
    clientCertName <name>
    handshakeTimer <1-60 seconds>
    ocspProfileName <name>
    serverCertName <name>
    sessionResumpTimer <0-86400 seconds>
    suppressEmptyFragments <disabled | enabled>
    v1_0 <disabled | enabled>
    v1_1 <disabled | enabled>
    v1_2 <disabled | enabled>

Command Parameters

The TLS Profile Parameters are as shown below:

Parameter (Length/Range): Description

tlsProfileName (1-23)
  Name assigned to this Transport Layer Security (TLS) profile.

acceptableCertValidationErrors (N/A)
  Use this parameter to specify whether certificate chain validation errors are acceptable while validating the peer certificate.
  • invalidPurpose
  • none (default)

allowedRoles (N/A)
  Allowed TLS roles for this TLS profile.
  • clientandserver (default) – Select both a TLS client and server role, depending on the request direction. This is primarily for peering applications.
  • server – The SBC will only be a TLS server. This is primarily for access applications.

appAuthTimer (1-60)
  The higher-layer authentication timer, in seconds (default = 5).

authClient (N/A)
  Indicates whether a TLS client is forced to authenticate itself within TLS. If set to false, the client is not required to authenticate itself at the TLS layer, but must complete authentication within a higher-level protocol after the TLS connection is established (that is, SIP registration).
  • false
  • true (default)

cipherSuite1 (N/A)
  Use this parameter to specify the first TLS Cipher Suite choice for this profile. See the Supported Cipher Suites table below for the list of cipher suites.

cipherSuite2 (N/A)
  Use this optional parameter to specify the second TLS Cipher Suite choice for this profile. See the Supported Cipher Suites table below for the list of cipher suites.

cipherSuite3 (N/A)
  Use this optional parameter to specify the third TLS Cipher Suite choice for this profile. See the Supported Cipher Suites table below for the list of cipher suites.

clientCertName (1-23)
  The name of the default Client Certificate to be used by this TLS profile, created using the SECURITY PKI configuration object.

handshakeTimer (1-60)
  The time (in seconds) within which the TLS handshake must be completed. The timer starts when the TCP connection is established (default = 5).

ocspProfileName (1-23)
  Name of the OCSP profile object referenced by this TLS profile.

serverCertName (1-23)
  Specifies the name of the Server Certificate to be used by this TLS profile, created using the SECURITY PKI configuration object.

sessionResumpTimer (0-86400)
  The TLS session resumption period (in seconds) for which cached sessions are retained. TLS allows successive connections to be created within one TLS session (and the resumption of a session after a TLS connection is closed or after a server card failover) without repeating the entire authentication and other setup steps for each connection, except when the space must be reclaimed for a new session (default = 3600).

suppressEmptyFragments (N/A)
  Enable this flag to prevent the SBC from inserting empty fragments when sending packets on a TLS over TCP connection, for interoperability with older TLS implementations.
  • disabled (default)
  • enabled

v1_0 (N/A)
  TLS protocol version 1.0 (see note below).
  • disabled
  • enabled (default)

v1_1 (N/A)
  TLS protocol version 1.1 (see note below).
  • disabled (default)
  • enabled

v1_2 (N/A)
  TLS protocol version 1.2 (see note below).
  • disabled (default)
  • enabled

Command Examples

show profiles security tlsProfile defaultTlsProfile
appAuthTimer       5;
handshakeTimer     5;
sessionResumpTimer 3600;
cipherSuite1       rsa-with-aes-128-cbc-sha;
allowedRoles       clientandserver;
v1_0               enabled;
v1_1               enabled;
v1_2               enabled;

set profiles security tlsProfile defaultTlsProfile ocspProfileName myOcspProfile
commit

show profiles security tlsProfile defaultTlsProfile
appAuthTimer       5;
handshakeTimer     5;
sessionResumpTimer 3600;
cipherSuite1       rsa-with-aes-128-cbc-sha;
allowedRoles       clientandserver;
ocspProfileName    myOcspProfile;
v1_0               enabled;
v1_1               enabled;
v1_2               enabled;

set profiles security tlsProfile TLS-1 v1_2 enabled
set profiles security tlsProfile TLS-1 cipherSuite1 tls_ecdh_ecdsa_with_aes_256_gcm_sha384
commit

show profiles security tlsProfile TLS-1
cipherSuite1 tls_ecdh_ecdsa_with_aes_256_gcm_sha384;
v1_2         enabled;
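The `show` output above uses a plain `parameter value;` line format, and the parameter table gives the defaults the SBC applies to parameters it does not print (notably v1_0 enabled). As an added example that is not part of this documentation or of the SBC's own tooling, the Python script below parses such output, applies the documented defaults, flags settings a reviewer would question (TLS 1.0/1.1 enabled, TLS 1.2 off, tolerated chain validation errors, non-AEAD cipher suites, client authentication deferred to SIP) and emits the matching `set` commands in this page's syntax. The sample output and profile names are copied from this page; the weak-setting rules are this example's assumptions, not SBC policy.

```python
# Defaults from this page's parameter table, applied to keys the SBC omits from `show`.
DEFAULTS = {"v1_0": "enabled", "v1_1": "disabled", "v1_2": "disabled",
            "authClient": "true", "acceptableCertValidationErrors": "none"}

# Constructed sample: the defaultTlsProfile `show` output from this page.
SAMPLE_SHOW_OUTPUT = """\
appAuthTimer       5;
handshakeTimer     5;
sessionResumpTimer 3600;
cipherSuite1       rsa-with-aes-128-cbc-sha;
allowedRoles       clientandserver;
v1_0               enabled;
v1_1               enabled;
v1_2               enabled;
"""

def parse_show_output(text):
    """Parse `parameter value;` lines into a dict, filling in documented defaults."""
    cfg = dict(DEFAULTS)
    for line in text.splitlines():
        parts = line.strip().rstrip(";").split()
        if len(parts) == 2:
            cfg[parts[0]] = parts[1]
    return cfg

def audit_tls_profile(name, show_text):
    """Return (findings, fix_commands) for the TLS profile called `name`."""
    cfg = parse_show_output(show_text)
    findings, fixes = [], []

    def fix(param, value, why):  # record a finding plus the remediating CLI line
        findings.append(f"{param}={cfg[param]}: {why}")
        fixes.append(f"set profiles security tlsProfile {name} {param} {value}")
    if cfg["v1_0"] == "enabled":
        fix("v1_0", "disabled", "TLS 1.0 is deprecated (RFC 8996)")
    if cfg["v1_1"] == "enabled":
        fix("v1_1", "disabled", "TLS 1.1 is deprecated (RFC 8996)")
    if cfg["v1_2"] != "enabled":
        fix("v1_2", "enabled", "no current protocol version is enabled")
    if cfg["acceptableCertValidationErrors"] != "none":
        fix("acceptableCertValidationErrors", "none", "chain validation errors tolerated")
    if cfg["authClient"] != "true":  # legitimate for access, but SIP-layer auth must follow
        findings.append("authClient=false: client certificate not required at TLS layer")
    for key in ("cipherSuite1", "cipherSuite2", "cipherSuite3"):
        suite = cfg.get(key, "")
        if suite and ("cbc" in suite or "gcm" not in suite):
            findings.append(f"{key}={suite}: non-AEAD cipher suite, prefer a GCM suite")
    if fixes:
        fixes.append("commit")
    return findings, fixes
```

Run against the defaultTlsProfile output it reports TLS 1.0/1.1 and the CBC suite, and prints the two `set` lines plus `commit` that would disable the old versions.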