HP-UX C SIP Stack Programmer's Guide (November 2007)

Working with the Transport Layer 313
SIP Stack and TLS
Phase 1: TCP connection establishment—as stated above, TLS uses TCP as its underlying transport protocol. Therefore, a TLS handshake can start only after a TCP connection has reached the CONNECTED state.

Phase 2: TLS handshake—the basic TLS handshake consists of several messages exchanged over TCP between client and server, in which the client retrieves the server's certificate, verifies it, negotiates an encryption key and algorithm for the session, and both parties make sure that the security of the handshake has not been compromised. For more information on the TLS handshake, see RFC 2246 and RFC 3546.

Phase 3: Post-connection assertion—in this phase, the client makes sure that the certificate handed to it by the server does indeed belong to that server. This step prevents the situation in which a server named malise.com presents a valid certificate that was issued to someonelse.com.

After these phases have been completed, encrypted messages can be transmitted on the connection in a secure manner.
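The three phases above, as an added Python example that is not part of this guide and does not use the SIP Stack's own C API: Python's ssl module stands in for the stack's OpenSSL calls, port 5061 is the sips: default, and SAMPLE_CERT is a constructed certificate dictionary in the shape returned by getpeercert(). The point it makes is phase 3: a certificate that is perfectly valid for someonelse.com must still be rejected when the peer was addressed as malise.com.

```python
import socket
import ssl

# Constructed sample in the shape returned by ssl.SSLSocket.getpeercert():
# a certificate issued to someonelse.com (and its direct subdomains).
SAMPLE_CERT = {
    "subject": ((("commonName", "someonelse.com"),),),
    "subjectAltName": (("DNS", "someonelse.com"), ("DNS", "*.someonelse.com")),
}


def _label_match(pattern, host):
    """Match one certificate name against a host; '*' may only be a whole left-most label."""
    if "*" not in pattern:
        return pattern == host
    p, h = pattern.split("."), host.split(".")
    # conservative: the wildcard covers exactly one label and at least two labels follow it
    return p[0] == "*" and len(p) == len(h) and len(p) >= 3 and p[1:] == h[1:]


def cert_matches_host(cert, hostname):
    """Phase 3: does the presented certificate actually belong to hostname?

    dNSName entries in subjectAltName are authoritative; the subject CN is
    consulted only when the certificate carries no dNSName at all.
    """
    host = hostname.lower().rstrip(".")
    names = [v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:
        names = [v.lower() for rdn in cert.get("subject", ())
                 for k, v in rdn if k == "commonName"]
    return any(_label_match(n, host) for n in names)


def sips_connect(host, port=5061, cafile=None, timeout=5.0):
    """Open a next-hop TLS connection for a sips: URI, running all three phases."""
    ctx = ssl.create_default_context(cafile=cafile)   # CERT_REQUIRED, hostname check on
    raw = socket.create_connection((host, port), timeout=timeout)  # phase 1: TCP CONNECTED
    tls = ctx.wrap_socket(raw, server_hostname=host)               # phase 2: TLS handshake
    # phase 3 made explicit (the default context already enforces it during phase 2)
    if not cert_matches_host(tls.getpeercert(), host):
        tls.close()
        raise ssl.CertificateError("certificate presented by %s is not issued to it" % host)
    return tls


if __name__ == "__main__":
    print(cert_matches_host(SAMPLE_CERT, "sip.someonelse.com"))  # True
    print(cert_matches_host(SAMPLE_CERT, "malise.com"))          # False
```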
TLS AND SIP
RFC 3261 defines the use of TLS as a transport mechanism by means of the "sips:" scheme. When the "sips:" scheme is used in a URI—or in any other header that indicates the next hop of a message, such as Route, Via, and so on—RFC 3261 mandates that the transport be TLS. (For this reason, TLS does not guarantee secure delivery end-to-end, but only to the next hop.)
SIP STACK AND TLS
The SIP Stack uses an open source library called "openSSL" that provides TLS and encryption services. For more information about openSSL, see the openSSL project website at http://www.openssl.org.
To compile the SIP Stack with TLS, use the RV_TLS_ON compilation flag. (When compiling on UNIX systems, you can use the tls=on command-line parameter instead.)
TLS STACK OBJECTS
The TLS layer uses TLS engine objects and TLS connection objects to allow sending messages over the TLS transport.