From e8380afc8a147ee299c3881423b2e0b27c4cfc0d Mon Sep 17 00:00:00 2001
From: Joshua Colp
Date: Thu, 20 Sep 2012 18:27:28 +0000
Subject: Add support for DTLS-SRTP to res_rtp_asterisk and chan_sip.

As mentioned on the review for this, WebRTC has moved towards choosing DTLS-SRTP as the mechanism for key exchange for SRTP. This commit adds support for this but makes it available for normal SIP clients as well. Testing has been done to ensure that this introduces no regressions with existing behavior and also that it functions as expected.

Review: https://reviewboard.asterisk.org/r/2113/
........

Merged revisions 373229 from http://svn.asterisk.org/svn/asterisk/branches/11

git-svn-id: https://origsvn.digium.com/svn/asterisk/trunk@373234 65c4cc65-6c06-0410-ace0-fbb531ad65f3
---
 configs/sip.conf.sample | 32 ++++++++++++++++++++++++++++++++
 1 file changed, 32 insertions(+)
 (limited to 'configs')

diff --git a/configs/sip.conf.sample b/configs/sip.conf.sample
index 81ca998d5..6c3df58b3 100644
--- a/configs/sip.conf.sample
+++ b/configs/sip.conf.sample
@@ -1240,6 +1240,38 @@ srvlookup=yes ; Enable DNS SRV lookups on outbound calls
 ; maxforwards
 ; encryption
 ; description ; Used to provide a description of the peer in console output
+; dtlsenable
+; dtlsverify
+; dtlsrekey
+; dtlscertfile
+; dtlsprivatekey
+; dtlscipher
+; dtlscafile
+; dtlscapath
+; dtlssetup
+;
+
+;------------------------------------------------------------------------------
+; DTLS-SRTP CONFIGURATION
+;
+; DTLS-SRTP support is available if the underlying RTP engine in use supports it.
+;
+; dtlsenable = yes ; Enable or disable DTLS-SRTP support
+; dtlsverify = yes ; Verify that the provided peer certificate is valid
+; dtlsrekey = 60 ; Interval at which to renegotiate the TLS session and rekey the SRTP session
+; ; If this is not set or the value provided is 0 rekeying will be disabled
+; dtlscertfile = file ; Path to certificate file to present
+; dtlsprivatekey = file ; Path to private key for certificate file
+; dtlscipher = ; Cipher to use for TLS negotiation
+; ; A list of valid SSL cipher strings can be found at:
+; ; http://www.openssl.org/docs/apps/ciphers.html#CIPHER_STRINGS
+; dtlscafile = file ; Path to certificate authority certificate
+; dtlscapath = path ; Path to a directory containing certificate authority certificates
+; dtlssetup = actpass ; Whether we are willing to accept connections, connect to the other party, or both.
+; ; Valid options are active (we want to connect to the other party), passive (we want to
+; ; accept connections only), and actpass (we will do both). This value will be used in
+; ; the outgoing SDP when offering and for incoming SDP offers when the remote party sends
+; ; actpass
 ;[sip_proxy]
 ; For incoming calls only. Example: FWD (Free World Dialup)
--
cgit v1.2.3
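Review bot: The `dtlsverify = yes` line says the peer certificate is checked to be "valid" without saying against what, and none of the nine new options states its default, so an operator reading this sample cannot tell whether a WebRTC endpoint presenting a self-signed certificate will be accepted, or whether media keys are exposed to an active attacker on the DTLS handshake when `dtlsverify` is simply omitted. I would make the check explicit and name the consequence, e.g. `; dtlsverify = yes ; Verify the peer certificate (presumably against dtlscafile/dtlscapath and/or the SDP a=fingerprint — confirm which); with verification off an active attacker can complete the DTLS handshake and obtain the SRTP keys`, and add the default for every option in this block. `dtlsrekey = 60` gives no unit for the interval — add `(seconds)` if that is what the RTP engine expects. `dtlscipher =` offers no guidance either: state what an empty value falls back to (the library default cipher list, if that is the behaviour) and add a note on `dtlsprivatekey` that the key file should be readable only by the user Asterisk runs as.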