Inspecting SIP over SSL/TLS (secure SIP)
Some SIP phones and SIP servers can communicate using SSL or TLS to encrypt the SIP signalling traffic. To allow SIP over SSL/TLS calls to pass through the FortiGate unit, the encrypted signalling traffic has to be decrypted and inspected. To do this, the FortiGate SIP ALG intercepts the SIP packets, decrypts them, and inspects them. The packets are then re-encrypted and forwarded to their destination.
Normally SIP over SSL/TLS uses port 5061. You can use the following command to change the port that the FortiGate listens on for SIP over SSL/TLS sessions to port 5066:
config system settings
    set sip-ssl-port 5066
end
The SIP ALG supports full mode SSL/TLS only. Traffic between SIP phones and the FortiGate unit and between the FortiGate unit and the SIP server is always encrypted.
You enable SSL/TLS SIP communication by enabling SSL mode in a VoIP profile. You also need to install the SIP server and client certificates on your FortiGate unit and add them to the SSL configuration in the VoIP profile.
SIP over SSL/TLS between a SIP phone and a SIP server (the message sequence shown in the original figure):
1. A TCP session is established between the SIP phone and the SIP server (TCP SYN, TCP SYN ACK, TCP ACK).
2. An SSL/TLS session is established between the SIP phone and the FortiGate unit (TLS ClientHello, TLS handshake messages, TLS Finished).
3. The SIP phone sends a secure REGISTER message to the FortiGate unit.
4. An SSL/TLS session is established between the FortiGate unit and the SIP server (TLS ClientHello, TLS handshake messages, TLS Finished).
5. The FortiGate unit decrypts the REGISTER message, inspects it, re-encrypts it, and forwards it to the SIP server.
6. The SIP server sends a secure 200 OK response to the SIP phone.
7. The FortiGate unit decrypts the 200 OK response, inspects it, re-encrypts it, and forwards it to the phone.
Other than enabling SSL mode and making sure the security policies accept the encrypted traffic, the FortiGate configuration for SSL/TLS SIP is the same as any SIP configuration. SIP over SSL/TLS works with all of the SIP configurations that the SIP ALG supports.
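The sequence above ends with the ALG inspecting a decrypted REGISTER and the 200 OK that answers it. The following is an added illustration (not FortiGate code) of what that plaintext looks like once the TLS leg is terminated, and of a minimal request/response pairing check; the two SIP messages are constructed samples, and the checks are this example's own stand-in for the ALG's inspection, not a description of what FortiOS actually verifies.

```python
"""Parse the plaintext SIP that an inspecting ALG sees after it decrypts a
SIP-over-TLS leg, and correlate a REGISTER with the 200 OK that answers it.

Added illustration, not FortiGate code. The two messages are constructed
samples, and the checks are a minimal stand-in for the inspection the SIP
ALG performs on the decrypted payload before re-encrypting it.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class SipMessage:
    start_line: str
    headers: Dict[str, str] = field(default_factory=dict)
    body: bytes = b""

    @property
    def is_request(self) -> bool:
        # Responses start with the protocol version; requests start with a method.
        return not self.start_line.startswith("SIP/2.0")

    @property
    def method(self) -> str:
        # For a response the method lives in the CSeq header ("1 REGISTER").
        if self.is_request:
            return self.start_line.split(" ", 1)[0]
        return self.headers.get("cseq", "").split(" ")[-1]

    @property
    def status_code(self) -> Optional[int]:
        return None if self.is_request else int(self.start_line.split(" ")[1])


def parse_sip(raw: bytes) -> SipMessage:
    """Split one SIP message into start line, headers and body.

    Header names are case-insensitive, so they are lower-cased. A message
    whose Content-Length disagrees with the actual body is rejected: that is
    the kind of framing error an inspecting ALG must refuse to forward.
    """
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no CRLF CRLF separator between headers and body")
    lines = head.decode("utf-8").split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon:
            raise ValueError(f"malformed header line: {line!r}")
        headers[name.strip().lower()] = value.strip()
    declared = int(headers.get("content-length", "0"))
    if declared != len(body):
        raise ValueError(f"Content-Length {declared} but body is {len(body)} bytes")
    return SipMessage(lines[0], headers, body)


def correlate(request: SipMessage, response: SipMessage) -> List[str]:
    """Return why a response does not belong to a request; [] means it does.

    A SIP response copies the request's Via, From, Call-ID and CSeq headers
    unchanged (only To gains a tag), so those four must match exactly.
    """
    if not request.is_request or response.is_request:
        return ["expected a request followed by a response"]
    return [f"{name} mismatch"
            for name in ("via", "from", "call-id", "cseq")
            if request.headers.get(name) != response.headers.get(name)]


# Constructed sample: what the ALG sees on the phone-side leg after decryption.
REGISTER = (
    b"REGISTER sip:registrar.example.com SIP/2.0\r\n"
    b"Via: SIP/2.0/TLS 192.0.2.10:5061;branch=z9hG4bK776asdhds\r\n"
    b"Max-Forwards: 70\r\n"
    b"From: <sip:alice@example.com>;tag=1928301774\r\n"
    b"To: <sip:alice@example.com>\r\n"
    b"Call-ID: a84b4c76e66710@192.0.2.10\r\n"
    b"CSeq: 1 REGISTER\r\n"
    b"Contact: <sip:alice@192.0.2.10:5061;transport=tls>\r\n"
    b"Expires: 3600\r\n"
    b"Content-Length: 0\r\n\r\n"
)

# Constructed sample: the server's answer, seen on the server-side leg.
OK_200 = (
    b"SIP/2.0 200 OK\r\n"
    b"Via: SIP/2.0/TLS 192.0.2.10:5061;branch=z9hG4bK776asdhds\r\n"
    b"From: <sip:alice@example.com>;tag=1928301774\r\n"
    b"To: <sip:alice@example.com>;tag=37GkEhwl6\r\n"
    b"Call-ID: a84b4c76e66710@192.0.2.10\r\n"
    b"CSeq: 1 REGISTER\r\n"
    b"Contact: <sip:alice@192.0.2.10:5061;transport=tls>;expires=3600\r\n"
    b"Content-Length: 0\r\n\r\n"
)

# Constructed sample: a 200 OK for a different dialog, which must not be paired.
STRAY_OK = OK_200.replace(b"a84b4c76e66710", b"deadbeefcafe01")


def inspect_exchange(req_bytes: bytes, resp_bytes: bytes) -> dict:
    """Parse both sides of a REGISTER exchange and report the pairing result."""
    req, resp = parse_sip(req_bytes), parse_sip(resp_bytes)
    return {"method": req.method, "status": resp.status_code,
            "problems": correlate(req, resp)}


if __name__ == "__main__":
    print(inspect_exchange(REGISTER, OK_200))    # problems == []
    print(inspect_exchange(REGISTER, STRAY_OK))  # problems == ['call-id mismatch']
```

Only the four headers that a response must echo verbatim are compared; a real ALG also tracks Contact and Expires to build its pinhole state, which this illustration leaves out.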
Adding the SIP server and client certificates
A VoIP profile that supports SSL/TLS SIP requires one certificate for the SIP server and one certificate that is used by all of the clients. Use the following steps to add these certificates to the FortiGate unit. Before you start, make sure the client and server certificate files and their key files are accessible from the management computer.
1. Go to System > Certificates and select Import.
2. Set Type to Certificate.
3. Browse to the Certificate file and the Key file and select OK.
4. Enter a password for the certificate and select OK.
The certificate and key are uploaded to the FortiGate unit and added to the Local Certificates List.
5. Repeat to upload the other certificate.
The certificates are added to the list of Local Certificates under the filenames you uploaded. You can add comments to make it clear where each certificate is from and how it is intended to be used.
Adding SIP over SSL/TLS support to a VoIP profile
Use the following commands to add SIP over SSL/TLS support to the default VoIP profile. The following command enables SSL mode and adds the client and server certificates and passwords, the same ones you entered when you imported the certificates:
config voip profile
    edit default
        config sip
            set ssl-mode full
            set ssl-client-certificate "Client_cert"
            set ssl-server-certificate "Server_cert"
            set ssl-auth-client "check-server"
            set ssl-auth-server "check-server-group"
        end
    next
end
Other SSL mode options are also available:
ssl-send-empty-frags {disable | enable}
Enable to send empty fragments to avoid CBC IV attacks. Compatible with SSL 3.0 and TLS 1.0 only. Default is enable.
ssl-client-renegotiation {allow | deny | secure}
Control how the ALG responds when a client attempts to renegotiate the SSL session. You can allow renegotiation, or deny it to block sessions when the client attempts to renegotiate. You can also select secure to reject an SSL connection that does not support RFC 5746 secure renegotiation indication. Default is allow.
ssl-algorithm {high | low | medium}
Select the relative strength of the algorithms that can be selected. You can select high, the default, to allow only AES or 3DES; medium, to allow AES, 3DES, or RC4; or low, to allow AES, 3DES, RC4, or DES.
ssl-pfs {allow | deny | require}
Select whether to allow, deny, or require perfect forward secrecy (PFS). Default is allow.
ssl-min-version {ssl-3.0 | tls-1.0 | tls-1.1}
Select the minimum level of SSL support to allow. The default is ssl-3.0.
ssl-max-version {ssl-3.0 | tls-1.0 | tls-1.1}
Select the maximum level of SSL support to allow. The default is tls-1.1.
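Several of the options above default to their most permissive value (ssl-3.0 as the minimum version, allow for ssl-pfs and ssl-client-renegotiation), so a profile that only sets ssl-mode and the certificates still negotiates weak legs. The following is an added example, not FortiOS code: it parses a `config voip profile` dump in the CLI text form used in this section, fills in the documented defaults for anything left unset, and lists the SSL options that weaken the TLS legs the SIP ALG terminates. Which settings count as weak, and the assumption that ssl-mode is off unless set, are this script's own choices rather than FortiGate recommendations; the two profile dumps are constructed samples.

```python
"""Lint the SSL options in the `config sip` block of a FortiGate VoIP profile.

Added example, not FortiOS code. It reads the CLI text form shown in this
section, fills in the documented defaults for anything left unset, and flags
settings that weaken the two TLS legs the SIP ALG terminates. Which settings
count as weak (for example, treating the ssl-3.0 default as a finding) is
this script's own judgement, not a FortiGate recommendation.
"""
import shlex
from typing import Dict, List, Tuple

# Documented defaults from this section; ssl-mode off-by-default is an assumption.
DEFAULTS = {
    "ssl-mode": "disable",
    "ssl-send-empty-frags": "enable",
    "ssl-client-renegotiation": "allow",
    "ssl-algorithm": "high",
    "ssl-pfs": "allow",
    "ssl-min-version": "ssl-3.0",
    "ssl-max-version": "tls-1.1",
}
VERSIONS = ["ssl-3.0", "tls-1.0", "tls-1.1"]   # weakest to strongest offered here


def parse_cli(text: str) -> dict:
    """Parse FortiOS-style config/edit/set/next/end text into nested dicts."""
    root: dict = {}
    cur, stack = root, []
    for raw in text.splitlines():
        tokens = shlex.split(raw)          # handles the quoted certificate names
        if not tokens:
            continue
        kw = tokens[0]
        if kw in ("config", "edit"):
            stack.append(cur)
            cur = cur.setdefault(" ".join(tokens[1:]), {})
        elif kw == "set":
            cur[tokens[1]] = " ".join(tokens[2:])
        elif kw in ("next", "end"):
            cur = stack.pop()
        else:
            raise ValueError(f"unexpected CLI line: {raw!r}")
    if stack:
        raise ValueError("unbalanced config/edit blocks")
    return root


def lint_sip_ssl(sip: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (setting, reason) pairs for weak or inconsistent SSL options."""
    s = {**DEFAULTS, **sip}
    findings: List[Tuple[str, str]] = []
    if s["ssl-mode"] != "full":
        return [("ssl-mode", "not 'full'; encrypted SIP signalling is not inspected")]
    for key in ("ssl-client-certificate", "ssl-server-certificate"):
        if not s.get(key):
            findings.append((key, "not set; the ALG cannot terminate that TLS leg"))
    lo, hi = VERSIONS.index(s["ssl-min-version"]), VERSIONS.index(s["ssl-max-version"])
    if lo > hi:
        findings.append(("ssl-min-version", "higher than ssl-max-version; nothing can be negotiated"))
    elif lo < VERSIONS.index("tls-1.1"):
        findings.append(("ssl-min-version", f"{s['ssl-min-version']} permits handshakes below TLS 1.1"))
    if s["ssl-algorithm"] != "high":
        extra = " and DES" if s["ssl-algorithm"] == "low" else ""
        findings.append(("ssl-algorithm", f"{s['ssl-algorithm']} admits RC4{extra}"))
    if s["ssl-pfs"] != "require":
        findings.append(("ssl-pfs", f"{s['ssl-pfs']} lets a peer choose a non-PFS key exchange"))
    if s["ssl-client-renegotiation"] == "allow":
        findings.append(("ssl-client-renegotiation", "allow accepts renegotiation without RFC 5746"))
    if s["ssl-send-empty-frags"] != "enable":
        findings.append(("ssl-send-empty-frags", "disabled; CBC IV mitigation off for SSL 3.0/TLS 1.0"))
    return findings


# Constructed sample: SSL mode on, but the cipher and version options left weak.
WEAK_PROFILE = """
config voip profile
    edit "default"
        config sip
            set ssl-mode full
            set ssl-client-certificate "Client_cert"
            set ssl-server-certificate "Server_cert"
            set ssl-algorithm low
        end
    next
end
"""

# Constructed sample: the same profile with every SSL option tightened.
HARDENED_PROFILE = """
config voip profile
    edit "default"
        config sip
            set ssl-mode full
            set ssl-client-certificate "Client_cert"
            set ssl-server-certificate "Server_cert"
            set ssl-algorithm high
            set ssl-pfs require
            set ssl-client-renegotiation secure
            set ssl-min-version tls-1.1
            set ssl-max-version tls-1.1
            set ssl-send-empty-frags enable
        end
    next
end
"""


def lint_profile(text: str, name: str = "default") -> List[Tuple[str, str]]:
    """Parse a profile dump and lint its `config sip` block."""
    return lint_sip_ssl(parse_cli(text)["voip profile"][name]["sip"])


if __name__ == "__main__":
    for label, text in (("weak", WEAK_PROFILE), ("hardened", HARDENED_PROFILE)):
        print(label, lint_profile(text))
```

Run against a `show voip profile` dump, the weak sample produces four findings (ssl-min-version, ssl-algorithm, ssl-pfs, ssl-client-renegotiation) and the hardened sample none; the version ceiling is tls-1.1 only because that is the highest value this section's CLI offers.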