Open Items
Below are items which HMP supports. For each item, it needs to be decided if we want to have similar support for the SR140.
- HMP supports a TLS engine for each virtual board in a system. Do we want one TLS engine for the entire system or one for each virtual SR140 module? The choice dictates whether all virtual SR140 modules in a system share the same TLS configuration or each module can have its own, and whether TLS is enabled or disabled for all virtual SR140 modules in a system at once or per module.
- HMP supports changing the default TLS port number (sip_tls_port). The default port number is 5061.
- HMP supports operation as a TLS server or TLS client.
- HMP supports a local RSA certificate/key (local_rsa_private_key_filename, local_rsa_cert_filename, local_rsa_private_key_password) or DSS certificate/key (local_dss_private_key_filename, local_dss_cert_filename, local_dss_private_key_password) when operating as a TLS server. Each virtual board on an HMP system can hold one of each type of certificate/key, and HMP presents the appropriate one to a remote UA depending on the cipher selected during the TLS handshake.
- HMP supports a single certificate chain per virtual board which is appended to both the RSA and DSS certificates. The certificate chain is configured with the number of certificates in the chain and the filename of each certificate in the chain (chain_cert_number, chain_cert_filename). The certificate chain is used if the local certificate is not issued by the root CA but is issued instead by an intermediate CA.
- HMP supports CA certificates (ca_cert_number, ca_cert_filename) when operating as a TLS client. The filenames contain the root CA certificates.
- HMP supports local certificates/keys and a certificate chain when operating as a TLS client which needs to support mutual authentication. In this case, the client needs to identify itself to the server.
- HMP supports certificate revocation lists (CRLs) (crl_number, crl_filename). The list is consulted when incoming certificates are examined, to decide whether a certificate has been revoked.
- HMP supports configuration of the local cipher suite (local_cipher_suite is a pointer to the formatted string itself rather than the name of the file that contains the string) that is used to negotiate encryption algorithms with the remote UA.
- HMP supports configuration of Diffie-Hellman (D-H) key exchange parameters. There is a 512-bit key parameter (dh_param_512_filename) and a 1024-bit key parameter (dh_param_1024_filename).
- HMP supports server session caching by setting session_id. During a new handshake, if session_id is non-empty the session cache is searched for a match and the session is resumed if possible. HMP does not support client session caching, since HMP already supports client connection persistence so that multiple calls can share the same TLS connection whenever possible.
- HMP supports mutual authentication. In this case, the TLS server may optionally require a client certificate for mutual authentication if client_cert_required is set to true from its default value of false.
- HMP supports blocking of local UDP and/or TCP ports by configuring block_udp_port and/or block_tcp_port. If both UDP and TCP ports are blocked, only the TLS port can be used as a secure port for sending and receiving SIP messages.
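The items above only make sense as a set: a server needs a local certificate/key, a counted file list (chain, CA, CRL) needs as many filenames as it declares, client_cert_required needs CA certificates to verify against, and a 512-bit D-H parameter or a cipher list that admits NULL/EXPORT suites weakens everything else. The lint below is an added example (not HMP or SR140 code) that checks such a parameter set for those inconsistencies; it uses the parameter names listed above, but the dict layout, the "role" key, the assumption that local_cipher_suite uses OpenSSL cipher-list syntax, and the sample filenames are this example's own.

```python
"""Consistency lint for an HMP-style SIP-over-TLS parameter set (added example).

Parameter names follow the HMP items above; the dict layout, the "role" key
and the rules are assumptions of this example, not HMP's own configuration
format or validation logic.
"""

DEFAULT_TLS_PORT = 5061

# Substrings of cipher-list tokens that select no/weak encryption or no
# authentication. OpenSSL cipher-list syntax is assumed for local_cipher_suite.
WEAK_CIPHER_MARKERS = ("NULL", "EXPORT", "ADH", "RC4")


def _counted_list(cfg, number_key, list_key):
    """Return (declared count, actual number of filenames) for a counted list."""
    return cfg.get(number_key, 0), len(cfg.get(list_key, []))


def _has_identity(cfg, kind):
    """True if both the certificate and the private key for `kind` (rsa/dss) are set."""
    return bool(cfg.get(f"local_{kind}_cert_filename")) and bool(
        cfg.get(f"local_{kind}_private_key_filename")
    )


def lint_tls_config(cfg):
    """Return a list of (severity, message) findings; severity is error, warning or info."""
    findings = []
    role = cfg.get("role", "server")  # assumed key: "server" or "client"
    has_identity = _has_identity(cfg, "rsa") or _has_identity(cfg, "dss")

    port = cfg.get("sip_tls_port", DEFAULT_TLS_PORT)
    if not 1 <= port <= 65535:
        findings.append(("error", f"sip_tls_port {port} is out of range"))

    # A TLS server must be able to present a certificate for the negotiated cipher.
    if role == "server" and not has_identity:
        findings.append(("error", "server has neither an RSA nor a DSS certificate/key pair"))

    # Counted file lists: the declared number must match the filenames given.
    for number_key, list_key in (
        ("chain_cert_number", "chain_cert_filename"),
        ("ca_cert_number", "ca_cert_filename"),
        ("crl_number", "crl_filename"),
    ):
        declared, actual = _counted_list(cfg, number_key, list_key)
        if declared != actual:
            findings.append(("error", f"{number_key}={declared} but {actual} {list_key} entries given"))

    # A chain is appended to the local certificate, so it needs one to exist.
    if _counted_list(cfg, "chain_cert_number", "chain_cert_filename")[1] and not has_identity:
        findings.append(("warning", "certificate chain configured without a local certificate"))

    # Without root CA certificates a peer certificate cannot be validated.
    ca_count = _counted_list(cfg, "ca_cert_number", "ca_cert_filename")[1]
    if role == "client" and ca_count == 0:
        findings.append(("error", "client has no CA certificates to validate the server against"))
    if cfg.get("client_cert_required") and ca_count == 0:
        findings.append(("error", "client_cert_required is true but no CA certificates are configured"))
    if role == "client" and not has_identity:
        findings.append(("info", "client has no local certificate; mutual authentication will fail"))

    # Cipher list: flag weak selections unless the token is an exclusion (! or -).
    for token in filter(None, cfg.get("local_cipher_suite", "").split(":")):
        if token[0] in "!-":
            continue
        if any(marker in token.upper() for marker in WEAK_CIPHER_MARKERS):
            findings.append(("warning", f"cipher list selects weak suite '{token}'"))

    if cfg.get("dh_param_512_filename"):
        findings.append(("warning", "512-bit Diffie-Hellman parameters are export-grade and breakable"))

    # HMP caches TLS sessions only on the server side.
    if role == "client" and cfg.get("session_id"):
        findings.append(("info", "session_id has no effect on a client (server-side caching only)"))

    if cfg.get("block_udp_port") and cfg.get("block_tcp_port"):
        findings.append(("info", f"UDP and TCP blocked: SIP is reachable only via TLS port {port}"))

    return findings


def is_clean(cfg):
    """True when the configuration has no error or warning findings."""
    return not any(sev in ("error", "warning") for sev, _ in lint_tls_config(cfg))


# Constructed sample configurations (filenames are placeholders, not real files).
WEAK_SERVER = {
    "role": "server", "sip_tls_port": 5061,
    "local_rsa_cert_filename": "server-cert.pem",
    "local_rsa_private_key_filename": "server-key.pem",
    "chain_cert_number": 2, "chain_cert_filename": ["intermediate.pem"],
    "client_cert_required": True,            # but no CA certificates below
    "local_cipher_suite": "ALL:NULL:EXPORT",
    "dh_param_512_filename": "dh512.pem",
    "block_udp_port": True, "block_tcp_port": True,
}

HARDENED_SERVER = {
    "role": "server", "sip_tls_port": 5061,
    "local_rsa_cert_filename": "server-cert.pem",
    "local_rsa_private_key_filename": "server-key.pem",
    "local_rsa_private_key_password": "example-passphrase",  # constructed
    "chain_cert_number": 1, "chain_cert_filename": ["intermediate-ca.pem"],
    "ca_cert_number": 1, "ca_cert_filename": ["root-ca.pem"],
    "crl_number": 1, "crl_filename": ["root-ca.crl"],
    "client_cert_required": True,
    "local_cipher_suite": "HIGH:!aNULL:!eNULL:!EXPORT",
    "dh_param_1024_filename": "dh1024.pem",
    "block_udp_port": True, "block_tcp_port": True,
}

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_SERVER), ("hardened", HARDENED_SERVER)):
        print(name, "clean" if is_clean(cfg) else "has findings")
        for severity, message in lint_tls_config(cfg):
            print(f"  [{severity}] {message}")
```

Run stand-alone, the weak set yields two errors (chain count mismatch, client_cert_required without CA certificates), three warnings (NULL and EXPORT in the cipher list, 512-bit D-H) and one informational note about the blocked UDP/TCP ports; the hardened set yields only that note. Whether the SR140 ends up with one TLS engine per system or per module, the same checks apply per configured engine.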