TLS only allows SIP entities to authenticate the servers to which they are adjacent. Establishing a TLS connection authenticates both transport endpoints but does not authenticate the SIP messages flowing through the link. For example, two proxies may carry traffic between them over TLS, but this does not stop a malicious gateway from injecting suspect SIP traffic at either end of the TLS link. SIPS can be used to ensure that TLS is maintained for all hops carrying SIP messages, thereby reducing the risk of such an attack. SIPS is enabled or disabled in the SIP Profile - SGPSIP Advanced Settings.
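An added example (not IMG 2020 vendor code and not part of the original page): a Python audit of a SIP request as received behind a TLS link, checking that a `sips:` request shows TLS on every hop recorded in its Via headers. The sample message and all host names are constructed; the Request-URI and Via syntax assumed is that of RFC 3261.

```python
import re

# Constructed sample request (not captured traffic): the Request-URI is sips:,
# but one hop recorded in the Via headers used plain TCP.
SAMPLE_REQUEST = (
    "INVITE sips:bob@example.net SIP/2.0\r\n"
    "Via: SIP/2.0/TLS proxy2.example.net:5061;branch=z9hG4bK2d4790\r\n"
    "v: SIP/2.0/TCP proxy1.example.org:5060;branch=z9hG4bK77ef4c, "
    "SIP/2.0/TLS ua.example.org:5061;branch=z9hG4bKnashds8\r\n"
    "From: <sips:alice@example.org>;tag=1928301774\r\n"
    "To: <sips:bob@example.net>\r\n"
    "Call-ID: a84b4c76e66710\r\n"
    "CSeq: 314159 INVITE\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

# One Via value: "SIP/2.0/<transport> <sent-by>;params"
VIA_RE = re.compile(r"^\s*SIP\s*/\s*2\.0\s*/\s*([A-Za-z0-9-]+)\s+([^;,\s]+)")


def audit_sips_hops(raw):
    """Return (uri_scheme, hops, violations) for one SIP request."""
    head = raw.split("\r\n\r\n", 1)[0]
    # Join folded header lines (continuation lines start with whitespace).
    lines = re.sub(r"\r?\n[ \t]+", " ", head).split("\r\n")
    scheme = lines[0].split()[1].split(":", 1)[0].lower()
    hops = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() not in ("via", "v"):  # "v" is the compact form
            continue
        for entry in value.split(","):  # several Via values may share a line
            m = VIA_RE.match(entry)
            if m:
                hops.append((m.group(1).upper(), m.group(2)))
    # A sips: request should show TLS on every recorded hop.
    violations = [h for h in hops if h[0] != "TLS"] if scheme == "sips" else []
    return scheme, hops, violations


if __name__ == "__main__":
    scheme, hops, violations = audit_sips_hops(SAMPLE_REQUEST)
    print(scheme, hops)
    for transport, sent_by in violations:
        print("non-TLS hop on a sips: request:", transport, sent_by)
```

The Via transport values are written by each upstream hop, so this is an audit signal for logs and traces, not authentication of the message.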
- The IMG 2020 supports SSLv3 and TLSv1.2.
- TLS is supported only over TCP and requires a separate port. The default port is 5061 and is configurable in the SIP Signaling object.
- The IMG 2020 SIPS protocol supports 128-bit encryption only, unlike HTTPS, where 256-bit encryption is also supported.
- A Certificate Database is created and uploaded to the IMG 2020.
- The IMG 2020 will allow a maximum of 16 Trust IDs or Certificate Entries.
- TLS is also supported on the IMG 2020's virtual IP addresses.
- The IMG 2020 supports X.509 certificates only, and supports a maximum CA certificate depth of four during certificate verification.
- The use of certificates requires that the clock on the IMG 2020 be synchronized with the network time to ensure proper validation of certificates. To configure the clock, see Configure SNTP.
- CRLs (Certificate Revocation Lists) are not supported.
- SNMP or MIB requirements are not supported.
- DNS or ENUM lookups of NAPTR/SRV records containing SIP URIs are not supported.