wiki:TLS

Configuring PJSIP with TLS

Moved to https://docs.pjsip.org/en/latest/specific-guides/security/ssl.html

Requirements

The TLS support in PJSIP requires OpenSSL development kit (headers and libs) to be installed. Please follow the following guide below for more info on how to install OpenSSL for each platform:

Build PJSIP with TLS Support

SIP TLS transport is implemented based on the new PJLIB secure socket abstraction, and its availability is based on PJ_HAS_SSL_SOCK macro value. For autoconf build system, the value is automatically detected based on OpenSSL availability. For other platforms such as Windows and Symbian, please declare this in your config_site.h: 

#define PJ_HAS_SSL_SOCK 1

Note:

  • The PJSIP_HAS_TLS_TRANSPORT default value will be set to PJ_HAS_SSL_SOCK setting.
  • For PJSIP version prior to 1.5, where the macro PJ_HAS_SSL_SOCK has not been introduced yet, it is PJSIP_HAS_TLS_TRANSPORT macro that have to be set in the config_site.h.

Running pjsua as TLS Server

  1. You will need specify a TLS certificate, represented by three PEM files:
    1. The root certificate
    2. The server certificate
    3. The private key
  2. Run pjsua: 
    $ ./pjsua --use-tls --tls-ca-file root.pem --tls-cert-file server-cert.pem --tls-privkey-file privkey.pem
  3. To see more TLS options, run ./pjsua --help.

Running pjsua as TLS Client

To make call to SERVER using TLS: 

$ ./pjsua --use-tls <sip:SERVER;transport=tls>

To see more TLS options, run ./pjsua --help.

Enable TLS mutual authentication

Basically, it is done by two ways certificate verification, so both sides must provide TLS certificate (as described in Running pjsua as TLS Server above) and enable verification:

  • as TLS server: append pjsua option --tls-verify-client,
  • as TLS client: append pjsua option --tls-verify-server.

To see about TLS in library level, check the TLS docs in the links section below.

Last modified 15 months ago Last modified on Jan 25, 2023 8:23:07 AM