This project is aimed at integrating TLS (Transport Layer Security) transport-layer encryption into the existing sipd server, using a C/C++ library, OpenSSL.
sipd [1] is a SIP redirect, forking proxy and registration server that provides name mapping, user location and scripting services. While invitations and registrations can be authenticated using basic, digest and PGP authentication, communication between clients and sipd is not secured at the transport layer in the current implementation of sipd. In this project, we integrated TLS (Transport Layer Security) transport-layer encryption into the sipd server, using a C/C++ library, OpenSSL [3].
Secure Sockets Layer (SSL) is a protocol that sits between the application layer (SIP in our case) and the transport layer to provide data encryption and authentication between a Web client and a Web server. Although SSL was originally developed by Netscape for Web applications, it can be used for other Internet applications as well.
The SSL protocol begins with a handshake phase that negotiates an encryption algorithm and keys, and authenticates the server to the client. Once the handshake is complete and the transmission of application data begins, all data is encrypted using the session keys negotiated during the handshake phase.
OpenSSL's ssl library implements the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols. It provides a rich API, which is documented in [3].
The following two pictures give an overview of SIP operations in redirect mode and proxy mode.
SIP, as a protocol, is typically used over UDP or TCP. As mentioned above, SSL/TLS sits between the application layer, SIP in this case, and the transport layer, as depicted in the following picture.
In Eric Rescorla's book [2], there is example code implementing a self-contained prototype of an SSL/TLS client and server using the OpenSSL API. As a first step, we modified Rescorla's example code so that it interfaces better with the sipd server while remaining largely self-contained. Next, we added an optional SSL/TLS layer to sipd, which can be turned on or off in the configuration file. The flow chart of the function calls that are relevant to adding SSL/TLS is shown in the following picture.
Please refer to the program documentation for details.
A simple SSL/TLS client, siptc, was developed to test our SSL/TLS-equipped sipd.
This project was implemented by Li Liao under Sankaran Narayanan's mentoring. The basic SSL/TLS client-server code was downloaded from Eric Rescorla's book, and the code of sipd is from the Internet Real-Time Lab at the Computer Science Department, Columbia University.