SSL/TLS for Internet Telephony Server

Li Liao
Columbia University
New York, NY 10027
USA
ll272@columbia.edu

Abstract

This project integrates SSL/TLS transport-layer encryption into the existing sipd server, using the C/C++ library OpenSSL.

Introduction

sipd[1] is a SIP redirect, forking proxy and registration server that provides name mapping, user location and scripting services. While invitations and registrations can be authenticated using basic, digest and PGP authentication, communication between clients and sipd is not secured at the transport layer in the current implementation of sipd. In this project, we integrated SSL/TLS transport-layer encryption into the sipd server, using the C/C++ library OpenSSL[3].

Secure socket layer (SSL) is a protocol that sits between the application layer (SIP in our case) and the transport layer to provide data encryption and authentication between a Web client and a Web server. Although SSL was originally developed by Netscape for Web applications, it can be used for other Internet applications as well.

The SSL protocol begins with a handshake phase that negotiates an encryption algorithm and keys, and authenticates the server to the client. Once the handshake is complete and the transmission of application data begins, all data is encrypted using the session keys negotiated during the handshake phase.

OpenSSL's ssl library implements the Secure Socket Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols. It provides a rich API, which is documented in [3].

Background

The following two pictures give an overview of SIP operations in redirect mode and proxy mode.

SIP Operation in Redirect Mode

[Figure: SIP call initiation in redirect mode]

SIP Operation in Proxy Mode

[Figure: SIP call initiation in proxy mode]

Architecture

SIP, as a protocol, is typically carried over UDP or TCP. As mentioned above, SSL/TLS sits between the application layer, SIP in this case, and the transport layer, as depicted in the following picture.

[Figure: SSL/TLS between the SIP application layer and the transport layer]

In Eric Rescorla's book [2], there is example code implementing a self-contained prototype of an SSL/TLS client and server using the OpenSSL API. As a first step, we modified Rescorla's example code so that it interfaces better with the sipd server while remaining largely self-contained. Next, we added an SSL/TLS layer to sipd as an optional feature that can be turned on or off in the configuration file. The flow chart of the function calls relevant to adding SSL/TLS is shown in the following picture.

[Figure: flow chart of sipd function calls relevant to SSL/TLS]

To accommodate the SSL socket, the data structures request_t and request_common_t are modified by replacing struct sockaddr_in with a union sock_t, which can hold either a sockaddr_in or an SSL. The strategy is to keep the existing sipd architecture as intact as possible; indeed, the modification to code after a request is passed to RequestProcess() is minimal.
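The behaviour described in the Introduction and above (handshake first, the client authenticating the server, application data only after the handshake, and a request handler that is indifferent to whether the socket is plain or SSL), as an added example that is not code from the project or from Rescorla's book. It is written in Go rather than the project's C/OpenSSL so that it runs self-contained, since Go's standard library both generates the certificate and carries TLS; the host name sipd.example, the REGISTER request and the 200 OK reply are constructed for the demonstration, and a net.Conn stands in for the sock_t union.

```go
package main
import (
	"bufio"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"math/big"
	"net"
	"time"
)
// selfSignedCert builds a throwaway in-memory server certificate for the constructed name "sipd.example"; a client that pins the returned pool can authenticate the server during the handshake.
func selfSignedCert() (tls.Certificate, *x509.CertPool) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{"sipd.example"}, NotBefore: time.Now().Add(-time.Hour),
		NotAfter: time.Now().Add(time.Hour), ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	leaf, _ := x509.ParseCertificate(der)
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: priv}, pool
}
// serveOne answers one SIP request with 200 OK through the net.Conn interface (the role sipd's sock_t union plays): the handler never touches TLS state, and a failed handshake simply yields no request to answer.
func serveOne(ln net.Listener) {
	if c, err := ln.Accept(); err == nil {
		defer c.Close()
		if _, err = bufio.NewReader(c).ReadString('\n'); err == nil { // on TLS the handshake runs inside this first Read
			c.Write([]byte("SIP/2.0 200 OK\r\n\r\n"))
		}
	}
}
// registerOverTLS starts a TLS-wrapped sipd on a loopback port and sends one REGISTER as a client that either pins the server certificate or trusts nothing; it returns the status line the server sent back.
func registerOverTLS(pinServer bool) (string, error) {
	cert, pool := selfSignedCert()
	raw, _ := net.Listen("tcp", "127.0.0.1:0")
	ln := tls.NewListener(raw, &tls.Config{Certificates: []tls.Certificate{cert}, MinVersion: tls.VersionTLS12})
	defer ln.Close()
	go serveOne(ln)
	if !pinServer {
		pool = x509.NewCertPool() // empty trust store: the client must refuse the server at the handshake
	}
	c, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{RootCAs: pool, ServerName: "sipd.example", MinVersion: tls.VersionTLS12})
	if err != nil {
		return "", err // handshake failed: no application data was ever sent
	}
	defer c.Close()
	c.Write([]byte("REGISTER sip:sipd.example SIP/2.0\r\n\r\n"))
	return bufio.NewReader(c).ReadString('\n')
}
```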

Program Documentation

Please refer to the program documentation for details.

Measurements

A simple SSL/TLS client, siptc, was developed to test our SSL/TLS-equipped sipd.

Task List

This project was implemented by Li Liao under Sankaran Narayanan's mentoring. The basic SSL/TLS client-server code was downloaded from Eric Rescorla's book, and the sipd code is from the Internet Real Time Lab at the Computer Science Department, Columbia University.

References

[1] Henning Schulzrinne et al., sipd server, Columbia University.
[2] Eric Rescorla, SSL/TLS: Designing and Building Secure Systems, Addison Wesley, 2000.
[3] OpenSSL 0.9.6a.

Last updated: 8-August-2001 by Li Liao