CHAPTER60 Configuration Parameters Reference
Mediant 4000 SBC | User's Manual
Parameter Description
'TLS Mutual Authentication'
configure network >
security-settings >
SIPSREQUIRECLIENTCERTIFICATE
[SIPSRequireClientCertificate]
Defines the device's mode of operation regarding
mutual authentication and certificate verification for
TLS connections.
■ [0] Disable = (Default)
✔ Device acts as a client: Verification of the
server’s certificate depends on the
VerifyServerCertificate parameter.
✔ Device acts as a server: The device does
not request the client certificate.
■ [1] Enable =
✔ Device acts as a client: Verification of the
server certificate is required to establish the
TLS connection.
✔ Device acts as a server: The device
requires the receipt and verification of the
client certificate to establish the TLS
connection.
Note:
■ This feature can be configured per SIP Interface
(see Configuring SIP Interfaces).
■ The SIPS certificate files can be changed using
the parameters HTTPSCertFileName and
HTTPSRootFileName.
'Peer Host Name Verification Mode'
configure network >
security-settings >
PEERHOSTNAMEVERIFICATIONMODE
[PeerHostNameVerificationMode]
Enables the device to verify the Subject Name of a
TLS certificate received from SIP entities for
authentication and establishing TLS connections.
■ [0] Disable (default)
■ [1] Server Only = Verify Subject Name only
when acting as a client for the TLS connection.
■ [2] Server & Client = Verify Subject Name
when acting as a server or client for the TLS
connection.
If the device receives a certificate from a SIP entity
(IP Group) and the parameter is configured to Server
Only or Server & Client, it attempts to authenticate
the certificate based on the certificate's address.
The device searches for a Proxy Set that contains
the same address (IP address or FQDN) as that
specified in the certificate's SubjectAltName
(Subject Alternative Names). For Proxy Sets with an
FQDN, the device checks the FQDN itself and not
the DNS-resolved IP addresses. If a Proxy Set is
found with a matching address, the device
establishes a TLS connection.
If a matching Proxy Set is not found, one of the
following occurs:
■ If the certificate's SubjectAltName is marked as
"critical", the device rejects the call.
- 910 -
To Next Page
Loading...
