
Secure SIP Signaling

Starting with version 8.1.103.08, SIP Server supports the secure SIP signaling schema, or sips, in accordance with RFC 5630.

When enabled, SIP Server forms the Request-URI, From, To, and Contact headers to include the sips schema when sending a SIP message to a device that requires the sips schema. The Via header of the message contains the transport TLS. When generating a response to an incoming message containing the sips schema, SIP Server forms the Contact header to include sips.

If the Request-URI with the sips schema also contains the transport parameter transport=tcp or transport=tls, communication is established using TLS over TCP.

SIP Server applies the sips schema rules selectively, on a per call leg basis. In other words, if one SIP peer must communicate using secure SIP signaling while the other SIP peer does not support it, SIP Server is able to interconnect these peers using their supported protocol. However, devices communicating with SIP Server using the sips schema must be configured to enforce the sips schema.

Examples

Example of an INVITE message with the sips schema arriving at SIP Server:

INVITE sips:5000@172.21.83.50:5314;transport=TCP SIP/2.0
From: "7789"<sips:7789@172.21.83.24>;tag=74cc50-185315ac-13c4-55013-38-2147ec74-38
To: <sips:5000@172.21.83.50:5314>
Call-ID: 75b148-185315ac-13c4-55013-38-4004bd76-38
CSeq: 1 INVITE
Via: SIP/2.0/TLS 172.21.83.24:5061;branch=z9hG4bK-38-dd24-c4644b6
Max-Forwards: 70
Supported: replaces,100rel,eventlist,timer
Allow: REGISTER, INVITE, ACK, BYE, REFER, NOTIFY, CANCEL, INFO, OPTIONS, PRACK, SUBSCRIBE, UPDATE, PUBLISH
User-Agent: AUDC-IPPhone/2.2.12.172 (420HD-Rev1; 00908F567540)
Contact: <sips:7789@172.21.83.24:5061;transport=TCP>
Session-Expires: 1800
Min-SE: 90
Content-Type: application/sdp
Content-Length: 299
...


Example of the 200 OK SIP Server response with the sips schema:

SIP/2.0 200 OK
From: "7789"<sips:7789@172.21.83.24>;tag=74cc50-185315ac-13c4-55013-38-2147ec74-38
To: <sips:5000@172.21.83.50:5314>;tag=EBDFD947-8988-4831-9FFF-051C3B626FFA-2
Call-ID: 75b148-185315ac-13c4-55013-38-4004bd76-38
CSeq: 1 INVITE
Via: SIP/2.0/TLS 172.21.83.24:5061;branch=z9hG4bK-38-dd24-c4644b6;received=172.21.83.24
Contact: <sips:5000@172.21.83.50:5314;transport=TCP>
X-Genesys-CallUUID: 8AH5H0H7054R93EBKC9ICTN8A8000001
Allow: INVITE, ACK, PRACK, CANCEL, BYE, REFER, INFO, MESSAGE, NOTIFY, OPTIONS
User-Agent: PolycomVVX-VVX_300-UA/5.2.0.8330
Allow-Events: conference,talk,hold
Accept-Language: en
Session-Expires: 1800;refresher=uas
Supported: uui,timer
Content-Type: application/sdp
Content-Length: 193
 ... 
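
The following check is an added example, not Genesys code: it verifies that a captured SIP message applies the sips rules described above consistently (Request-URI, From, To, and Contact use sips, and the topmost Via uses TLS). The function names and the expect_sips flag are assumptions, and the second sample message is constructed.

```python
COMPACT = {"f": "from", "t": "to", "m": "contact", "v": "via"}  # RFC 3261 compact names

def _scheme(value):
    """Return the URI scheme of a name-addr (<uri>) or bare addr-spec value."""
    uri = value.split("<", 1)[1].split(">", 1)[0] if "<" in value else value.split(";", 1)[0]
    return uri.strip().partition(":")[0].lower()

def check_sips(raw, expect_sips=False):
    """Return findings for one message; expect_sips=True models a sips-configured device."""
    head = raw.replace("\r\n", "\n").strip().split("\n\n", 1)[0].split("\n")
    start, schemes, via = head[0].split(), {}, None
    if not start[0].upper().startswith("SIP/"):  # request line: METHOD URI SIP/2.0
        schemes["Request-URI"] = _scheme(start[1])
    for line in head[1:]:
        name, sep, value = line.partition(":")
        name = COMPACT.get(name.strip().lower(), name.strip().lower())
        if not sep or not value.strip():
            continue  # not a header line (for example the "..." elision)
        if name in ("from", "to", "contact") and value.strip() != "*":
            schemes.setdefault(name.title(), _scheme(value))
        elif name == "via" and via is None:  # only the topmost Via is checked
            via = value.split()[0].rpartition("/")[2].upper()
    if not expect_sips and "sips" not in schemes.values():
        return []  # plain sip leg and nothing requires sips
    findings = [f"{h} uses '{s}:' instead of 'sips:'" for h, s in schemes.items() if s != "sips"]
    if via != "TLS":
        findings.append(f"top Via transport is {via}, expected TLS")
    return findings

# Headers of the INVITE shown on this page (body and other headers omitted).
PAGE_INVITE = """INVITE sips:5000@172.21.83.50:5314;transport=TCP SIP/2.0
From: "7789"<sips:7789@172.21.83.24>;tag=74cc50-185315ac-13c4-55013-38-2147ec74-38
To: <sips:5000@172.21.83.50:5314>
Via: SIP/2.0/TLS 172.21.83.24:5061;branch=z9hG4bK-38-dd24-c4644b6
Contact: <sips:7789@172.21.83.24:5061;transport=TCP>
"""

# Constructed sample: sips Request-URI, but a sip Contact (compact "m") sent over TCP.
MIXED_INVITE = """INVITE sips:5000@192.0.2.50:5314 SIP/2.0
f: <sips:7789@192.0.2.10>;tag=constructed
t: <sips:5000@192.0.2.50:5314>
v: SIP/2.0/TCP 192.0.2.10:5060;branch=z9hG4bK-constructed
m: <sip:7789@192.0.2.10:5060>
"""

if __name__ == "__main__":
    for label, msg in (("page INVITE", PAGE_INVITE), ("constructed mixed", MIXED_INVITE)):
        print(label, "->", check_sips(msg) or "consistent")
```

Passing expect_sips=True also flags a message that arrives entirely in the sip schema on a leg whose device is configured with a sips contact.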

Feature Configuration

To enable the sips schema for secure SIP signaling, add the sips parameter to the contact option of the required device, as follows:

  • contact=sips:[number@]hostport[;transport={tls/tcp}]

Genesys recommends that you configure transport=tls.

The sips schema is supported on the following types of DNs:

  • Trunk
  • Extension
  • ACD Position
  • Voice over IP Service with service-type=softswitch

Examples of the contact values with the sips schema:

  • sips:fly.example.com;transport=tls
  • sips:192.168.8.57;transport=tcp

Enforcing the sips schema by SIP registration

Self-registered DNs are configured with the option contact="*". When an incoming (from an endpoint) SIP REGISTER request contains the sips schema, SIP Server communicates with that endpoint using the sips schema. The transport parameter will be removed from the SIP REGISTER request.

Feature Limitations

  • The sips schema is not yet supported by SIP Proxy.
  • SIP Server guarantees consistency in using the sips schema only if it is configured and matches incoming traffic. In other words, the trunk through which an INVITE request containing sips arrives must have the sips schema configured, and the self-registered DN must have the option contact="*" configured.
  • If communication with Media Server over TLS is required, Genesys recommends using the sip schema (not sips) in the contact to keep it backward compatible.
This page was last modified on July 16, 2018, at 12:14.