Transport Layer Security (TLS), 6-26 – AASTRA 6700i series, 9143, 9480i, 9480i CT SIP Administrator Guide EN User Manual

6-26

41-001343-01 Rev 03, Release 3.2.2

Transport Layer Security (TLS)

The IP Phones support a transport protocol called Transport Layer Security (TLS) and Persistent TLS. TLS is a protocol that ensures communication privacy between the SIP phones and the Internet. TLS ensures that no third party may eavesdrop on or tamper with any message.

TLS is composed of two layers: the TLS Record Protocol and the TLS Handshake Protocol. The TLS Record Protocol provides connection security with some encryption method such as the Data Encryption Standard (DES). The TLS Handshake Protocol allows the server and client to authenticate each other and to negotiate an encryption algorithm and cryptographic keys before data is exchanged. TLS requires the use of the following security certificate files to perform the TLS handshake:
• Root and Intermediate Certificates
• Local Certificate
• Private Key
• Trusted Certificate

When the phones use TLS to authenticate with the server, each individual call must set up a new TLS connection. This adds time to the placing of each call. Thus, the IP phones also have a feature that allows you to set up the connection to the server once and re-use that one connection for all calls from the phone. It is called Persistent TLS. The Persistent TLS connection is established during the registration of the phone. If the phones are set to use Persistent TLS, and a call is made from the phone, this call and all subsequent calls use the same authenticated connection. This significantly reduces the delay time when placing a call.

On the IP phones, an Administrator can configure TLS and Persistent TLS on a global basis only, using the configuration files or the Aastra Web UI.

There is a keep-alive feature for persistent TLS connections only. Administrators can configure this keep-alive feature using the parameter called “sip persistent tls keep alive”. When this feature is configured, the phone sends keep-alive pings to the proxy server at the configured interval. The keep-alive feature for persistent TLS connections does the following:
• After a persistent TLS connection is established or re-established, it activates the keep-alive, which sends a CRLF to the peer periodically.

Notes:

1. Persistent TLS requires the outbound proxy server and outbound proxy port parameters to be configured in either the configuration files or the Aastra Web UI (Advanced Settings->Global SIP->Basic SIP Network Settings). There can be only one persistent TLS connection created per phone. The phone establishes the TLS connection to the configured outbound proxy.

2. If you configure the phone to use Persistent TLS, you must also specify the Trusted Certificate file to use. The Root and Intermediate Certificates, Local Certificate, and Private Key files are optional.
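The following is an added illustration, not code from the Aastra guide or the phone firmware. It models the behaviour the section describes: one TLS handshake at registration, the same authenticated connection reused for every subsequent call, a CRLF keep-alive that is re-armed whenever the connection is (re)established, and the configuration rule from the Notes (outbound proxy and port plus a Trusted Certificate are mandatory, Local Certificate and Private Key optional but only as a pair). The class, field and function names are hypothetical, the keep-alive interval value is assumed, and the transport and clock are constructed test doubles so the example runs offline.

```python
import time
from dataclasses import dataclass
from typing import Callable, List, Optional

CRLF = b"\r\n"  # the keep-alive ping the phone sends to the proxy


@dataclass
class PersistentTlsProfile:
    """Global settings Persistent TLS needs (descriptive names, not Aastra parameter names)."""
    outbound_proxy: str
    outbound_proxy_port: int
    trusted_certificate: str                   # CA bundle used to verify the proxy: mandatory
    local_certificate: Optional[str] = None    # phone's own certificate: optional
    private_key: Optional[str] = None          # must accompany local_certificate
    keep_alive_interval_s: int = 30            # analogue of 'sip persistent tls keep alive'; value assumed

    def validate(self) -> List[str]:
        """Return the configuration problems an administrator must fix before Persistent TLS works."""
        problems = []
        if not self.outbound_proxy or not (1 <= self.outbound_proxy_port <= 65535):
            problems.append("outbound proxy server and port must be configured")
        if not self.trusted_certificate:
            problems.append("trusted certificate file is required for Persistent TLS")
        if bool(self.local_certificate) != bool(self.private_key):
            problems.append("local certificate and private key must be supplied together")
        if self.keep_alive_interval_s <= 0:
            problems.append("keep-alive interval must be positive")
        return problems


class FakeTransport:
    """Constructed stand-in for the phone's TLS socket; records handshakes and bytes sent."""
    def __init__(self) -> None:
        self.handshakes = 0
        self.sent: List[bytes] = []
        self.open = False

    def handshake(self) -> None:
        self.handshakes += 1
        self.open = True

    def send(self, data: bytes) -> None:
        if not self.open:
            raise ConnectionError("connection is down")
        self.sent.append(data)

    def drop(self) -> None:
        self.open = False


class FakeClock:
    """Constructed clock so keep-alive timing is deterministic in the example."""
    def __init__(self) -> None:
        self.t = 0.0

    def __call__(self) -> float:
        return self.t

    def advance(self, seconds: float) -> None:
        self.t += seconds


class PersistentTlsClient:
    """One authenticated connection to the outbound proxy, reused for every call."""
    def __init__(self, profile: PersistentTlsProfile, transport: FakeTransport,
                 clock: Callable[[], float] = time.monotonic) -> None:
        problems = profile.validate()
        if problems:
            raise ValueError("; ".join(problems))
        self.profile, self.transport, self.clock = profile, transport, clock
        self.next_keep_alive: Optional[float] = None

    def register(self) -> None:
        """The single TLS handshake happens at registration time."""
        self._establish()

    def _establish(self) -> None:
        self.transport.handshake()
        # (Re)establishing the connection activates the keep-alive timer.
        self.next_keep_alive = self.clock() + self.profile.keep_alive_interval_s

    def send_request(self, sip_message: bytes) -> None:
        """Send a SIP request (e.g. INVITE) on the existing connection; reconnect only if it is down."""
        if not self.transport.open:
            self._establish()
        self.transport.send(sip_message)

    def tick(self) -> bool:
        """Call periodically; sends a CRLF once the interval has elapsed. Returns True if one was sent."""
        now = self.clock()
        if self.next_keep_alive is None or now < self.next_keep_alive:
            return False
        if not self.transport.open:
            self._establish()
        self.transport.send(CRLF)
        self.next_keep_alive = now + self.profile.keep_alive_interval_s
        return True


def demo() -> dict:
    """Three calls on one persistent connection, then one keep-alive interval elapses."""
    clock, transport = FakeClock(), FakeTransport()
    profile = PersistentTlsProfile("proxy.example.invalid", 5061, "trusted.pem", keep_alive_interval_s=30)
    phone = PersistentTlsClient(profile, transport, clock)
    phone.register()
    for _ in range(3):
        phone.send_request(b"INVITE sip:1000@example.invalid SIP/2.0\r\n\r\n")
        clock.advance(10)
    clock.advance(20)  # 50 s after registration: one keep-alive is due
    phone.tick()
    return {"handshakes": transport.handshakes,
            "pings": sum(1 for m in transport.sent if m == CRLF)}
```

Running `demo()` shows a single handshake for three calls plus one CRLF ping; a per-call TLS setup would have produced three handshakes instead. Dropping the transport and sending again triggers a new handshake and resets the keep-alive deadline, which is the "established or re-established" behaviour the section describes.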
