SSL/TLS

Requirements

The TLS support in PJSIP requires one of the following:

• OpenSSL

• BoringSSL: #2856

• GnuTLS: #2082

• Mac/iOS native backend: #2482 and #2185

This page mostly describes TLS usage with OpenSSL. For other backends, please refer to the GitHub issues/PR above.

Installing OpenSSL

For OpenSSL installation, refer to the following guides:

• Installing OpenSSL (for Windows)

• TLS/OpenSSL Support (for iOS/iPhone)

• OpenSSL Support (for Android)

• For Debian/Ubuntu:

  $ sudo apt-get install libssl-dev
  

• Note that native SSL backend is available for Mac/iOS, see #2482.

• (deprecated) BB10: using bundled OpenSSL

• (deprecated) TLS support on Symbian is implemented natively using CSecureSocket, hence it doesn’t require OpenSSL development kit. Please see Configuring TLS on Symbian for the detailed information.

Build PJSIP with TLS Support

SIP TLS transport is implemented based on PJLIB’s SSL Socket API, and its availability is based on PJ_HAS_SSL_SOCK macro value. For autoconf build system, the value is automatically detected based on OpenSSL availability. For other platforms such as Windows and Symbian, please declare this in your config_site.h:

#define PJ_HAS_SSL_SOCK 1

Note:

• The PJSIP_HAS_TLS_TRANSPORT default value will be set to PJ_HAS_SSL_SOCK setting.

Configuring SIP TLS transport

Once TLS support has been built, configure the TLS settings as follows.

For PJSUA2 based applications:

• Configure the pj::TlsConfig in the pj::TransportConfig

• Create the TLS transport by following Creating one or more transports

For PJSUA-LIB based applications:

• Configure the TLS certificates in pjsua_transport_config::tls_setting.

• Create TLS transport with pjsua_transport_create() and so on. See PJSUA-LIB Transport.

For PJSIP based applications:

• See PJSIP TLS Transport.

Using SIP TLS transport

Once SIP transport has been configured, it will be used to send requests to remote endpoint that requires TLS transport, i.e. either the URL contains ;transport=tls parameter or the URI is sips:.

The instructions are similar to Using SIP TCP Transport; just replace "tcp" with "tls".

Running pjsua as TLS Server

1. You will need specify a TLS certificate, represented by three PEM files:

   1. The root certificate

   2. The server certificate

   3. The private key

2. Run pjsua:

   $ ./pjsua --use-tls --tls-ca-file root.pem --tls-cert-file server-cert.pem --tls-privkey-file privkey.pem
   

3. To see more TLS options, run ./pjsua –help.

Running pjsua as TLS Client

To make call to SERVER using TLS:

$ ./pjsua --use-tls <sip:SERVER;transport=tls>

To see more TLS options, run ./pjsua --help.

Enable TLS mutual authentication

Basically, it is done by two ways certificate verification, so both sides must provide TLS certificate (as described in [#pjsua-tls-server Running pjsua as TLS Server] above) and enable verification:

• as TLS server: append pjsua option --tls-verify-client,

• as TLS client: append pjsua option --tls-verify-server.

To see about TLS in library level, check the TLS docs in the links section below.