Snom m9/Documentation/Online Manual/Security and Emergency
From Snom User Wiki
Encrypted Calls
- snom m9 supports media and VoIP signaling encryption for making secure VoIP calls (TLS/SRTP)
- snom m9 provides these features via:
  - RFC 4346 (TLS)
  - RFC 3711 (SRTP)
  - Key Exchange
- TLS/SIPS functionality can be enabled on the snom m9 by appending a transport=tls parameter to the Outbound Proxy
- Media encryption can be switched on using the RTP Encryption setting
- Secure call status is indicated on the snom m9 Handset by a Closed Padlock icon
X.509 Certificates
- The m9 base station is able to perform Server Identity Verification based on trusted X.509 chains when SSL/TLS is used
- Servers which present certificates signed by CAs unknown to the base are rejected
- The Server Verification functionality can be switched off by selecting Don't validate certificates under Security->Certificate Policy
- The trusted root CAs on the base can be viewed under Status->Network
- Note: The snom m9 is also able to present its X.509 Certificate for Client Identity Verification
- Note: For the Client/Server verification to function, the validation server must have a valid certificate with a domain name as the CN. The same domain name must also be provided to the snom m9 as the SIP server or auto-configuration server.
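The two requirements above (a transport=tls parameter on the Outbound Proxy, and a server certificate CN equal to the server name configured on the base) can be checked before a configuration is rolled out. The following Python check is an added example, not snom code; the `host:port;name=value` proxy syntax, the function names and the sample values are assumptions.

```python
import ipaddress

def parse_proxy(value):
    """Split an Outbound Proxy value into (host, port, params).

    Assumed syntax: [sip:|sips:]host[:port][;name=value...] (hostname or IPv4).
    """
    value = value.strip()
    for scheme in ("sips:", "sip:"):
        if value.lower().startswith(scheme):
            value = value[len(scheme):]
            break
    hostport, *raw_params = value.split(";")
    params = {}
    for item in raw_params:
        name, _, val = item.partition("=")
        params[name.strip().lower()] = val.strip().lower()
    host, _, port = hostport.strip().partition(":")
    return host.lower().rstrip("."), port or None, params

def lint_tls_config(outbound_proxy, server_cert_cn):
    """Return a list of findings; an empty list means both checks passed."""
    host, _port, params = parse_proxy(outbound_proxy)
    findings = []
    if params.get("transport") != "tls":
        findings.append("transport=tls missing from Outbound Proxy")
    try:
        ipaddress.ip_address(host)
        findings.append("proxy is an IP address: it cannot equal a domain-name CN")
    except ValueError:
        pass  # not an IP literal, so it is treated as a domain name
    if host != server_cert_cn.strip().lower().rstrip("."):
        findings.append(f"CN mismatch: configured {host!r}, certificate CN {server_cert_cn!r}")
    return findings

if __name__ == "__main__":
    # Constructed sample values, not taken from a real deployment.
    samples = [
        ("proxy.example.com:5061;transport=tls", "proxy.example.com"),
        ("proxy.example.com:5060", "proxy.example.com"),
        ("192.0.2.10:5061;transport=tls", "proxy.example.com"),
    ]
    for proxy, cn in samples:
        print(proxy, "->", lint_tls_config(proxy, cn) or "OK")
```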
Client Certificates
- Each snom m9 base station comes equipped with a unique X.509 certificate signed by snom CA
- These Client Certificates are used by the snom m9 to provide proof-of-identity to servers and to generate private-key based signatures
- The client certificate of the snom m9 can, however, also be customized by provisioning a custom client certificate and private key
- The snom m9 can be auto-configured to use a customized client identity by embedding the certificate and private key in an XML file using <cert> and <key> tags
- Both the <cert> and <key> tags need to be encapsulated within a <certificates> XML tag
- The following XML format indicates how a customized client certificate and private key can be provisioned to the snom m9:
CA Setup
- Trusted Root CAs can also be provisioned to the m9 base with auto-provisioning
- With <certificates> as the top XML tag, each trusted root CA can be enclosed within a <ca> tag
- The following XML format can be used for CA setup:
Security
- Admin Login Account: HTTP Admin username
- Password: HTTP Admin password
- Session Timeout: Webserver auto-logoff interval
- HTTP Client Username: HTTP Username for outgoing HTTP connections
- HTTP Client Password: HTTP Password for outgoing HTTP connections
- PIN: Base PIN (Recommended to be changed from default 0000)
- Emergency Proxy: Emergency SIP Proxy for routing emergency calls
- Emergency Numbers: Permitted emergency numbers for emergency calls
Emergency Calls
- The dial plans on the snom m9 can also be used to make emergency calls terminated at an external VoIP provider
- The following dial plan will make a call to the SIP URI emergency@provider.com when 911, 999 or 112 is dialed:
!^(911|112|999)!sip:emergency@provider.com!d