TLS Transport Layer Security
Instruction Guide
Securing Algo IP Endpoints:
TLS and Mutual Authentication
Need Help?
604-454-3792 or support@algosolutions.com
Introduction to TLS
TLS (Transport Layer Security) is a cryptographic protocol that provides authentication, privacy, and end-to-end security of data sent between applications or devices over the Internet. As telephony platforms have become more common, the need for TLS to provide secure communication over the public Internet has grown. Algo devices that support firmware 1.6.4 or later support Transport Layer Security (TLS) for both Provisioning and SIP Signaling.
Note: the following endpoints do not support TLS: 8180 IP Audio Alerter (G1), 8028 IP Doorphone (G1), 8128 IP Visual Alerter (G1), 8061 IP Relay Controller.
Encryption vs Identity Verification
While TLS traffic is always encrypted and safe from third-party eavesdropping or modification, an additional layer of security can be provided by using Certificates to verify the identity of the other party. This allows the Server to verify the identity of the IP Endpoint device, and vice versa.
To perform the identity check, the Certificate file must be signed by a Certificate Authority (CA). The other device then checks this signature, using the Public (Trusted) Certificate from this CA.
TLS Certificates
Algo IP Endpoints come pre-installed with a set of public certificates from trusted Certificate Authorities (CAs), including Comodo, Verisign, Symantec, DigiCert, etc. ... their servers or websites are in fact who they say they are. Algo devices can confirm that they are communicating with an authentic server by verifying the server's signed certificates against the public certificates from the CA that signed them. Additional public certificates can also be uploaded, allowing the Algo device to trust and verify additional servers that may not be covered by the pre-installed certificates (for example, self-signed certificates).
Mutual Authentication
Mutual Authentication adds one more layer of security by requiring that the server also validate and trust the endpoint device, in addition to the opposite direction of the endpoint validating the server. This is implemented using a unique Device Certificate, installed on each Algo SIP Endpoint at the time of manufacture. Since the IP address of an Algo device is not fixed (it is determined by the customer's network), Algo cannot publish this information in advance with the trusted CAs, and instead, these Device Certificates must be signed by Algo's own CA.
For the server to trust the Algo device, the system administrator will need to install the public Algo CA certificate on their server (for example the SIP Phone System or their provisioning server) so that this server can verify that the Device Certificate on the Algo device is authentic.
Note: Algo IP endpoints manufactured in 2019 (starting with firmware 1.7.1) or later have the device certificate installed from the factory.
To check whether the certificate is installed, navigate to the System -> About tab. See the Manufacturer Certificate. If the certificate is not installed, please email support@algosolutions.com.
Cipher Suites
Cipher suites are sets of algorithms used during a TLS session. Each suite includes algorithms for authentication, encryption, and message authentication. Algo devices support many commonly used encryption algorithms such as AES256 and message authentication algorithms such as SHA-2.
Algo Device Certificates
Device Certificates signed by the Algo Root CA have been factory installed on Algo devices since 2019, starting with firmware 1.7.1. The certificate is generated when the device is manufactured, with the common name field in the certificate containing the MAC address of each device.
The device certificate is valid for 30 years and resides in a separate partition, so it will not be erased even after a factory reset of the Algo endpoint.
Algo devices also support uploading your own device certificate to use in place of the factory-installed device certificate. This can be installed by uploading a PEM file containing both a device certificate and a private key to the 'certs' directory (not the 'certs/trusted' directory!) in the System -> File Manager tab. This file needs to be called 'sipclient.pem'.
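A pre-upload check for the two directories described above, as an added example that is not part of Algo's documentation or tooling. The function names and file names are hypothetical, and the certificates and keys are constructed test data generated locally with the openssl command line tool.

```shell
#!/usr/bin/env bash
# Added example: all key material below is generated locally as constructed test data.
set -eu
TMP=$(mktemp -d)

# new_pair NAME: throwaway self-signed certificate and key for the demonstration.
new_pair() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$1" \
    -keyout "$TMP/$1.key" -out "$TMP/$1.crt" 2>/dev/null
}

# lint_device_pem FILE: for a bundle going to 'certs'. It must hold a certificate
# and the private key that belongs to it. Prints ok or the first problem found.
lint_device_pem() {
  grep -q -- '-----BEGIN CERTIFICATE-----' "$1" || { echo "no-certificate"; return 0; }
  grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$1" || { echo "no-private-key"; return 0; }
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || cert_pub=""
  key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || key_pub=""
  if [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]; then echo "ok"; else echo "key-mismatch"; fi
}

# lint_trusted_pem FILE: for a file going to 'certs/trusted'. Public certificates
# only: a private key here would be stored where it is not needed.
lint_trusted_pem() {
  if grep -q -- 'PRIVATE KEY-----' "$1"; then echo "contains-private-key"; return 0; fi
  if openssl x509 -in "$1" -noout 2>/dev/null; then echo "ok"; else echo "not-a-certificate"; fi
}

# Demonstration.
new_pair device; new_pair other
cat "$TMP/device.crt" "$TMP/device.key" > "$TMP/good.pem"
cat "$TMP/device.crt" "$TMP/other.key"  > "$TMP/mismatch.pem"
lint_device_pem  "$TMP/good.pem"
lint_device_pem  "$TMP/mismatch.pem"
lint_device_pem  "$TMP/device.crt"
lint_trusted_pem "$TMP/device.crt"
lint_trusted_pem "$TMP/good.pem"
```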
Uploading Public CA Certificates to Algo SIP Endpoints
If you are on firmware lower than 3.1.X, please upgrade the device.
To install a certificate on an Algo device running firmware v3.1 and above, follow these steps:
- Obtain a public certificate from your Certificate Authority (any valid X.509 certificate can be accepted). No specific format is required for the filename.
- In the web interface of the Algo device, navigate to the System -> File Manager tab.
- Upload the certificate files into the 'certs/trusted' directory. Click the Upload button in the top left corner of the file manager and browse to the certificate.
Web Interface Options
HTTPS Provisioning
Provisioning can be secured by setting the 'Download Method' to 'HTTPS' (under the Advanced Settings > Provisioning tab). This prevents configuration files from being read by an unwanted third party. This removes the potential risk of having sensitive data stolen, such as admin passwords and SIP credentials.
To verify the identity of the Provisioning Server, also set 'Validate Server Certificate' to 'Enabled'. If the provisioning server's Certificate is signed by one of the common commercial CAs, then the Algo device should already have the public certificate for this CA and be able to perform the verification.
Upload additional certificates (a Base64 encoded X.509 certificate file in .pem, .cer, or .crt format) by navigating to "System > File Manager" and using the 'certs/trusted' folder.
NOTE: The 'Validate Server Certificate' parameter can also be enabled through provisioning: prov.download.cert = 1
HTTPS Web Interface Protocol
The procedure for uploading a public certificate for HTTPS web browsing is similar to the one described in the section above. The httpd.pem file is a device certificate that is requested by your computer's browser when you navigate to the device's IP. Uploading a custom one may allow you to get rid of the warning message when you access the WebUI using HTTPS. It is not a public CA certificate. The certificate must be uploaded to 'certs'.
SIP Signaling (and RTP Audio)
SIP signaling is secured by setting 'SIP Transportation' to 'TLS' (under the Advanced Settings > Advanced SIP tab).
- This ensures that the SIP traffic will be encrypted.
- SIP signaling is responsible for establishing the call (the control signals to start and end the call with the other party), but it does not contain the audio.
- For the audio (voice) path, use the 'SDP SRTP Offer' setting.
- Setting this to 'Optional' means the RTP audio data of the SIP call will be encrypted (using SRTP) if the other party also supports audio encryption.
- If the other party does not support SRTP, the call will still proceed, but with unencrypted audio. To make audio encryption mandatory for all calls, set 'SDP SRTP Offer' to 'Standard'. In this case, if the other party does not support audio encryption, the call attempt will be rejected.
- To verify the identity of the SIP Server, also set 'Validate Server Certificate' to 'Enabled'.
- If the SIP server's Certificate is signed by one of the common commercial CAs, then the Algo device should already have the public certificate for this CA and be able to perform the verification. If not (for example with self-signed certificates), then the appropriate public certificate can be uploaded to the Algo device as described earlier in this document.
TLS Version 1.2
Algo devices running firmware v3.1 and above support TLS v1.1 and v1.2. The 'Force TLS Version' option can be used to require TLS connections to use TLSv1.2. To enable this feature:
- Go to Advanced Settings > Advanced SIP
- Set 'Force TLS Version' to enabled and save.
NOTE: This option has been removed in v4.0+ since TLS v1.2 is used by default.
Download Algo Certificates
Below are the links to download the Algo CA certificate. The files can be installed on the SIP Server or Provisioning Server so that these servers can authenticate the Device Certificates on Algo SIP Endpoints, and thus allow Mutual Authentication:
Algo Root CA: http://firmware.algosolutions.com/pub/certs/algo_issuing.crt
Algo Intermediate CA: http://firmware.algosolutions.com/pub/certs/algo_intermediate.crt
Algo Public Certificate: http://firmware.algosolutions.com/pub/certs/algo_ca.crt
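What a server establishes with these CA files during Mutual Authentication, shown as an added example that is not Algo's code: the presented Device Certificate must chain to the installed CA, and its common name must match the MAC address on record. The CA, the device certificates, the MAC value and the function names are constructed or hypothetical, and a common name consisting of the bare MAC address is an assumption.

```shell
#!/usr/bin/env bash
# Added example: the CA and device certificates are generated locally as constructed
# stand-ins for the Algo CA files and a factory Device Certificate.
set -eu
WORK=$(mktemp -d)

# make_ca NAME: create a self-signed CA (key and certificate) named NAME.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# issue_device CA MAC: issue a device certificate with CN=MAC, signed by CA.
issue_device() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" \
    -CAcreateserial -days 30 -out "$WORK/$1-$2.crt" 2>/dev/null
}

# check_device CERT CAFILE EXPECTED_MAC: prints ok, untrusted or cn-mismatch.
# 1) the certificate must chain to the CA installed on the server;
# 2) its common name must match the MAC recorded for that endpoint.
check_device() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1 || { echo "untrusted"; return 0; }
  cn=$(openssl x509 -in "$1" -noout -subject -nameopt multiline |
       sed -n 's/^ *commonName *= *//p')
  if [ "$cn" = "$3" ]; then echo "ok"; else echo "cn-mismatch"; fi
}

# Demonstration with a constructed MAC address.
make_ca constructed-ca
make_ca unrelated-ca
issue_device constructed-ca 001122AABBCC
issue_device unrelated-ca 001122AABBCC
check_device "$WORK/constructed-ca-001122AABBCC.crt" "$WORK/constructed-ca.crt" 001122AABBCC
check_device "$WORK/unrelated-ca-001122AABBCC.crt" "$WORK/constructed-ca.crt" 001122AABBCC
check_device "$WORK/constructed-ca-001122AABBCC.crt" "$WORK/constructed-ca.crt" 00AABBCCDDEE
```

A certificate that carries the right MAC address but was signed by a different CA is reported as untrusted, which is why the CN comparison only runs after the chain check.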
Troubleshooting
If the TLS handshake is not completing, please send a packet capture to Algo support for analysis. To do this you will need to mirror the traffic from the port where the Algo endpoint is connected to the network back to a computer.
Algo Communication Products Limited
4500 Beedie St Burnaby BC Canada V5J 5L2