TLS Transport Layer Security
Instruction Manual
Securing Algo IP Endpoints:
TLS and Mutual Authentication
Need help?
604-454-3792 or support@algosolutions.com
Introduction to TLS
TLS (Transport Layer Security) is a cryptographic protocol that provides authentication, privacy, and end-to-end security of data sent between applications or devices over the Internet. As hosted telephony platforms have become more common, the need for TLS to provide secure communication over the public internet has increased. Algo devices that support firmware 1.6.4 or later support Transport Layer Security (TLS) for both Provisioning and SIP Signaling.
Note: the following endpoints do not support TLS: 8180 IP Audio Alerter (G1), 8028 IP Doorphone (G1), 8128 IP Visual Alerter (G1), 8061 IP Relay Controller.
Encryption vs Identity Verification
While TLS traffic is always encrypted and safe from third-party eavesdropping or modification, an additional layer of security can be provided by using Certificates to verify the identity of the other party. This allows the Server to verify the identity of the IP Endpoint device, and vice versa.
To perform the identity check, the Certificate file must be signed by a Certificate Authority (CA). The other device then checks this signature, using the Public (Trusted) Certificate from this CA.
TLS Certificates
Algo IP Endpoints come pre-installed with a set of public certificates from trusted third-party Certificate Authorities (CAs), including Comodo, Verisign, Symantec, DigiCert, etc. their servers or websites are who they say they are. Algo devices can confirm that they are communicating with the correct server by verifying the server's signed certificates against the public certificates from the CA that signed them. Additional public certificates can also be uploaded, to allow the Algo device to trust and verify additional servers that may not be covered by the pre-installed certificates (for example, self-signed certificates).
Mutual Authentication
Mutual Authentication adds an additional layer of security by requiring that the server also verify and trust the endpoint device, in addition to the opposite direction of the endpoint verifying the server. This is implemented using a unique Device Certificate, installed on each Algo SIP Endpoint at the time of manufacturing. As the IP address of an Algo device is not fixed (it is determined by the customer's network), Algo cannot publish this information in advance with the trusted CAs, and instead, these Device Certificates must be signed by Algo's CA.
For the server to trust the Algo device, the system administrator will need to install the public Algo CA certificate chain on their server (for example the SIP Phone System or their provisioning server) so that this server can verify that the Device Certificate on the Algo device is authentic.
Note: Algo IP endpoints manufactured in 2019 (starting with firmware 1.7.1) or later have the device certificate installed at the factory.
To verify that the certificate is installed, navigate to the System -> About tab. See the Manufacturer Certificate. If the certificate is not installed, please email support@algosolutions.com.
Cipher Suites
Cipher suites are sets of algorithms used during a TLS session. Each suite includes algorithms for authentication, encryption, and message authentication. Algo devices support many commonly used encryption algorithms such as AES256 and message authentication code algorithms such as SHA-2.
Algo Device Certificates
Device Certificates signed by the Algo Root CA have been factory installed on Algo devices since 2019, starting with firmware 1.7.1. The certificate is generated when the device is manufactured, with the common name field in the certificate containing the MAC address of each device.
The device certificate is valid for 30 years and resides in a separate partition, so it will not be erased even after factory resetting the Algo endpoint.
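The server side of the mutual authentication described above, as an added example (not Algo's code): every Algo device carries a certificate signed by the same Algo CA, so chain validation only proves "a genuine Algo device", and the MAC in the common name is what ties a connection to a device you own. The file paths, the inventory set, the sample MAC addresses and the exact layout of the MAC inside the CN are assumptions.

```python
import re
import ssl

# A MAC address inside the CN, written with or without ':' / '-' separators.
MAC_RE = re.compile(
    r"(?<![0-9A-Fa-f])((?:[0-9A-Fa-f]{2}[:-]?){5}[0-9A-Fa-f]{2})(?![0-9A-Fa-f])")


def build_server_context(server_pem, algo_ca_bundle):
    """TLS server context that refuses clients without an Algo-signed certificate."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2      # supported from firmware v3.1
    ctx.load_cert_chain(server_pem)                   # server's own cert + key (PEM)
    ctx.load_verify_locations(cafile=algo_ca_bundle)  # Algo CA chain as one PEM file
    ctx.verify_mode = ssl.CERT_REQUIRED               # mutual authentication
    return ctx


def device_mac(peercert):
    """Return the MAC from the subject CN of a getpeercert() dict, or None."""
    for rdn in peercert.get("subject", ()):
        for name, value in rdn:
            match = MAC_RE.search(value) if name == "commonName" else None
            if match:
                return re.sub(r"[:-]", "", match.group(1)).lower()
    return None


def is_enrolled(peercert, inventory):
    """Chain validation proves 'an Algo device'; this proves 'one of ours'."""
    mac = device_mac(peercert)
    return mac is not None and mac in inventory


# Constructed sample data in the shape ssl.SSLSocket.getpeercert() returns.
INVENTORY = {"020000aabb01"}
OURS = {"subject": ((("organizationName", "Example"),),
                    (("commonName", "020000AABB01"),))}
FOREIGN = {"subject": ((("commonName", "02:00:00:AA:BB:02"),),)}

if __name__ == "__main__":
    print(is_enrolled(OURS, INVENTORY), is_enrolled(FOREIGN, INVENTORY))
```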
Algo devices also support uploading your own device certificate to use in place of the factory-installed device certificate. This can be installed by uploading a PEM file containing both the device certificate and the private key to the 'certs' directory (not the 'certs/trusted' directory!) in the System -> File Manager tab. This file must be named 'sipclient.pem'.
Uploading Public CA Certificates to Algo SIP Endpoints
If you are on firmware lower than 3.1.X, please upgrade the device.
To install a certificate on an Algo device running firmware v3.1 & above, follow the steps below:
- Obtain a public certificate from your Certificate Authority (any valid X.509 format certificate can be accepted). No specific format is required for the file name.
- In the web interface of the Algo device, navigate to the System -> File Manager tab.
- Upload the certificate files to the 'certs/trusted' directory. Click the Upload button in the top left corner of the file manager and browse to the certificate.
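A pre-upload check for the two directories described above, as an added example (not part of the Algo firmware or tooling): 'certs/trusted' should receive public certificates only, while the combined device file in 'certs' needs a certificate and its private key. It assumes the files are PEM text; the function names and sample contents are constructed for illustration.

```python
import re

DEVICE_PEM = "sipclient.pem"   # name the page requires for the combined file

# One PEM block: BEGIN label, body, END with the same label.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.DOTALL)


def pem_labels(text):
    """Labels of every complete PEM block, in file order."""
    return [label for label, _body in PEM_BLOCK.findall(text)]


def check_upload(directory, filename, text):
    """Return a list of problems; an empty list means the file fits the target."""
    labels = pem_labels(text)
    certs = labels.count("CERTIFICATE")
    keys = sum(1 for label in labels if label.endswith("PRIVATE KEY"))
    problems = []
    if directory == "certs/trusted":
        if certs == 0:
            problems.append("no certificate in file")
        if keys:
            problems.append("private key in a trust-store upload")
    elif directory == "certs" and filename == DEVICE_PEM:
        if certs == 0:
            problems.append("device certificate missing")
        if keys != 1:
            problems.append("expected exactly one private key, found %d" % keys)
    else:
        problems.append("target not covered by this check")
    return problems


# Constructed sample files; the Base64 bodies are placeholders, not real keys.
CERT = "-----BEGIN CERTIFICATE-----\nTUlJQ29uc3RydWN0ZWQ=\n-----END CERTIFICATE-----\n"
KEY = "-----BEGIN PRIVATE KEY-----\nTUlJQ29uc3RydWN0ZWQ=\n-----END PRIVATE KEY-----\n"

if __name__ == "__main__":
    print(check_upload("certs", DEVICE_PEM, CERT + KEY))
    print(check_upload("certs/trusted", "my-ca.crt", CERT + KEY))
    print(check_upload("certs", DEVICE_PEM, CERT))
```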
Web Interface Options
HTTPS Provisioning
Provisioning can be secured by setting the 'Download Method' to 'HTTPS' (under the Advanced Settings > Provisioning tab). This prevents configuration files from being read by an unwanted third party. This addresses the risk of sensitive data being stolen, such as admin passwords and SIP credentials.
To perform identity verification on the Provisioning Server, also set 'Validate Server Certificate' to 'Enabled'. If the provisioning server's Certificate is signed by one of the common commercial CAs, then the Algo device should already have the public certificate for this CA and be able to perform the verification.
Upload additional certificates (a Base64-encoded X.509 certificate file in .pem, .cer, or .crt format) by navigating to "System > File Manager" and the 'certs/trusted' folder.
NOTE: 'Validate Server Certificate' can also be enabled through provisioning: prov.download.cert = 1
HTTPS Web Interface Protocol
The procedure for uploading a public certificate for HTTPS web browsing is similar to the one described in the section above. The httpd.pem file is the device certificate requested by your computer's browser when you navigate to the device's IP. Uploading a custom one may allow you to get rid of the warning message when you access the WebUI using HTTPS. It is not a public CA certificate. The certificate must be uploaded to the 'certs' directory.
SIP Signaling (and RTP Audio)
SIP signaling is secured by setting 'SIP Transportation' to 'TLS' (under the Advanced Settings > Advanced SIP tab).
- This ensures that the SIP traffic will be encrypted.
- SIP signaling is responsible for establishing the call (the control signals to start and end the call with the other party), but it does not contain the audio.
- For the audio (voice) path, use the setting 'SDP SRTP Offer'.
- Setting this to 'Optional' means the SIP call's RTP audio data will be encrypted (using SRTP) if the other party also supports audio encryption.
- If the other party does not support SRTP, the call will still proceed, but with unencrypted audio. To make audio encryption mandatory for all calls, set 'SDP SRTP Offer' to 'Standard'. In this case, if the other party does not support audio encryption, the call attempt will be rejected.
- To perform identity verification on the SIP Server, also set 'Validate Server Certificate' to 'Enabled'.
- If the SIP server's Certificate is signed by one of the common commercial CAs, then the Algo device should already have the public certificate for this CA and be able to perform the verification. If not (for example with self-signed certificates), then the appropriate public certificate can be uploaded to the Algo device as described earlier in this document.
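The difference between 'Optional' and 'Standard' for 'SDP SRTP Offer', as an added example (not Algo's implementation) that can be run over SDP answers taken from SIP server logs to find calls that fell back to unencrypted audio. It assumes the other party signals SRTP support with an SDES a=crypto line (RFC 4568) in its answer; the function names and sample SDP are constructed.

```python
SETTINGS = ("Optional", "Standard")


def audio_crypto_suite(answer_sdp):
    """SDES crypto suite accepted for the first audio stream, or None."""
    in_audio = False
    for raw in answer_sdp.splitlines():
        line = raw.strip()
        if line.startswith("m="):
            if in_audio:
                break                      # next media section: stop
            fields = line[2:].split()
            if len(fields) >= 2 and fields[0] == "audio":
                if fields[1] == "0":
                    return None            # port 0: audio stream declined
                in_audio = True
        elif in_audio and line.startswith("a=crypto:"):
            parts = line[len("a=crypto:"):].split()
            if len(parts) >= 3:            # tag, suite, key parameters
                return parts[1]            # never return or log the key
    return None


def call_outcome(srtp_offer, answer_sdp):
    """Model the two 'SDP SRTP Offer' behaviours the page describes."""
    if srtp_offer not in SETTINGS:
        raise ValueError("unknown setting: %r" % srtp_offer)
    suite = audio_crypto_suite(answer_sdp)
    if suite:
        return ("proceeds", "SRTP " + suite)
    if srtp_offer == "Standard":
        return ("rejected", None)          # mandatory encryption, no support
    return ("proceeds", "unencrypted RTP")  # 'Optional' falls back silently


# Constructed SDP answers; the inline key is a placeholder.
ANSWER_SRTP = """v=0
o=- 1 1 IN IP4 192.0.2.10
s=-
c=IN IP4 192.0.2.10
t=0 0
m=audio 40000 RTP/SAVP 0
a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:Q09OU1RSVUNURURfS0VZX1BMQUNFSE9MREVSX09OTFk=
"""
ANSWER_PLAIN = ANSWER_SRTP.replace("RTP/SAVP", "RTP/AVP").split("a=crypto")[0]
```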
TLS Version 1.2
Algo devices running firmware v3.1 & above support TLS v1.1 and v1.2. The 'Force Secure TLS Version' option can be used to require TLS connections to use TLSv1.2. To enable this feature:
- Go to Advanced Settings > Advanced SIP
- Set 'Force Secure TLS Version' to enabled and save.
NOTE: This option has been removed in v4.0+ since TLS v1.2 is used by default.
Download Algo Certificates
Below are links to download the Algo CA certificate chain. The files can be installed on the SIP Server or Provisioning Server so that these servers can authenticate the Device Certificates on Algo SIP Endpoints, and thus allow Mutual Authentication:
Algo Root CA: http://firmware.algosolutions.com/pub/certs/algo_issuing.crt
Algo Intermediate CA: http://firmware.algosolutions.com/pub/certs/algo_intermediate.crt
Algo Public Certificate: http://firmware.algosolutions.com/pub/certs/algo_ca.crt
Troubleshooting
If the TLS handshake does not complete, please send a packet capture to Algo support for analysis. To do that you will need to mirror the traffic from the port the Algo endpoint is connected to on the network switch back to a computer.
Algo Communication Products Ltd.
4500 Beedie St Burnaby BC Canada V5J 5L2
www.yigolokinline.com
604-454-3792
support@algosolutions.com