Transport Layer Security validation

Last Updated : Dec 11, 2016

Session Manager applies the following validations for SIP Transport Layer Security (TLS) connections:

  1. During a TLS handshake, the Identity Certificate of the SIP Entity is validated against the trusted CA certificate repository in the Session Manager for SIP TLS connections. If this mutual TLS authentication fails, Session Manager does not accept the connection.

    Note:

    With Session Manager, you can enforce certificate validation for SIP endpoints. Session Manager establishes the connection with the SIP endpoints based on the settings in the TLS Endpoint Certificate Validation field.

  2. If the mutual TLS authentication is successful, Session Manager performs further validation on the SIP entity Identity Certificate as per the Credential Name or the far-end IP address.

    • If the Credential Name string is empty, the connection is accepted.

    • If the Credential Name string is not empty, the Credential Name and the IP address of the far end are searched for in the following fields of the identity certificate presented by the SIP entity:

      • CN value from the subject.

      • subjectAltName.dNSName.

      • subjectAltName.uniformResourceIdentifier. For IP address comparison, the IP address string is converted to SIP:W.X.Y.Z before comparison, where W.X.Y.Z is the remote socket IPv4 address. The search is case-insensitive.
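The post-handshake Credential Name check above, written out as an added Python illustration; it is not Session Manager code. The certificate is represented as a small constructed data class rather than parsed X.509, and the assumption is made that the SIP:W.X.Y.Z conversion applies to the far-end IP comparison in every consulted field.

```python
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class IdentityCertificate:
    """Constructed stand-in for the three certificate fields the check consults."""
    subject_cn: Optional[str]                      # CN value from the subject
    san_dns_names: List[str] = field(default_factory=list)   # subjectAltName.dNSName
    san_uris: List[str] = field(default_factory=list)        # subjectAltName.uniformResourceIdentifier


def consulted_values(cert: IdentityCertificate) -> List[str]:
    """Collect CN, SAN dNSName and SAN URI values in the order the page lists them."""
    values = []
    if cert.subject_cn:
        values.append(cert.subject_cn)
    values.extend(cert.san_dns_names)
    values.extend(cert.san_uris)
    return values


def credential_name_check(cert: IdentityCertificate, credential_name: str, far_end_ip: str) -> bool:
    """Return True when the connection passes step 2 of the validation.

    An empty Credential Name accepts the connection outright. Otherwise the
    Credential Name, or the far-end IPv4 address in its SIP:W.X.Y.Z form,
    must appear in one of the consulted fields; comparison is case-insensitive.
    (Assumption: the SIP: form is compared against all three fields.)
    """
    if not credential_name:
        return True
    wanted = {credential_name.lower(), f"sip:{far_end_ip}".lower()}
    return any(value.lower() in wanted for value in consulted_values(cert))


if __name__ == "__main__":
    # Constructed peer certificate: CN and SAN values are sample data only.
    peer = IdentityCertificate(
        subject_cn="sm-peer.example.com",
        san_dns_names=["SM-PEER.EXAMPLE.COM"],
        san_uris=["sip:192.0.2.10"],
    )
    print(credential_name_check(peer, "", "198.51.100.7"))                    # True: empty name
    print(credential_name_check(peer, "Sm-Peer.Example.Com", "198.51.100.7")) # True: CN, case-insensitive
    print(credential_name_check(peer, "other.example.com", "192.0.2.10"))     # True: SIP:IP in SAN URI
    print(credential_name_check(peer, "other.example.com", "198.51.100.7"))   # False: nothing matches
```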