The OpenIMSCore P-CSCF is capable of TLS-encrypted connections over the Gm interface.
To enable TLS, the configuration script pcscf.cfg must be modified according to the commented lines. Please check this FAQ for more information on how to make your P-CSCF TLS ready.
The TLS User Endpoint does not need a valid certificate; only the P-CSCF server must provide one. For the User Endpoint to fully validate the P-CSCF identity, the P-CSCF must probably have a valid signed certificate, not a self-signed one (like the one the tls_prepare.sh script generates).
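The difference an endpoint sees between a self-signed and a CA-signed P-CSCF certificate can be reproduced offline with the openssl command-line tool. This is an added example, not part of the OpenIMSCore scripts and not what tls_prepare.sh does; the host name, the test CA and all file names are constructed placeholders.

```shell
#!/usr/bin/env bash
# Added example: every certificate below is constructed for the demo.
# It compares a self-signed P-CSCF certificate with one issued by a CA
# that the validating endpoint trusts.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
HOST="pcscf.example.test"   # assumed P-CSCF host name (placeholder)

# Quiet wrapper: callers only need openssl's exit status.
q() { "$@" >/dev/null 2>&1; }

make_certs() {
  # 1. Self-signed server certificate (the case the text warns about).
  q openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$HOST" \
      -keyout "$WORK/self.key" -out "$WORK/self.pem" || return 1
  # 2. Test CA standing in for the endpoint's trust anchor.
  q openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
      -subj "/CN=Example Test CA" \
      -keyout "$WORK/ca.key" -out "$WORK/ca.pem" || return 1
  # 3. Server key and signing request, then a certificate issued by the CA.
  q openssl req -newkey rsa:2048 -nodes -subj "/CN=$HOST" \
      -keyout "$WORK/signed.key" -out "$WORK/signed.csr" || return 1
  q openssl x509 -req -in "$WORK/signed.csr" -days 1 \
      -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
      -out "$WORK/signed.pem"
}

# Succeeds only if the certificate chains to the trusted test CA.
trusted_by_endpoint() {
  q openssl verify -CAfile "$WORK/ca.pem" "$1"
}

make_certs || { echo "openssl missing or certificate generation failed" >&2; exit 1; }

for c in self signed; do
  if trusted_by_endpoint "$WORK/$c.pem"; then
    echo "$c.pem: accepted by a validating endpoint"
  else
    echo "$c.pem: rejected by a validating endpoint"
  fi
done
```

An endpoint that skips certificate validation accepts both certificates, which is why a test that merely completes the TLS handshake does not show that the P-CSCF identity was checked.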
To test TLS, we needed to slightly change SIPp. Here you can find SIPp with this patch applied. The modifications were mainly required to support different SIPp instances for the first and second REGISTER.
Remember that for TLS support, SIPp must be compiled with the ossl option (make ossl)!
To register via TLS, we use 2 XML scenario files (scenarios/regbob.xml and scenarios/regbob2.xml) with 2 different instances of SIPp, as follows:
A TLS secure connection can be established from the first REGISTER as well (the runTLS2.sh script with the regbob_tls.xls scenario file), but OpenIMSCore provides full flexibility according to 3GPP specifications. A Wireshark trace for this scenario (tls_from_begining.pcap) is attached as well.
After a successful REGISTER over a TLS secure connection, any subsequent REGISTER will be marked as being integrity protected.
You can check the attached Wireshark trace (tls.pcap) to see the full scenario dump.
| Attachment | Size |
|---|---|
| tls.pcap | 18.34 KB |
| tls_from_begining.pcap | 15.88 KB |