freeswitch/conf/vanilla/sip_profiles/external-ipv6.xml

<profile name="external-ipv6">
  <!-- http://wiki.freeswitch.org/wiki/Sofia_Configuration_Files -->
  <!-- This profile is only for outbound registrations to providers -->
  <gateways>
    <X-PRE-PROCESS cmd="include" data="external-ipv6/*.xml"/>
  </gateways>

  <aliases>
    <!--
        <alias name="outbound"/>
        <alias name="nat"/>
    -->
  </aliases>

  <domains>
    <!--<domain name="all" alias="false" parse="true"/>-->
  </domains>

  <settings>
    <param name="debug" value="0"/>
    <!-- If you want FreeSWITCH to shutdown if this profile fails to load, uncomment the next line. -->
    <!-- <param name="shutdown-on-fail" value="true"/> -->
    <param name="sip-trace" value="no"/>
    <param name="sip-capture" value="no"/>
    <param name="rfc2833-pt" value="101"/>
    <!-- RFC 5626 : Send reg-id and sip.instance -->
    <!--<param name="enable-rfc-5626" value="true"/> -->
    <param name="sip-port" value="$${external_sip_port}"/>
    <param name="dialplan" value="XML"/>
    <param name="context" value="public"/>
    <param name="dtmf-duration" value="2000"/>
    <param name="inbound-codec-prefs" value="$${global_codec_prefs}"/>
    <param name="outbound-codec-prefs" value="$${outbound_codec_prefs}"/>
    <param name="hold-music" value="$${hold_music}"/>
    <param name="rtp-timer-name" value="soft"/>
    <!--<param name="enable-100rel" value="true"/>-->
    <!--<param name="disable-srv503" value="true"/>-->
    <!-- This could be set to "passive" -->
    <param name="local-network-acl" value="localnet.auto"/>
    <param name="manage-presence" value="false"/>

    <!-- used to share presence info across sofia profiles
         manage-presence needs to be set to passive on this profile
         if you want it to behave as if it were the internal profile
         for presence.
    -->
    <!-- Name of the db to use for this profile -->
    <!--<param name="dbname" value="share_presence"/>-->
    <!--<param name="presence-hosts" value="$${domain}"/>-->
    <!--<param name="force-register-domain" value="$${domain}"/>-->
    <!--all inbound reg will stored in the db using this domain -->
    <!--<param name="force-register-db-domain" value="$${domain}"/>-->
    <!-- ************************************************* -->

    <!--<param name="aggressive-nat-detection" value="true"/>-->
    <param name="inbound-codec-negotiation" value="generous"/>
    <param name="nonce-ttl" value="60"/>
    <param name="auth-calls" value="false"/>
    <param name="inbound-late-negotiation" value="true"/>
    <param name="inbound-zrtp-passthru" value="true"/> <!-- (also enables late negotiation) -->
    <!--
        DO NOT USE HOSTNAMES, ONLY IP ADDRESSES IN THESE SETTINGS!
    -->
    <param name="rtp-ip" value="$${local_ip_v6}"/>
    <param name="sip-ip" value="$${local_ip_v6}"/>
    <!-- Shouldn't set these on IPv6 -->
    <!--<param name="ext-rtp-ip" value="auto-nat"/>-->
    <!--<param name="ext-sip-ip" value="auto-nat"/>-->
    <param name="rtp-timeout-sec" value="300"/>
    <param name="rtp-hold-timeout-sec" value="1800"/>
    <!--<param name="enable-3pcc" value="true"/>-->

    <!-- TLS: disabled by default, set to "true" to enable -->
    <param name="tls" value="$${external_ssl_enable}"/>
    <!-- Set to true to not bind on the normal sip-port but only on the TLS port -->
    <param name="tls-only" value="false"/>
    <!-- additional bind parameters for TLS -->
    <param name="tls-bind-params" value="transport=tls"/>
    <!-- Port to listen on for TLS requests. (5081 will be used if unspecified) -->
    <param name="tls-sip-port" value="$${external_tls_port}"/>
    <!-- Location of the agent.pem and cafile.pem ssl certificates (needed for TLS server) -->
    <!--<param name="tls-cert-dir" value=""/>-->
    <!-- Optionally set the passphrase password used by openSSL to encrypt/decrypt TLS private key files -->
    <param name="tls-passphrase" value=""/>
    <!-- Verify the date on TLS certificates -->
    <param name="tls-verify-date" value="true"/>
    <!-- TLS verify policy, when registering/inviting gateways with other servers (outbound) or handling inbound registration/invite requests how should we verify their certificate -->
    <!-- set to 'in' to only verify incoming connections, 'out' to only verify outgoing connections, 'all' to verify all connections, also 'subjects_in', 'subjects_out' and 'subjects_all' for subject validation. Multiple policies can be split with a '|' pipe -->
    <param name="tls-verify-policy" value="none"/>
    <!-- Certificate max verify depth to use for validating peer TLS certificates when the verify policy is not none -->
    <param name="tls-verify-depth" value="2"/>
    <!-- If the tls-verify-policy is set to subjects_all or subjects_in this sets which subjects are allowed, multiple subjects can be split with a '|' pipe -->
    <param name="tls-verify-in-subjects" value=""/>
    <!-- TLS version ("sslv23" (default), "tlsv1"). NOTE: Phones may not work with TLSv1 -->
    <param name="tls-version" value="$${sip_tls_version}"/>
  </settings>
</profile>
External ipv6 2014-06-16 19:10:42 -04:00			`<profile name="external-ipv6">`
			`<!-- http://wiki.freeswitch.org/wiki/Sofia_Configuration_Files -->`
			`<!-- This profile is only for outbound registrations to providers -->`
			`<gateways>`
make vanilla configuration gateways easier to understand for new users having the same gateway definition bound to the ipv6 and ipv4 external profiles caused confusion for some new users. Also having a gateway bound to the internal profile was a bit confusing. fs-6859 2014-09-25 14:05:44 -04:00			`<X-PRE-PROCESS cmd="include" data="external-ipv6/*.xml"/>`
External ipv6 2014-06-16 19:10:42 -04:00			`</gateways>`

			`<aliases>`
			`<!--`
			`<alias name="outbound"/>`
			`<alias name="nat"/>`
			`-->`
			`</aliases>`

			`<domains>`
FS-8363 don't register gateways from directory, this exposes a bug where it registers over what appears to be ipv6 but doens't work correctly 2015-10-19 15:49:05 -04:00			`<!--<domain name="all" alias="false" parse="true"/>-->`
External ipv6 2014-06-16 19:10:42 -04:00			`</domains>`

			`<settings>`
			`<param name="debug" value="0"/>`
			`<!-- If you want FreeSWITCH to shutdown if this profile fails to load, uncomment the next line. -->`
			`<!-- <param name="shutdown-on-fail" value="true"/> -->`
			`<param name="sip-trace" value="no"/>`
			`<param name="sip-capture" value="no"/>`
			`<param name="rfc2833-pt" value="101"/>`
			`<!-- RFC 5626 : Send reg-id and sip.instance -->`
			`<!--<param name="enable-rfc-5626" value="true"/> -->`
			`<param name="sip-port" value="$${external_sip_port}"/>`
			`<param name="dialplan" value="XML"/>`
			`<param name="context" value="public"/>`
			`<param name="dtmf-duration" value="2000"/>`
			`<param name="inbound-codec-prefs" value="$${global_codec_prefs}"/>`
			`<param name="outbound-codec-prefs" value="$${outbound_codec_prefs}"/>`
			`<param name="hold-music" value="$${hold_music}"/>`
			`<param name="rtp-timer-name" value="soft"/>`
			`<!--<param name="enable-100rel" value="true"/>-->`
			`<!--<param name="disable-srv503" value="true"/>-->`
			`<!-- This could be set to "passive" -->`
			`<param name="local-network-acl" value="localnet.auto"/>`
			`<param name="manage-presence" value="false"/>`

			`<!-- used to share presence info across sofia profiles`
			`manage-presence needs to be set to passive on this profile`
			`if you want it to behave as if it were the internal profile`
			`for presence.`
			`-->`
			`<!-- Name of the db to use for this profile -->`
			`<!--<param name="dbname" value="share_presence"/>-->`
			`<!--<param name="presence-hosts" value="$${domain}"/>-->`
			`<!--<param name="force-register-domain" value="$${domain}"/>-->`
			`<!--all inbound reg will stored in the db using this domain -->`
			`<!--<param name="force-register-db-domain" value="$${domain}"/>-->`
			`<!-- ************************************************* -->`

			`<!--<param name="aggressive-nat-detection" value="true"/>-->`
			`<param name="inbound-codec-negotiation" value="generous"/>`
			`<param name="nonce-ttl" value="60"/>`
			`<param name="auth-calls" value="false"/>`
			`<param name="inbound-late-negotiation" value="true"/>`
			`<param name="inbound-zrtp-passthru" value="true"/> <!-- (also enables late negotiation) -->`
			`<!--`
			`DO NOT USE HOSTNAMES, ONLY IP ADDRESSES IN THESE SETTINGS!`
			`-->`
			`<param name="rtp-ip" value="$${local_ip_v6}"/>`
			`<param name="sip-ip" value="$${local_ip_v6}"/>`
FS-7917 #resolve Fixed default config, original patch was correct but we really shouldn't be setting ext-*-ip settings for ipv6 profiles 2015-07-30 12:45:46 -04:00			`<!-- Shouldn't set these on IPv6 -->`
			`<!--<param name="ext-rtp-ip" value="auto-nat"/>-->`
			`<!--<param name="ext-sip-ip" value="auto-nat"/>-->`
External ipv6 2014-06-16 19:10:42 -04:00			`<param name="rtp-timeout-sec" value="300"/>`
			`<param name="rtp-hold-timeout-sec" value="1800"/>`
			`<!--<param name="enable-3pcc" value="true"/>-->`

			`<!-- TLS: disabled by default, set to "true" to enable -->`
			`<param name="tls" value="$${external_ssl_enable}"/>`
			`<!-- Set to true to not bind on the normal sip-port but only on the TLS port -->`
			`<param name="tls-only" value="false"/>`
			`<!-- additional bind parameters for TLS -->`
			`<param name="tls-bind-params" value="transport=tls"/>`
			`<!-- Port to listen on for TLS requests. (5081 will be used if unspecified) -->`
			`<param name="tls-sip-port" value="$${external_tls_port}"/>`
			`<!-- Location of the agent.pem and cafile.pem ssl certificates (needed for TLS server) -->`
			`<!--<param name="tls-cert-dir" value=""/>-->`
			`<!-- Optionally set the passphrase password used by openSSL to encrypt/decrypt TLS private key files -->`
			`<param name="tls-passphrase" value=""/>`
			`<!-- Verify the date on TLS certificates -->`
			`<param name="tls-verify-date" value="true"/>`
			`<!-- TLS verify policy, when registering/inviting gateways with other servers (outbound) or handling inbound registration/invite requests how should we verify their certificate -->`
Fix docs on enabling cert CN/SAN validation The correct incantations to enable certification common name / subject alternative name verification, per our code, are `subjects_all`, `subjects_in`, and `subjects_out` in a Sofia profile's `tls-verify-policy`. What we've had in our examples and documentation for years are `all_subjects`, `in_subjects`, and `out_subjects`. The result of this is that we've almost certainly confused people into using the incorrect forms. Those poor people will believe that they are verifying the CN/SAN of the received host certificate against the list in `tls-verify-in-subjects` when in fact they are not. One clear issue in this case was that the incorrect forms failed to have any effect without providing any warning or error. This issue could not have persisted if we had made more noise about incorrect input. Given how long this has been broken, it's tempting to alias the incorrect forms to the correct ones. However this would certainly break many existing installations that have, because of this error, never actually tested their setup with CN/SAN validation enabled. In this commit, we fix the examples and documentation, and add an error-level log output when unknown values are passed to `tls-verify-policy`. Thanks-to: Andrew Patrikalakis <anrp+freeswitch@anrp.net> 2015-05-26 10:01:31 -04:00			`<!-- set to 'in' to only verify incoming connections, 'out' to only verify outgoing connections, 'all' to verify all connections, also 'subjects_in', 'subjects_out' and 'subjects_all' for subject validation. Multiple policies can be split with a '\|' pipe -->`
External ipv6 2014-06-16 19:10:42 -04:00			`<param name="tls-verify-policy" value="none"/>`
			`<!-- Certificate max verify depth to use for validating peer TLS certificates when the verify policy is not none -->`
			`<param name="tls-verify-depth" value="2"/>`
			`<!-- If the tls-verify-policy is set to subjects_all or subjects_in this sets which subjects are allowed, multiple subjects can be split with a '\|' pipe -->`
			`<param name="tls-verify-in-subjects" value=""/>`
			`<!-- TLS version ("sslv23" (default), "tlsv1"). NOTE: Phones may not work with TLSv1 -->`
			`<param name="tls-version" value="$${sip_tls_version}"/>`
			`</settings>`
			`</profile>`