Files
freeswitch/src/mod/endpoints/mod_sofia/conf/sofia.conf.xml
T
Travis Cross 57abca11a8 Support setting TLS cipher suites in mod_sofia
This adds a parameter tls-ciphers in which we can specify the TLS
cipher suite specification for OpenSSL.
2014-02-06 06:04:02 +00:00

498 lines
24 KiB
XML

<configuration name="sofia.conf" description="sofia endpoint">
<global_settings>
<param name="log-level" value="0"/>
<param name="auto-restart" value="false"/>
<param name="debug-presence" value="0"/>
<!-- <param name="capture-server" value="udp:homer.example.com:5060"/> -->
</global_settings>
<profiles>
<!--
This is a sofia sip profile/user agent. This will service exactly one
ip and port. In FreeSWITCH you can run multiple sip user agents on
their own ip and port.
-->
<profile name="example">
<gateways>
<gateway name="example-gateway">
<!-- account username (required) -->
<param name="username" value="cluecon"/>
<!-- auth realm (same as gateway name, if blank) -->
<param name="realm" value="example.com"/>
<!-- username to use in from (same as username, if blank) -->
<param name="from-user" value="cluecon"/>
<!-- domain to use in from (same as realm, if blank) /// -->
<param name="from-domain" value="example.com"/>
<!-- account password (required) -->
<param name="password" value="xxxx"/>
<!-- extension for inbound calls (same as username, if blank) -->
<param name="extension" value="cluecon"/>
<!-- proxy host (same as realm, if blank) -->
<param name="proxy" value="example.com"/>
<!-- send register to this proxy (same as proxy, if blank) -->
<param name="register-proxy" value="example.com"/>
<!-- expire in seconds (3600, if blank) -->
<param name="expire-seconds" value="600"/>
<!-- do not register -->
<param name="register" value="false"/>
<!-- which transport to use for register -->
<param name="register-transport" value="tcp"/>
<!-- how many seconds before a retry when a failure or timeout occurs
-->
<param name="retry-seconds" value="30"/>
<!-- use the callerid of an inbound call in the from field on outbound
calls via this gateway -->
<param name="caller-id-in-from" value="false"/>
<!-- extra sip params to send in the contact -->
<param name="contact-params" value="tport=tcp"/>
<!-- put the extension in the contact -->
<param name="extension-in-contact" value="true"/>
<!-- send an options ping every x seconds, failure will unregister
and/or mark it down -->
<param name="ping" value="25"/>
<!-- callerid header mechanism -->
<param name="cid-type" value="rpid"/>
</gateway>
</gateways>
<aliases>
<!-- aliases are other names that will work as a valid profile name for
this profile -->
<alias name="default"/>
</aliases>
<domains>
<!-- indicator to parse the directory for domains with parse="true" to
get gateways -->
<!-- <domain name="$${domain}" parse="true"/> -->
<!-- indicator to parse the directory for domains with parse="true" to
get gateways and alias every domain to this profile -->
<!-- This may seem like just a configuration convenience, but
aliasing has real effects on the handling of packets. If
you're sharing a profile between multiple realms, you
want to alias all realms to the shared profile. -->
<!-- <domain name="all" alias="true" parse="true"/> -->
<domain name="all" alias="true" parse="false"/>
</domains>
<settings>
<!-- When calls are in no media this will bring them back to media when
you press the hold button. -->
<!-- <param name="media-option" value="resume-media-on-hold"/> -->
<!-- This will allow a call after an attended transfer go back to bypass
media after an attended transfer. -->
<!-- <param name="media-option" value="bypass-media-after-att-xfer"/> -->
<!-- bypass again when hold is complete -->
<!-- <param name="media-option" value="bypass-media-after-hold"/> -->
<!-- <param name="user-agent-string" value="FreeSWITCH Rocks!"/> -->
<param name="debug" value="0"/>
<!-- If you want FreeSWITCH to shutdown if this profile fails to load,
uncomment the next line. -->
<!-- <param name="shutdown-on-fail" value="true"/> -->
<param name="sip-trace" value="no"/>
<param name="sip-capture" value="no"/>
<!-- Use presence_map.conf.xml to convert extension regex to presence
protos for routing -->
<!-- <param name="presence-proto-lookup" value="true"/> -->
<!-- Don't be picky about negotiated DTMF just always offer 2833 and
accept both 2833 and INFO -->
<!-- <param name="liberal-dtmf" value="true"/> -->
<!--
Sometimes, in extremely rare edge cases, the Sofia SIP stack may
stop responding. These options allow you to enable and control a
watchdog on the Sofia SIP stack so that if it stops responding for
the specified number of milliseconds, it will cause FreeSWITCH to
crash immediately. This is useful if you run in an HA environment
and need to ensure automated recovery from such a condition. Note
that if your server is idle a lot, the watchdog may fire due to not
receiving any SIP messages. Thus, if you expect your system to be
idle, you should leave the watchdog disabled. It can be toggled on
and off through the FreeSWITCH CLI either on an individual profile
basis or globally for all profiles. So, if you run in an HA
environment with a master and slave, you should use the CLI to make
sure the watchdog is only enabled on the master.
If such crash occurs, FreeSWITCH will dump core if allowed. The
stacktrace will include function watchdog_triggered_abort().
-->
<param name="watchdog-enabled" value="no"/>
<param name="watchdog-step-timeout" value="30000"/>
<param name="watchdog-event-timeout" value="30000"/>
<param name="log-auth-failures" value="false"/>
<param name="forward-unsolicited-mwi-notify" value="false"/>
<param name="context" value="public"/>
<param name="rfc2833-pt" value="101"/>
<!-- port to bind to for sip traffic -->
<param name="sip-port" value="$${internal_sip_port}"/>
<param name="dialplan" value="XML"/>
<param name="dtmf-duration" value="2000"/>
<param name="inbound-codec-prefs" value="$${global_codec_prefs}"/>
<param name="outbound-codec-prefs" value="$${global_codec_prefs}"/>
<param name="rtp-timer-name" value="soft"/>
<!-- ip address to use for rtp, DO NOT USE HOSTNAMES ONLY IP ADDRESSES -->
<param name="rtp-ip" value="$${local_ip_v4}"/>
<!-- ip address to bind to, DO NOT USE HOSTNAMES ONLY IP ADDRESSES -->
<param name="sip-ip" value="$${local_ip_v4}"/>
<param name="hold-music" value="$${hold_music}"/>
<param name="apply-nat-acl" value="nat.auto"/>
<!-- (default true) set to false if you do not wish to have called party
info in 1XX responses -->
<!-- <param name="cid-in-1xx" value="false"/> -->
<!-- extended info parsing -->
<!-- <param name="extended-info-parsing" value="true"/> -->
<!-- <param name="aggressive-nat-detection" value="true"/> -->
<!-- There are known issues (asserts and segfaults) when 100rel is
enabled. It is not recommended to enable 100rel at this time. -->
<!-- <param name="enable-100rel" value="true"/> -->
<!-- uncomment if you don't wish to try a next SRV destination on 503
response -->
<!-- RFC3263 Section 4.3 -->
<!-- <param name="disable-srv503" value="true"/> -->
<!-- Enable Compact SIP headers. -->
<!-- <param name="enable-compact-headers" value="true"/> -->
<!-- enable/disable session timers -->
<!-- <param name="enable-timer" value="false"/> -->
<!-- <param name="minimum-session-expires" value="120"/> -->
<param name="apply-inbound-acl" value="domains"/>
<!-- This defines your local network, by default we detect your local
network and create this localnet.auto ACL for this. -->
<param name="local-network-acl" value="localnet.auto"/>
<!-- <param name="apply-register-acl" value="domains"/> -->
<!-- <param name="dtmf-type" value="info"/> -->
<!-- 'true' means every time 'first-only' means on the first register -->
<!-- <param name="send-message-query-on-register" value="true"/> -->
<!-- 'true' means every time 'first-only' means on the first register -->
<!-- <param name="send-presence-on-register" value="first-only"/> -->
<!-- Caller-ID type (choose one, can be overridden by inbound call type
and/or sip_cid_type channel variable -->
<!-- Remote-Party-ID header -->
<!-- <param name="caller-id-type" value="rpid"/> -->
<!-- P-*-Identity family of headers -->
<!-- <param name="caller-id-type" value="pid"/> -->
<!-- neither one -->
<!-- <param name="caller-id-type" value="none"/> -->
<param name="record-path" value="$${recordings_dir}"/>
<param name="record-template" value="${caller_id_number}.${target_domain}.${strftime(%Y-%m-%d-%H-%M-%S)}.wav"/>
<!-- enable to use presence -->
<param name="manage-presence" value="true"/>
<!-- send a presence probe on each register to query devices to send
presence instead of sending presence with less info -->
<!-- <param name="presence-probe-on-register" value="true"/> -->
<!-- <param name="manage-shared-appearance" value="true"/> -->
<!-- used to share presence info across sofia profiles -->
<!-- Name of the db to use for this profile -->
<!-- <param name="dbname" value="share_presence"/> -->
<param name="presence-hosts" value="$${domain},$${local_ip_v4}"/>
<param name="presence-privacy" value="$${presence_privacy}"/>
<!-- This setting is for AAL2 bitpacking on G726 -->
<!-- <param name="bitpacking" value="aal2"/> -->
<!-- max number of open dialogs in proceeding -->
<!-- <param name="max-proceeding" value="1000"/> -->
<!-- session timers for all call to expire after the specified seconds -->
<!-- <param name="session-timeout" value="1800"/> -->
<!-- Can be 'true' or 'contact' -->
<!-- <param name="multiple-registrations" value="contact"/> -->
<!-- set to 'greedy' if you want your codec list to take precedence -->
<param name="inbound-codec-negotiation" value="generous"/>
<!-- if you want to send any special bind params of your own -->
<!-- <param name="bind-params" value="transport=udp"/> -->
<!-- <param name="unregister-on-options-fail" value="true"/> -->
<!-- Send an OPTIONS packet to all registered endpoints -->
<!--<param name="all-reg-options-ping" value="true"/>-->
<!-- Send an OPTIONS packet to NATed registered endpoints. Can be 'true' or 'udp-only
<!--<param name="nat-options-ping" value="true"/>-->
<!-- TLS: disabled by default, set to "true" to enable -->
<param name="tls" value="$${internal_ssl_enable}"/>
<!-- Set to true to not bind on the normal sip-port but only on the TLS
port -->
<param name="tls-only" value="false"/>
<!-- additional bind parameters for TLS -->
<param name="tls-bind-params" value="transport=tls"/>
<!-- Port to listen on for TLS requests. (5061 will be used if
unspecified) -->
<param name="tls-sip-port" value="$${internal_tls_port}"/>
<!-- Location of the agent.pem and cafile.pem ssl certificates (needed
for TLS server) -->
<param name="tls-cert-dir" value="$${internal_ssl_dir}"/>
<!-- Optionally set the passphrase password used by openSSL to
encrypt/decrypt TLS private key files -->
<param name="tls-passphrase" value=""/>
<!-- Verify the date on TLS certificates -->
<param name="tls-verify-date" value="true"/>
<!-- TLS verify policy, when registering/inviting gateways with other
servers (outbound) or handling inbound registration/invite requests
how should we verify their certificate -->
<!-- set to 'in' to only verify incoming connections, 'out' to only
verify outgoing connections, 'all' to verify all connections, also
'in_subjects', 'out_subjects' and 'all_subjects' for subject
validation. Multiple policies can be split with a '|' pipe -->
<param name="tls-verify-policy" value="none"/>
<!-- Certificate max verify depth to use for validating peer TLS
certificates when the verify policy is not none -->
<param name="tls-verify-depth" value="2"/>
<!-- If the tls-verify-policy is set to subjects_all or subjects_in this
sets which subjects are allowed, multiple subjects can be split
with a '|' pipe -->
<param name="tls-verify-in-subjects" value=""/>
<!-- Set the OpenSSL cipher suite list -->
<!-- <param name="tls-ciphers" value="!aNULL:!LOW:!EXP:!kECDH:!ECDSA:!DSS:!PSK:!SRP:ALL"/> -->
<!-- TLS version ("sslv23" (default), "tlsv1"). NOTE: Phones may not
work with TLSv1 -->
<param name="tls-version" value="$${sip_tls_version}"/>
<!-- TLS maximum session lifetime -->
<!-- <param name="tls-timeout" value="300"/> -->
<!-- turn on auto-flush during bridge (skip timer sleep when the socket
already has data) (reduces delay on latent connections default
true, must be disabled explicitly) -->
<!-- <param name="rtp-autoflush-during-bridge" value="false"/> -->
<!-- If you don't want to pass through timestamps from 1 RTP call to
another (on a per call basis with rtp_rewrite_timestamps chanvar)
-->
<!-- <param name="rtp-rewrite-timestamps" value="true"/> -->
<!-- <param name="pass-rfc2833" value="true"/> -->
<!-- If you have ODBC support and a working dsn you can use it instead
of SQLite -->
<!-- <param name="odbc-dsn" value="dsn:user:pass"/> -->
<!-- Uncomment to set all inbound calls to no media mode -->
<!-- <param name="inbound-bypass-media" value="true"/> -->
<!-- Uncomment to set all inbound calls to proxy media mode -->
<!-- <param name="inbound-proxy-media" value="true"/> -->
<!-- Let calls hit the dialplan before selecting codec for the a-leg -->
<param name="inbound-late-negotiation" value="true"/>
<!-- Allow ZRTP clients to negotiate end-to-end security associations (also enables late negotiation) -->
<param name="inbound-zrtp-passthru" value="true"/>
<!-- this lets anything register -->
<!-- comment the next line and uncomment one or both of the other 2
lines for call authentication -->
<!-- <param name="accept-blind-reg" value="true"/> -->
<!-- accept any authentication without actually checking (not a good
feature for most people) -->
<!-- <param name="accept-blind-auth" value="true"/> -->
<!-- suppress CNG on this profile or per call with the 'suppress_cng'
variable -->
<!-- <param name="suppress-cng" value="true"/> -->
<!-- TTL for nonce in sip auth -->
<param name="nonce-ttl" value="60"/>
<!-- Uncomment if you want to force the outbound leg of a bridge to only
offer the codec that the originator is using -->
<!-- <param name="disable-transcoding" value="true"/> -->
<!-- Handle 302 Redirect in the dialplan -->
<!-- <param name="manual-redirect" value="true"/> -->
<!-- Disable Transfer -->
<!-- <param name="disable-transfer" value="true"/> -->
<!-- Disable Register -->
<!-- <param name="disable-register" value="true"/> -->
<!-- Used for when phones respond to a challenged ACK with method INVITE
in the hash -->
<!-- <param name="NDLB-broken-auth-hash" value="true"/> -->
<!-- add a ;received="<ip>:<port>" to the contact when replying to
register for nat handling -->
<!-- <param name="NDLB-received-in-nat-reg-contact" value="true"/> -->
<param name="auth-calls" value="$${internal_auth_calls}"/>
<!-- <param name="auth-messages" value="false"/> -->
<!-- Force the user and auth-user to match. -->
<param name="inbound-reg-force-matching-username" value="true"/>
<!-- on authed calls, authenticate *all* the packets not just invite -->
<param name="auth-all-packets" value="false"/>
<!-- external_sip_ip
Used as the public IP address for SDP.
Can be an one of:
ip address - "12.34.56.78"
a stun server lookup - "stun:stun.server.com"
a DNS name - "host:host.server.com"
auto - Use guessed ip.
auto-nat - Use ip learned from NAT-PMP or UPNP
-->
<param name="ext-rtp-ip" value="auto-nat"/>
<param name="ext-sip-ip" value="auto-nat"/>
<!-- rtp inactivity timeout -->
<param name="rtp-timeout-sec" value="300"/>
<param name="rtp-hold-timeout-sec" value="1800"/>
<!-- VAD choose one (out is a good choice); -->
<!-- <param name="vad" value="in"/> -->
<!-- <param name="vad" value="out"/> -->
<!-- <param name="vad" value="both"/> -->
<!-- <param name="alias" value="sip:10.0.1.251:5555"/> -->
<!--
These are enabled to make the default config work better out of the
box. If you need more than ONE domain you'll need to not use these
options.
-->
<!-- all inbound reg will look in this domain for the users -->
<param name="force-register-domain" value="$${domain}"/>
<!-- force the domain in subscriptions to this value -->
<param name="force-subscription-domain" value="$${domain}"/>
<!-- all inbound reg will stored in the db using this domain -->
<param name="force-register-db-domain" value="$${domain}"/>
<!-- <param name="delete-subs-on-register" value="false"/> -->
<!-- launch a new thread to process each new inbound register when using heavier backends -->
<!-- <param name="inbound-reg-in-new-thread" value="true"/> -->
<!-- enable rtcp on every channel also can be done per leg basis with
rtcp_audio_interval_msec variable set to passthru to pass it across
a call -->
<!-- <param name="rtcp-audio-interval-msec" value="5000"/> -->
<!-- <param name="rtcp-video-interval-msec" value="5000"/> -->
<!-- force suscription expires to a lower value than requested -->
<!-- <param name="force-subscription-expires" value="60"/> -->
<!-- add a random deviation to the expires value of the 202 Accepted -->
<!--<param name="sip-subscription-max-deviation" value="120"/>-->
<!-- disable register and transfer which may be undesirable in a public
switch -->
<!-- <param name="disable-transfer" value="true"/> -->
<!-- <param name="disable-register" value="true"/> -->
<!--
enable-3pcc can be set to either 'true' or 'proxy', true accepts
the call right away, proxy waits until the call has been answered
then sends accepts
-->
<!-- <param name="enable-3pcc" value="true"/> -->
<!-- use at your own risk or if you know what this does. -->
<!-- <param name="NDLB-force-rport" value="true"/> -->
<!--
Choose the realm challenge key. Default is auto_to if not set.
auto_from - uses the from field as the value for the sip realm.
auto_to - uses the to field as the value for the sip realm.
<anyvalue> - you can input any value to use for the sip realm.
If you want URL dialing to work you'll want to set this to auto_from.
If you use any other value besides auto_to or auto_from you'll loose
the ability to do multiple domains.
Note: comment out to restore the behavior before 2008-09-29
-->
<param name="challenge-realm" value="auto_from"/>
<!-- <param name="disable-rtp-auto-adjust" value="true"/> -->
<!-- on inbound calls make the uuid of the session equal to the sip call
id of that call -->
<!-- <param name="inbound-use-callid-as-uuid" value="true"/> -->
<!-- on outbound calls set the callid to match the uuid of the session
-->
<!-- <param name="outbound-use-uuid-as-callid" value="true"/> -->
<!-- set to false disable this feature -->
<!-- <param name="rtp-autofix-timing" value="false"/> -->
<!-- set this param to false if your gateway for some reason hates X-
headers that it is supposed to ignore -->
<!-- <param name="pass-callee-id" value="false"/> -->
<!-- clear clears them all or supply the name to add or the name
prefixed with ~ to remove valid values:
clear
CISCO_SKIP_MARK_BIT_2833
SONUS_SEND_INVALID_TIMESTAMP_2833
-->
<!-- <param name="auto-rtp-bugs" data="clear"/> -->
<!-- the following can be used as workaround with bogus SRV/NAPTR
records -->
<!-- <param name="disable-srv" value="false" /> -->
<!-- <param name="disable-naptr" value="false" /> -->
<!-- The following can be used to fine-tune timers within sofia's
transport layer Those settings are for advanced users and can
safely be left as-is -->
<!-- Initial retransmission interval (in milliseconds).
Set the T1 retransmission interval used by the SIP transaction
engine.
The T1 is the initial duration used by request retransmission
timers A and E (UDP) as well as response retransmission timer G.
-->
<!-- <param name="timer-T1" value="500" /> -->
<!-- Transaction timeout (defaults to T1 * 64).
Set the T1x64 timeout value used by the SIP transaction engine.
The T1x64 is duration used for timers B, F, H, and J (UDP) by the
SIP transaction engine.
The timeout value T1x64 can be adjusted separately from the initial
retransmission interval T1. -->
<!-- <param name="timer-T1X64" value="32000" /> -->
<!-- Maximum retransmission interval (in milliseconds).
Set the maximum retransmission interval used by the SIP transaction
engine.
The T2 is the maximum duration used for the timers E (UDP) and G by
the SIP transaction engine.
Note that the timer A is not capped by T2. Retransmission interval
of INVITE requests grows exponentially until the timer B fires.
-->
<!-- <param name="timer-T2" value="4000" /> -->
<!--
Transaction lifetime (in milliseconds).
Set the lifetime for completed transactions used by the SIP
transaction engine.
A completed transaction is kept around for the duration of T4 in
order to catch late responses.
The T4 is the maximum duration for the messages to stay in the
network and the duration of SIP timer K. -->
<!-- <param name="timer-T4" value="4000" /> -->
<!-- Turn on a jitterbuffer for every call -->
<!-- <param name="auto-jitterbuffer-msec" value="60"/> -->
<!-- By default mod_sofia will ignore the codecs in the sdp for
hold/unhold operations Set this to true if you want to actually
parse the sdp and re-negotiate the codec during hold/unhold. It's
probably not what you want so stick with the default unless you
really need to change this.
-->
<!-- <param name="renegotiate-codec-on-hold" value="true"/> -->
</settings>
</profile>
</profiles>
</configuration>