Encrypting SIP traffic from hosted EZproxy (stunnel vs. SSH tunnel)
Applies to
- Hosted EZproxy
Answer
Can OCLC hosted EZproxy use stunnel to TLS/SSL encrypt a SIP connection?
At this time, OCLC is not able to use stunnel from our hosted EZproxy environment. While stunnel can provide TLS encryption, it would require a TLS-capable client on the OCLC side. That would mean installing and operating stunnel on the hosted EZproxy server(s), which isn’t something we can support in our hosted environment.
Specifically, it would require OCLC to:
- Install additional software (stunnel) on the hosted servers
- Maintain and manage the stunnel configuration
- Handle certificate deployment/renewal and trust configuration
- Apply patches and updates for stunnel over time
- Implement monitoring/alerting and operational procedures to restart the service if it goes down
Because hosted EZproxy servers already include OpenSSH and we support SSH-based connectivity, the most practical and supportable approach is a public/private key-based SSH tunnel. This provides encryption for the SIP session without requiring additional software on the hosted EZproxy side.
If you provide (or host) a public-facing SSH endpoint, we can establish an SSH tunnel that forwards traffic to your SIP service on port 6000 (or whatever your remote_port is). The tunnel command would follow this pattern:
ssh -f -N -L 5000:<sip_server_internal_or_localhost>:remote_port <ssh_user>@<public_ssh_host>
Once the tunnel is up, EZproxy connects to localhost:5000, and the traffic is encrypted over SSH to your environment and forwarded to the SIP server/port you specify.
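As an added example (not OCLC's own tooling), the shell snippet below builds the tunnel command from the pattern above with options that keep the session alive and make a failed forward visible, and generates the matching restricted authorized_keys entry for the library-side SSH endpoint, so the hosted EZproxy key can open only this one forward. The SSH user, hostname, key path and SIP host are placeholder assumptions; the ports are the article's.

```shell
#!/bin/sh
# Added example, not OCLC's own tooling. Builds the tunnel command from the
# article's pattern and the restricted authorized_keys line for the library-side
# SSH endpoint. User, host, key path and the SIP host are placeholder assumptions.
set -eu

# Build the ssh command for: 127.0.0.1:LOCAL_PORT -> SIP_HOST:REMOTE_PORT via SSH_USER@SSH_HOST.
#   ExitOnForwardFailure  ssh exits non-zero instead of idling if -L cannot bind or forward
#   ServerAlive*          a dead tunnel is dropped after ~90s so a supervisor can restart it
#   BatchMode             never prompt (unattended use); StrictHostKeyChecking pins the host key
#   127.0.0.1:LOCAL_PORT  listener bound to loopback only, so only EZproxy on this host can use it
tunnel_cmd() {
  local_port="$1"; sip_host="$2"; remote_port="$3"; ssh_user="$4"; ssh_host="$5"; key_file="$6"
  printf 'ssh -f -N -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 -o ServerAliveCountMax=3 -o BatchMode=yes -o StrictHostKeyChecking=yes -i %s -L 127.0.0.1:%s:%s:%s %s@%s' \
    "$key_file" "$local_port" "$sip_host" "$remote_port" "$ssh_user" "$ssh_host"
}

# authorized_keys line for the library's SSH endpoint: "restrict" disables pty,
# agent/X11 forwarding and rc files; only a local forward to the SIP host:port
# is re-enabled. The client uses -N and so never requests a session, so the
# forced command does not run; it is there in case the key is used without -N.
authorized_keys_entry() {
  sip_host="$1"; remote_port="$2"; pubkey="$3"
  printf 'restrict,port-forwarding,permitopen="%s:%s",command="/bin/false" %s\n' \
    "$sip_host" "$remote_port" "$pubkey"
}

# Example invocation with the article's ports and placeholder endpoint details.
# Constructed sample public key; replace with the key OCLC supplies.
SAMPLE_PUBKEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyMaterialPlaceholder ezproxy-sip-tunnel'
echo "Run on the hosted EZproxy side:"
tunnel_cmd 5000 127.0.0.1 6000 ezproxy-tunnel ssh.library.example /home/ezproxy/.ssh/sip_tunnel_ed25519
echo
echo "Append to ~ezproxy-tunnel/.ssh/authorized_keys on the library SSH endpoint:"
authorized_keys_entry 127.0.0.1 6000 "$SAMPLE_PUBKEY"
```

If the SIP server is a separate internal host, pass its internal IP as the second argument to both functions so the permitopen restriction and the forward agree.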
What we need:
- the public SSH hostname/IP and port,
- the SSH username,
- and whether the SIP destination should be localhost:remote_port (same host) or an internal SIP host/IP on your network
