Goal

Routing of inter-domain sessions over a TLS-encrypted link between a SER and an OpenSER proxy.

Applicability

Inter-domain SIP routing over TLS. We enable end-users of domain A to communicate with end-users in domain B over their home proxy to the proxy of domain B. All connections use TLS:

      User Agent A   ->   proxy domainA   ->   proxy domainB   ->   User Agent B

Prerequisites

Configuration  

If both proxies have TLS enabled and the clients let you add the "sips:" prefix, you don't need to add special routing logic to the cfg. It can work even if the client itself doesn't use TLS (EyeBeam -TCP-> OB SER -TLS-> SER -??-> client).
Remember that TLS is applied only on a hop-by-hop basis.
To be sure, or to define the TLS peers explicitly, do the following:

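If encryption of the SIP messages is enough for you and no mutual verification of the servers is necessary, you can turn off verification of the peer's server certificate. The hop is then still encrypted, but the proxy does not check the certificate of the server it connects to:

        tls_verify_server = 0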

OpenSER proxy configuration:

        # check for requests targeted out of our domain
        if (!uri==myself) {
                # mark routing logic in request
                append_hf("P-hint: outbound\r\n");
                # destination DomainA
                if(uri=~"@domainA.net") {
                        t_relay("tls:sipserver.domainA.net:5061");
                        xlog("L_INFO", "Time [%Tf] Route to ces.net :%rm RURI:%ru  FROM:%fu TO:%tu \n");
                        exit;
                }
                route(1);
        };

SER proxy configuration:

        if (!uri==myself) {
                # mark routing logic in request
                append_hf("P-hint: outbound\r\n");

                # route domainB over TLS
                if (uri=~".*@domainB") {
                        if (t_relay_to_tls("sip.domainB","5061")) {
                                xlog("L_INFO","TLS DomainB Method: %rm RURI: %ru\n");
                        }
                        else {
                                # relay failed: send a stateless error reply
                                sl_reply_error();
                        }
                        break;
                }
                route(FORWARD);
                break;
        }

SIP vs SIPS

If you want to test sips vs. sip behaviour with defined TLS peers, try a routing rule like this:

                # match only sip: URIs for domainB; sips: URIs fall through
                if (uri=~"^sip:.*@domainB"){
                        if (t_relay_to_tls("domainB","5061")) {
                                xlog("L_INFO","TLS Message to sipx1.ces.net\n ");
                        }
                        else {sl_reply_error();}
                        break;
                }

This rule applies only to sip: URIs; sips: URIs are routed by the default t_relay (using DNS SRV _sips._tcp, or a DNS A record with port 5061, ....)
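
The sip/sips split and the domain matches in both proxy blocks all depend on regular expressions applied to the Request-URI, so it is worth checking which URIs each pattern actually selects. The following Python sketch is an added example, not part of the original configuration: it uses Python's `re` as a stand-in for the proxies' regex matching, and the tightened patterns and sample URIs are constructed assumptions.

```python
import re

# Patterns exactly as they appear in the page's routing blocks.
PAGE_RULES = {
    "domainA": r"@domainA.net",
    "domainB": r".*@domainB",
    "domainB_sip_only": r"^sip:.*@domainB",
}

# Hypothetical tightened variants (not from the page): scheme anchored, dot
# escaped, and the host must be followed by a port, parameter, header or end.
TAIL = r"([:;?].*)?$"
STRICT_RULES = {
    "domainA": r"^sips?:[^@]+@domainA\.net" + TAIL,
    "domainB": r"^sips?:[^@]+@domainB" + TAIL,
    "domainB_sip_only": r"^sip:[^@]+@domainB" + TAIL,
}

# Constructed Request-URIs, not captured traffic.
SAMPLES = [
    "sip:alice@domainA.net",
    "sips:alice@domainA.net:5061",
    "sip:alice@domainA.net;transport=tcp",
    "sip:alice@domainA.net.example.org",
    "sip:alice@domainAxnet",
    "sip:bob@domainB",
    "sips:bob@domainB",
    "sip:bob@domainB.example.org",
]

def matched(rules, uri):
    """Return the sorted names of the rules whose pattern is found in uri."""
    return sorted(name for name, pat in rules.items() if re.search(pat, uri))

def over_matched(uris=SAMPLES):
    """Map each URI to the page rules that select it while the tightened rule does not."""
    loose = {u: sorted(set(matched(PAGE_RULES, u)) - set(matched(STRICT_RULES, u))) for u in uris}
    return {u: names for u, names in loose.items() if names}

if __name__ == "__main__":
    for uri in SAMPLES:
        print(f"{uri:38} page={matched(PAGE_RULES, uri)} strict={matched(STRICT_RULES, uri)}")
    print("over-matched:", over_matched())
```

The `^sip:` anchor does keep sips: URIs out of the test rule, while the unanchored domain patterns also select hosts that merely begin with or resemble the intended domain.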

Validation, confirmation tests

OS specific help

Reminder: this example is based on a compiled version of OpenSER, where the config is in /usr/local/etc/openser and the certificates are in /usr/local/etc/openser/tls/user; these paths might differ when OpenSER is installed from packages.