Call Encryption - TLS/SRTP
From VoIP.ms Wiki
This feature allows you to encrypt the communication between your device and our server by using the SIP-TLS (Transport Layer Security) and SRTP (Secure Real-Time Transport Protocol) protocols.
This adds a security layer to the packets transmitted between you and our server: it encapsulates and encrypts the transmission. In other words, when your device is configured with this encryption method, it asks our server for a dedicated certificate to establish trust and fully secure communication on each side.
This is ideal if you are using a softphone on a public network. (We strongly recommend using this function in this case.)
Once encrypted calls are enabled for your account or sub account, SIP-TLS and SRTP must be used. Your account or sub account will no longer be able to use the regular SIP communication method.
Activate This Option on Your Main Account
1) To activate this feature, go to your main account by navigating through the “Main Menu” > “Account Settings”
2) Once you are in the “Account Settings” section, navigate through the submenu, go to “Advanced”, set the field “Encrypted SIP Traffic” to Yes, and press Apply
Note: If enabled, all the SIP traffic will be encrypted for the main account. Please note that if encrypted calls are enabled then you need to configure your device to make and receive encrypted calls.
Activate This Option on Your Sub Account
1) You may also activate this feature on a sub account. You need to navigate through the navigation bar and select “Sub Accounts” > “Manage Sub accounts”.
- If you don't have a sub account yet, you can create one by clicking on the tab “Create Sub Account”
3) Once you have chosen your sub account or created a new one, find “Advanced Options” and click “Click here to display”. Then set “Encrypted SIP Traffic” to Yes, and press Update Account
Note: If enabled, all SIP traffic will be encrypted for this sub account. Please note that if encrypted calls are enabled then you need to configure your device to make and receive encrypted calls.
Configuration on SIP Client
Now that you have activated the feature on your main account/sub account, you need to configure your SIP client.
On some devices, you will have to configure some settings to enable the SIP-TLS communication method. In your settings you must select TLS as your transport protocol and set media encryption or SRTP* to Mandatory. Without mandatory media encryption, calls will be rejected with SIP error 488.
There are some technical details you need to know when using this feature. When using encrypted calls with a server, you must always use the server name with a number at the end. For example, you must use chicago1.voip.ms instead of chicago.voip.ms.
This also applies to cities with only one server. For example, you select london.voip.ms in the portal, but write london1.voip.ms when you configure your device, softphone or PBX.
Using the TLS protocol implies using TCP as the packet transport, because TLS over UDP is not supported by the TLS specification. TLS over TCP uses port 5061 instead of 5060. We also have alternative ports such as 5081 and 42873.
*The configuration and the terminology may vary between devices/PBXs.
*Take note: some SIP clients do not support call encryption; in some cases it is a paid feature, or is available only in the paid version.
To learn more, please refer to the device configuration page or your device manual.
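The requirements in this section (numbered server name, TLS transport, a TLS port, mandatory SRTP) can be checked before a device profile is rolled out. The following is an added example, not part of the VoIP.ms wiki or of any SIP client: the `key = value` profile format and its key names are hypothetical, and both sample profiles are constructed.

```python
import re

# Ports named on this page for SIP-TLS: 5061, plus alternatives 5081 and 42873.
TLS_PORTS = {5061, 5081, 42873}
# Numbered server name such as chicago1.voip.ms (assumed shape: city + digits).
NUMBERED_HOST = re.compile(r"^[a-z]+\d+\.voip\.ms$")

def parse_settings(text):
    """Parse 'key = value' lines into a dict; '#' starts a comment."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip().lower()] = value.strip().lower()
    return settings

def audit(settings):
    """Return a list of findings; an empty list means the profile passes."""
    findings = []
    server = settings.get("server", "")
    if not NUMBERED_HOST.match(server):
        findings.append(f"server {server!r}: use the numbered name, e.g. chicago1.voip.ms")
    if settings.get("transport") != "tls":
        findings.append("transport: must be tls (which implies TCP)")
    port = settings.get("port", "")
    if not port.isdigit() or int(port) not in TLS_PORTS:
        findings.append(f"port {port!r}: expected one of {sorted(TLS_PORTS)}")
    if settings.get("srtp") != "mandatory":
        findings.append("srtp: must be mandatory, otherwise calls are rejected with SIP 488")
    return findings

# Constructed sample profiles (hypothetical key names, not a real client's format).
WEAK = """
server = chicago.voip.ms   # un-numbered name
transport = udp
port = 5060
srtp = optional
"""
CORRECTED = """
server = chicago1.voip.ms
transport = tls
port = 5061
srtp = mandatory
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK), ("corrected", CORRECTED)):
        print(name, audit(parse_settings(text)) or "OK")
```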
TLS/SRTP Registration state validation
When your device is fully registered using the SIP-TLS protocol, you will be able to see the registration status for each registered account/sub account on the portal home page (“Main Menu” > “Portal Home”), or in the “Sub Accounts” > “Manage Sub accounts” tab to see the registration status of all your sub accounts.