Call Encryption - TLS/SRTP
From VoIP.ms Wiki
This feature allows you to encrypt the communication between your device and our server, by using the SIP-TLS (Transport Layer Security) and SRTP (Secure Real-Time Transport Protocol) protocol.
This adds a security layer when the packets are being transmitted between you and our server, it encapsulates and encrypt the transmission. In other words, when your device is configured with this encryption method, your device asks to our server a dedicated certificate to establish a trust and fully secure communication from each part.
This is ideal if you are using a softphone on a public network. (We strongly recommend you to use this function in this case.)
Once encrypted calls are enabled for your account or sub account, the SIP-TLS and SRTP must be used. Your account or sub account will no longer be able to use regular SIP communication method.
Activate This Option on Your Main Account
1) To active this feature go to your Customer portal home and click on “Main Menu” > “Account Settings”
2) Once you are in the “Account Settings” section, navigate through the submenu and go to “Advanced” and find the field “Encrypted SIP Traffic”, set to Yes and press Apply
Note: If enabled, all the SIP traffic will be encrypted for the main account. Please note that if encrypted calls are enabled then you need to configure your device to make and receive encrypted calls.
Activate This Option on Your Sub Account
1) You may also activate this feature on a sub account. You need to navigate through the navigation bar and select “Sub Accounts” > “Manage Sub accounts”.
- If you don't have a sub account yet, you can create one by clicking on the tab “Create Sub Account”
3) Once you are in the Edit screen, find the “Advanced Options” and “Click here to display”. Then set “Encrypted SIP Traffic” to Yes, and press Update Account
Note: If enabled, all SIP traffic calls will be encrypted for this sub account. Please note that if encrypted calls are enabled then you need to configure your device to make and receive encrypted calls.
Configuration on SIP Client
Once you have activated the feature on your main account/sub account, you need to configure your SIP client.
On some devices, you will have to configure some settings to enable the SIP-TLS communication method. In your settings you must select TLS as your transport protocol and activate media encryption or SRTP* as Mandatory*. Without mandatory media encryption*, this would result in a call rejection with the SIP error 488.
Some technical considerations that you need to know for using this feature. Please take note, when using encrypted calls with a server, you must always use the server name with a number at the end. For example, you must use chicago1.voip.ms instead of chicago.voip.ms.
When you are using the TLS protocol, it is implied to be using TCP as packet transport. The reason is using TLS over UDP is not supported by the TLS specification. The TLS by TCP will use the port 5061 instead of 5060. We also have an alternative port such as 5081 and 42873
*The configuration and the terminology may vary from each device/PBX.
*Take note; some SIP clients do not support the call encryption, in some cases is a paid feature, or is available only in the paid version.
Some old systems/devices require to configure the certificate manually. In case is needed, please contact technical support via live chat or email to email@example.com (from the email address associated to your account), requesting the client certificate and advising the SIP server.
NOTE: The certificate expires every 90 days, so requesting a new one every period will be necessary to keep call encryption working under these circumstances
To know more about that, please refer to the device configuration page or your device manual.
TLS/SRTP Registration Status Validation
When your device is fully registered by using SIP-TLS protocol, you will be able to see the registration status in the portal Home page “Main menu” > "Portal Home" for each account/sub account registered or in “Sub Accounts” > “Manage Sub accounts” tab to see all of your Sub Accounts registration status.
- It has been confirmed that ATA Obi100 does not support encrypted calls.