
Secure Media

Secure Media uses encryption to ensure that the call media and the associated signaling remain private during transmission. Transport Layer Security (TLS) provides encryption for SIP signaling. Secure Real-time Transport Protocol (SRTP) provides encryption for the call content (media packets).

SRTP provides a framework for the encryption of RTP and RTCP. RFC 4568, Session Description Protocol (SDP) Security Descriptions (SDES) for Media Streams, defines a protocol for exchanging the SRTP keying material using the SDP crypto attribute it introduces.

Inbound:

You can enable or disable Secure Media in your SIP Domain. It is disabled by default.

You can expect the following:

  • Enabled: TLS must be used to encrypt SIP messages and SRTP must be used for the media packets. Any non-encrypted call will be rejected.
  • Disabled: RTP must be used for media packets. SIP messages may be sent in the clear or over TLS. Any SRTP-encrypted call will be rejected.
  • SRTP supports the following crypto suites: AES_CM_128_HMAC_SHA1_80 and AES_CM_128_HMAC_SHA1_32. Both may be included, in an order of preference.
  • The optional master key identifier (MKI) parameter is not supported.

Outbound:

To secure media on outbound SIP calls, add the secure=true parameter to the SIP URI:

<?xml version="1.0" encoding="UTF-8"?>
<Response>
  <Dial>
    <Sip>sip:jack@example.com;secure=true</Sip>
  </Dial>
</Response>

The default port 5061 will be used for TLS.

  • Only a single crypto suite for SRTP will be included: AES_CM_128_HMAC_SHA1_80.
  • The optional master key identifier (MKI) parameter is not supported.
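The inbound rules above (two accepted suites in the offerer's order of preference, no MKI) and the outbound rule (a single suite) both come down to how the RFC 4568 a=crypto attribute is parsed and filtered. The following added example, which is not part of Twilio's documentation or code, parses crypto attributes from an SDP offer and applies those rules; the sample offer is constructed, and it assumes the answering side honours the offerer's order of preference.

```python
import base64
import re
from collections import namedtuple

# Suites the page lists as accepted on inbound calls, in any order of preference.
SUPPORTED_SUITES = ("AES_CM_128_HMAC_SHA1_80", "AES_CM_128_HMAC_SHA1_32")
# Both suites carry a 16-byte master key plus a 14-byte master salt, base64-encoded.
KEY_SALT_LEN = 30
CryptoAttr = namedtuple("CryptoAttr", "tag suite key_salt lifetime mki")

def parse_crypto_line(line):
    """Parse one RFC 4568 'a=crypto:<tag> <suite> <key-params> [<session-params>]' line."""
    m = re.fullmatch(r"a=crypto:(\d+) (\S+) (\S+)(?: .*)?", line.strip())
    if not m:
        raise ValueError(f"malformed crypto attribute: {line!r}")
    tag, suite, key_params = int(m.group(1)), m.group(2), m.group(3)
    first = key_params.split(";")[0]  # only the first key-param is inspected here
    if not first.startswith("inline:"):
        raise ValueError("SDES only defines the 'inline' key method")
    fields = first[len("inline:"):].split("|")
    key_salt = base64.b64decode(fields[0], validate=True)
    # Optional trailers: a lifetime such as 2^20, and/or an MKI written as value:length.
    mki = next((f for f in fields[1:] if ":" in f), None)
    lifetime = next((f for f in fields[1:] if ":" not in f), None)
    return CryptoAttr(tag, suite, key_salt, lifetime, mki)

def select_crypto(sdp_lines):
    """Return the first offered attribute the policy accepts, walking the offerer's order."""
    offered = [parse_crypto_line(l) for l in sdp_lines if l.startswith("a=crypto:")]
    if not offered:
        raise ValueError("no a=crypto line: plain RTP offer, rejected while Secure Media is enabled")
    for a in offered:  # offerer's order of preference (assumption: answerer honours it)
        if a.suite in SUPPORTED_SUITES and a.mki is None and len(a.key_salt) == KEY_SALT_LEN:
            return a
    raise ValueError("no acceptable crypto attribute in offer")

# Constructed sample offer (not captured traffic): only the third candidate is acceptable.
KEY_B64 = base64.b64encode(bytes(range(30))).decode()
SAMPLE_OFFER = [
    "m=audio 49170 RTP/SAVP 0",
    f"a=crypto:1 F8_128_HMAC_SHA1_80 inline:{KEY_B64}",               # suite not supported
    f"a=crypto:2 AES_CM_128_HMAC_SHA1_80 inline:{KEY_B64}|2^20|1:4",  # carries an MKI
    f"a=crypto:3 AES_CM_128_HMAC_SHA1_32 inline:{KEY_B64}|2^20",
]

if __name__ == "__main__":
    chosen = select_crypto(SAMPLE_OFFER)
    print(f"answer with tag {chosen.tag}, suite {chosen.suite}")
```

The m=audio line uses the RTP/SAVP profile, which is what an SRTP offer carries; an offer with RTP/AVP and no a=crypto line is the plain RTP case the inbound rules reject.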

Importing Twilio's Root CA Certificate

TLS is used to encrypt SIP signaling between SIP endpoints. For this to work, certain devices in your network must import the certificate of the Certificate Authority (CA) that issues Twilio's certificates. Add the following root certificate to your communications infrastructure so that Twilio's certificate can be validated on your network. Download Twilio's CA certificate.

Note that Twilio uses a wildcard certificate, which covers multiple subdomains of a domain (*.sip.twilio.com). If your network element does not support wildcard certificates, disable certificate validation.

TLS/SRTP support with Asterisk

Asterisk ships with the chan_sip driver by default, and it works well with Twilio. If you have a reason to run the PJSIP driver with Asterisk instead, note the following:

Here is a guide to installing a non-bundled version of PJSIP. Change the version to 2.5.5 in the steps.

Asterisk 13.8 cert2 defaults to PJSIP 2.5, which will not work with Twilio for TLS/SRTP. Non-encrypted calls will still work.

Make sure to use the latest PJSIP driver, which at this time is 2.5.5.

You may see the following message in your log:

ERROR[10886]: pjproject:0 <?>: tlsc0x7f217c03 RFC 5922 (section 7.2) does not allow TLS wildcard certificates. Advise your SIP provider, please!

This message can be ignored.
