Secure Media uses encryption to ensure that the call media and associated signaling remains private during transmission. Transport Layer Security (TLS) provides encryption for SIP signaling. Secure Real-time Transport Protocol (SRTP) provides encryption for call content/media packets.
SRTP provides a framework for the encryption of RTP & RTCP. RFC 4568, Session Description Protocol (SDP) Security Description (SDES) for Media Streams, defines such a protocol specifically designed to exchange cryptographic material using a newly defined SDP crypto attribute.
You can enable or disable Secure Media in your SIP Domain. It is disabled by default.
You can expect the following:
AES_CM_128_HMAC_SHA1_80 and AES_CM_128_HMAC_SHA1_32. Both may be included in an order of preference.Ensure you configure secure=true parameter as part of SIP URI to secure media in SIP outbound calls.
1<?xml version="1.0" encoding="UTF-8"?>2<Response>3<Dial>4<Sip>sip:jack@example.com;secure=true</Sip>5</Dial>6</Response>
The default port 5061 will be used for TLS.
AES_CM_128_HMAC_SHA1_80Asterisk ships by default with chan_sip driver and works well with Twilio. However, if you have some reason to run PJSIP driver with Asterisk, note the following:
Here is a guide to installing a non-bundled version of PJSIP. Change the version to 2.5.5 in the steps.
Asterisk 13.8 cert2 defaults to PJSIP 2.5 which will not work with Twilio for TLS/SRTP purposes. Non-encrypted calls will still work.
Make sure to use the latest PJSIP driver, which at this time is 2.5.5.
You may see following message in your log:
ERROR[10886]: pjproject:0 <?>: tlsc0x7f217c03 RFC 5922 (section 7.2) does not allow TLS wildcard certificates. Advise your SIP provider, please!
This message can be ignored.