Vodia PBX forum
cwernstedt

How to check if TLS is actually used on SIP trunks?

Hi,

I have some SIP trunks to SIP/VoIP providers: Skype and a Swiss provider (Winet.ch).

I'm trying to figure out how to achieve only TLS encrypted traffic on these connections.

I find it tricky as I can't force TLS (neither service responds to port 5061), but DNS SRV records seem to be used.

Is there a "best practice" way to make sure that only TLS is used?

Cheers,

Christian


Hi,

 

Have you tried to set Provisioning Parameters settings (on domain > general settings) of "Outbound proxy pattern" to TLS and then provisioned your phone? In this manner, all your calls are encrypted using TLS.


In the old days we had actually a setting on the trunk that had the PBX assume that they are secure (e.g. PSTN gateways that are sitting just next to the PBX) and we tried to promote the end-to-end encryption. Nobody cared. Honestly I don't know if the end-to-end encryption is still enforced. Anyway the phones would have to request it by using a sips Request-URI if I remember correctly.


So it can't be enforced on the PBX itself? Incoming calls may not ultimately terminate on a phone but in a voice mail box or conference room...

 

With a cloud based PBX communicating across the globe to SIP providers, it seems crazy to not even know if one has RTP encryption or not.


The old snom phone models had a way to send sips Request-URI. Not sure if other devices or soft phones can do that today; but this is (IMHO) the way to tell the PBX that this call should be encrypted. 

The other thing that you can try is ZRTP end-to-end encryption. The PBX also supports that. But then both endpoints need to support this; for SIP trunks this will be very difficult.

The VoIP security market is hard to understand. Lots of bla bla about VoIP security. We have tried a few things, even made our own firmware with ZRTP with elliptic curves for snom phone hardware; but the feedback was simple that there is no market for this at least from our perspective. The only thing that seems to sell are UDP-based SIP trunks. If you want to get all the traffic to a certain country, all you need to do is offer the lowest rates and users happily route all calls through your network, everything in plain RTP.
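
One way to answer the thread's question from a SIP trace, as an added example that is not part of the original thread and is not Vodia's code: the sketch below reads one SIP request and reports the Request-URI scheme (`sip` vs `sips`), the transport in the topmost Via header, and whether the SDP offers plain RTP or SRTP. The function name `audit_sip_message` and both sample messages are constructed for illustration.

```python
import re

# Constructed samples: INVITEs as they might appear in a SIP trace (all values made up).
SAMPLE_PLAIN = (
    "INVITE sip:+41440000000@sip.example.net SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 203.0.113.10:5060;branch=z9hG4bK-1\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "m=audio 49170 RTP/AVP 0 8\r\n"
)
SAMPLE_SECURE = (
    "INVITE sips:+41440000000@sip.example.net SIP/2.0\r\n"
    "Via: SIP/2.0/TLS 203.0.113.10:5061;branch=z9hG4bK-2\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "m=audio 49170 RTP/SAVP 0 8\r\n"
    "a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:CONSTRUCTED-KEY-PLACEHOLDER\r\n"
)

def audit_sip_message(raw):
    """Report what one SIP request reveals about signaling and media protection."""
    raw = raw.replace("\r\n", "\n")          # tolerate traces saved with bare LF
    head, _, body = raw.partition("\n\n")    # headers, then the SDP body
    lines = head.split("\n")
    # Request line: METHOD <scheme>:<target> SIP/2.0
    req = re.match(r"^[A-Z]+ (sips?|tel):", lines[0])
    # Topmost Via (long form or compact "v") names the transport of the last hop.
    transport = None
    for line in lines[1:]:
        via = re.match(r"^(?:Via|v)\s*:\s*SIP/2\.0/(\w+)", line, re.I)
        if via:
            transport = via.group(1).upper()
            break
    # SDP m= lines carry the media profile: RTP/AVP is plain RTP, RTP/SAVP(F) is SRTP.
    profiles = re.findall(r"^m=\w+ \d+(?:/\d+)? (\S+)", body, re.M)
    return {
        "request_uri_scheme": req.group(1) if req else None,
        "via_transport": transport,
        "signaling_tls": transport == "TLS",
        "media_srtp": bool(profiles) and all("SAVP" in p for p in profiles),
        "key_material_offered": bool(re.search(r"^a=(crypto|fingerprint):", body, re.M)),
    }
```

The Via transport only describes the hop where the trace was taken, so the check is meaningful for a trunk only when run on messages captured on the trunk side of the PBX.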
