cwernstedt Posted September 19, 2017
Hi, I have some SIP trunks to SIP/VoIP providers: Skype and a Swiss provider (Winet.ch). I'm trying to figure out how to achieve only TLS-encrypted traffic on these connections. I find it tricky as I can't force TLS (neither service responds to port 5061), but DNS SRV records seem to be used. Is there a "best practice" way to make sure that only TLS is used? Cheers, Christian
Support Posted September 19, 2017
Hi, Have you tried to set the Provisioning Parameters setting (on domain > general settings) of "Outbound proxy pattern" to TLS and then provisioned your phone? In this manner, all your calls are encrypted using TLS.
cwernstedt Posted September 19, 2017
Hi, I haven't yet thought about how to secure phones and other user agents. Right now I'm primarily trying to secure traffic to and from SIP trunk providers.
Vodia PBX Posted September 19, 2017
In the old days we actually had a setting on the trunk that had the PBX assume that they are secure (e.g. PSTN gateways that are sitting just next to the PBX) and we tried to promote the end-to-end encryption. Nobody cared. Honestly I don't know if the end-to-end encryption is still enforced. Anyway the phones would have to request it by using a sips Request-URI if I remember correctly.
cwernstedt Posted September 20, 2017
So it can't be enforced on the PBX itself? Incoming calls may not ultimately terminate on a phone but in a voice mail box or conference room... With a cloud-based PBX communicating across the globe to SIP providers, it seems crazy to not even know if one has RTP encryption or not...
Vodia PBX Posted September 20, 2017
The old snom phone models had a way to send a sips Request-URI. Not sure if other devices or soft phones can do that today; but this is (IMHO) the way to tell the PBX that this call should be encrypted. The other thing that you can try is ZRTP end-to-end encryption. The PBX also supports that. But then both endpoints need to support this; for SIP trunks this will be very difficult. The VoIP security market is hard to understand. Lots of bla bla about VoIP security. We have tried a few things, even made our own firmware with ZRTP with elliptic curves for snom phone hardware; but the feedback was simply that there is no market for this, at least from our perspective. The only thing that seems to sell is UDP-based SIP trunks. If you want to get all the traffic to a certain country, all you need to do is offer the lowest rates and users happily route all calls through your network, everything in plain RTP.
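An added example, not part of any post in this thread: a small Python check for the two signals discussed above, a sips Request-URI and TLS Via for signaling, and the SDP media profile for RTP encryption. The INVITEs are constructed samples with placeholder hosts, and `audit_invite` is a hypothetical helper name.

```python
import re

# Constructed sample messages (not captured traffic); hosts and numbers are placeholders.
PLAIN_INVITE = (
    "INVITE sip:+41000000000@trunk.example.net SIP/2.0\r\n"
    "Via: SIP/2.0/UDP pbx.example.org:5060;branch=z9hG4bK1\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "m=audio 49170 RTP/AVP 0 8\r\n"
)
SECURE_INVITE = (
    "INVITE sips:+41000000000@trunk.example.net SIP/2.0\r\n"
    "Via: SIP/2.0/TLS pbx.example.org:5061;branch=z9hG4bK2\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "m=audio 49172 RTP/SAVP 0 8\r\n"
    "a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:CONSTRUCTED_PLACEHOLDER_KEY\r\n"
)

def audit_invite(raw):
    """Return a list of findings; an empty list means sips/TLS signaling and SRTP or ZRTP media."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    findings = []
    scheme = lines[0].split()[1].split(":", 1)[0].lower()
    if scheme != "sips":
        findings.append(f"Request-URI scheme is '{scheme}', not 'sips'")
    for line in lines[1:]:
        m = re.match(r"(?i)(?:via|v)\s*:\s*SIP/2\.0/(\w+)", line)
        if m and m.group(1).upper() not in ("TLS", "WSS"):
            findings.append(f"Via hop uses {m.group(1).upper()} transport")
    # Walk SDP media sections: each m= line opens one, its a= attributes follow it.
    media = []
    for line in body.splitlines():
        if line.startswith("m="):
            kind, _port, proto = line[2:].split()[:3]
            media.append({"kind": kind, "proto": proto, "zrtp": False})
        elif media and line.startswith("a=zrtp-hash:"):
            media[-1]["zrtp"] = True  # ZRTP is keyed in-band over an RTP/AVP stream
    for m in media:
        if "SAVP" not in m["proto"] and not m["zrtp"]:
            findings.append(f"{m['kind']} stream offered as plain {m['proto']}")
    return findings
```

An empty result covers only what the message declares; whether the trunk connection itself runs over TLS still has to be confirmed on the PBX or in a packet capture.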