TLS and SRTP
There are a few prerequisites that must be satisfied before setting up your Sangoma Phones to use TLS/SRTP on your FreePBX install:
FreePBX >= 14
An FQDN must be assigned and resolve properly for your PBX.
A commercial certificate must be properly created and installed on your PBX (see Certificate Management User Guide)
Ensure all modules are up to date: fwconsole ma upgradeall
Ensure your phones are using the latest firmware (see Phone Firmware Release Notes)
From this point on, this document assumes you are using pjsip only, on the default ports ...
Asterisk SIP settings
and on the pjsip-specific tab
Once the prerequisites above are met, start by enabling TLS/SSL/SRTP on the pjsip tab of Asterisk SIP Settings:
Choose the certificate to use. Certificates are set up in the Certificate Manager module on your PBX.
Set SSL Method to Default.
Set Verify Client and Verify Server to Yes.
IMPORTANT NOTE: D series phones are very strict about certificate issues and will fail the TLS handshake if the default SSL method is in use; S series phones, on the other hand, will not complain.
If using D series phones, make sure to set SSL Method to either tlsv1_1 or tlsv1_2.
Selecting the Default option here will make the phone abort the TLS handshake with one of the following errors: EISSUER_MISMATCH or EUNTRUSTED
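The prerequisites list (resolvable FQDN, trusted commercial certificate) and the D series note above describe what a phone checks before it will complete the handshake. The script below is an added example, not part of the FreePBX wiki or any Sangoma firmware: it runs the same checks from a Linux host using openssl s_client, forcing TLS 1.2 as the D series phones require and confirming that the certificate chain verifies against the system CA store. The pjsip TLS port 5061, the placeholder FQDN pbx.example.invalid and the two sample openssl outputs are assumptions constructed for the example, not values from the page.

```shell
#!/bin/sh
# Added example (not from the FreePBX wiki): pre-flight checks for the TLS
# prerequisites, seen from a phone's point of view. Assumes pjsip TLS on
# port 5061 and that the PBX FQDN is passed as $1 (both are assumptions).
PBX_FQDN="${1:-pbx.example.invalid}"   # placeholder; pass your real PBX FQDN
TLS_PORT="${2:-5061}"                  # assumed default pjsip TLS port

# Prerequisite: the FQDN must resolve. getent (glibc) avoids a dependency on dig.
fqdn_resolves() {
    getent hosts "$1" >/dev/null 2>&1
}

# Reads `openssl s_client` output on stdin; succeeds only when the chain
# verified, which is the condition the D series phones insist on.
chain_verified() {
    grep -q 'Verify return code: 0 (ok)'
}

# Reads `openssl s_client` output on stdin; prints the negotiated protocol
# (for example TLSv1.2) from the SSL-Session block.
negotiated_protocol() {
    sed -n 's/^ *Protocol *: *//p' | head -n 1
}

# Live probe: force TLS 1.2 (the D series requirement), send SNI so the PBX
# presents the certificate for its FQDN, and verify against the system CA store.
probe_pbx() {
    openssl s_client -connect "$1:$2" -servername "$1" -tls1_2 </dev/null 2>&1
}

# Constructed, trimmed sample outputs (not captured from a real PBX) so the
# parsers can be exercised offline.
SAMPLE_GOOD='CONNECTED(00000003)
depth=0 CN = pbx.example.invalid
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Verify return code: 0 (ok)'
SAMPLE_BAD='CONNECTED(00000003)
depth=0 CN = pbx.example.invalid
verify error:num=21:unable to verify the first certificate
SSL-Session:
    Protocol  : TLSv1.2
    Verify return code: 21 (unable to verify the first certificate)'

# Only probe a live PBX when an FQDN was given on the command line.
if [ -n "${1:-}" ]; then
    fqdn_resolves "$PBX_FQDN" || { echo "FAIL: $PBX_FQDN does not resolve"; exit 1; }
    out=$(probe_pbx "$PBX_FQDN" "$TLS_PORT")
    printf '%s\n' "$out" | chain_verified \
        || { echo "FAIL: certificate chain not trusted; D series phones will abort the handshake"; exit 1; }
    echo "OK: $PBX_FQDN:$TLS_PORT negotiated $(printf '%s\n' "$out" | negotiated_protocol) with a trusted chain"
fi
```

Run it as `sh tls_check.sh pbx.example.invalid` after installing the commercial certificate and switching SSL Method to tlsv1_2; a non-zero exit before the phones are rebooted saves a round of EUNTRUSTED errors on the handsets. The chain check deliberately uses the host's CA store rather than the PBX's own certificate file, because that is how a phone judges the chain.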
Extension settings
Next, for each extension you want to enable TLS or SRTP for, open the Advanced tab of the extension and enable TLS and SRTP as shown in the example below.
To enable TLS, set "Transport" to 0.0.0.0-tls as shown below.
To enable SRTP:
Set Media Encryption to SRTP via in-SDP (Recommended)
Set Allow Non-Encrypted Media to No
If your phones are already set up in EPM, rebuild the config for the extensions you want to use SRTP or TLS, based on the settings you changed above, and reboot the phones. They will then use SRTP and/or TLS according to what you have defined on the extension page for each device.