TLS and SRTP

There are a few prerequisites that must be satisfied before setting up your Sangoma Phones to use TLS/SRTP on your FreePBX install:

• FreePBX >= 14 

• An FQDN must be assigned and resolve properly on your PBX.

• A commercial certificate must be properly created and installed on your PBX ( see Certificate Management User Guide )

• insure all modules are up to date - fwconsole ma upgradeall 

• insure your phones are using latest firmware  - Phone Firmware Release Notes

Document will assume at this point you are using pjsip only on default ports  ...

Asterisk SIP settings

Open

and on the pjsip specific tab

Open

• Once the prerequisites above are met then you will start by enabling TLS/SSL/SRTP in Asterisk SIP Settings pjsip

  • Choose the Certificate to use.  Certificates are setup in Certificate Manager module on your PBX.

  • Set SSL Method to use Default

  • Set Verify Client and Verify Server to yes

     

     

    IMPORTANT NOTE: D series phones are very strict with the certificate issues, they will fail to perform the TLS handshake if the default SSL method is in use. S series won't complain on the other hand. 
    If using D series phones, make sure to set SSL method to either tlsv1_1 or tlsv1_2. 
    Selecting the default option here will make the phone abort the TLS handshake with the following errors: EISSUER_MISMATCH or EUNTRUSTED

    
    
    

Extension settings

• Next the Extension(s) you want to enable TLS ore SRTP for, under the advanced tab of the extension, enable TLS and SRTP as seen in the example below.

• To enable TLS set the "Transport" to 0.0.0.0-tls to as shown below.    

  • To enable SRTP

  • Set Media Encryption to SRTP via in-SDP (Recommended)

  • Set Allow Non-Encrypted Media to No