Switchvox - What do I need to know about TLS and SRTP in Switchvox?

Version 7.3.1 introduced the ability to enable TLS on Switchvox extensions. Below is a list of information that will help you understand what TLS is, how to enable or disable it in Switchvox, and how to troubleshoot issues reported with TLS.

What is TLS, its Requirements, and Recommendations:

  • TLS can be enabled on

    • Sangoma phones.

    • Sangoma Connect Mobile.

  • The customer is required to have a valid third-party certificate (self-signed certificates will not work).

  • Customers need to open TCP port 5061 so that TLS-enabled phones can register to the PBX.

  • Sangoma IP Phones with TLS only configure the first line with TLS; additional lines use non-TLS connections.

  • When TLS is enabled, a Shield icon will appear next to the icon of the line key as well as on the call card when placing a call.

  • Enabling TLS encrypts both the SIP signaling and the media (encrypted media is known as Secure RTP, or SRTP).

  • TLS increases CPU usage by around 25%. Therefore, customers who are near the maximum capacity of their system should be careful when enabling this feature.

  • Support does not recommend enabling TLS on internal phones due to the increased CPU requirement; TLS is recommended for external phones.

  • You can enable TLS by going to Setup > Extensions Manage > Modify the Extension > Phone Settings Tab > Sangoma Phones > Advanced Settings.
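The certificate and port requirements above can be checked from an administrator's workstation before enabling TLS on an extension. The script below is an added example and is not part of this Switchvox article or of Sangoma's own tooling: it assumes the openssl command-line tool is installed, uses a placeholder hostname, and classifies the "Verify return code" that openssl s_client prints so that a self-signed certificate or a missing intermediate is reported in plain words.

```shell
#!/bin/sh
# Added example (not from the Switchvox article): inspect the certificate the
# PBX presents on TCP 5061, the port TLS-enabled phones register through.
# Assumptions: the openssl CLI is installed; pbx.example.com is a placeholder.

# Translate openssl s_client's "Verify return code: N (...)" line into a verdict.
# Reads openssl output on stdin, so saved output can be classified offline too.
classify_verify_result() {
    code=$(sed -n 's/^ *Verify return code: \([0-9]*\).*/\1/p' | head -n 1)
    case "$code" in
        0)     echo "ok: chain verified against the local CA store" ;;
        10)    echo "fail: certificate has expired" ;;
        18)    echo "fail: self-signed leaf certificate (TLS phones will not accept it)" ;;
        19)    echo "fail: self-signed root in chain (chain does not end at a trusted third-party CA)" ;;
        20|21) echo "fail: issuer certificate missing (intermediate CA not served by the PBX)" ;;
        "")    echo "error: no verify result (port closed, or not a TLS listener)" ;;
        *)     echo "fail: verify return code $code" ;;
    esac
}

# Open one TLS session to host:port and classify the result.
# </dev/null ends the session as soon as the handshake completes;
# -servername sends SNI so a name-based certificate is selected.
check_pbx_tls() {
    host="$1"
    port="${2:-5061}"
    openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null \
        | classify_verify_result
}

# Usage: sh check_tls.sh pbx.example.com [5061]
if [ "$#" -ge 1 ]; then
    check_pbx_tls "$1" "$2"
fi
```

The verdict reflects the CA store of the machine running the check, not the phone's, so an "ok" is not proof that every phone model trusts the issuer; a return code of 18 or 19, however, shows the chain ends at a self-signed certificate and the extension will not meet the third-party certificate requirement above. The "error" branch is also worth reading: a closed port is what an unopened TCP 5061 looks like from outside.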

Troubleshooting reported TLS issues:

  • Wireshark cannot decode TLS or SRTP because of the encryption in use.

  • To troubleshoot SIP issues with TLS enabled, you need to use ACLI captures with the SIP Messages toggle ON.

  • To troubleshoot audio issues with TLS enabled, you need to enable recording on the system (Tools > Call Recordings).

  • The TLS feature can be disabled per extension. This means you can disable TLS on a particular extension to troubleshoot it with the regular process (take a PCAP, and Wireshark will apply). Disabling TLS is important in order to know for certain whether the issue being reported is specific to TLS, or also affects non-encrypted SIP/RTP and therefore does not need to be escalated to JIRA.

  • When escalating TLS issues, you are required to provide an ACLI capture with SIP enabled (and have it attached to the case).