Enabling TLS signaling and SRTP media encryption

How to encrypt SIP and RTP between your softswitch and non-cli.site.

Availability

TLS+SRTP is available on all CLI tier trunks and on request for non-CLI trunks. It adds roughly 10% to the per-minute rate.

Endpoints

  • TLS signaling: sip.non-cli.site:5061
  • SRTP media: negotiated via SDP, AES-128 SDES or DTLS-SRTP

Asterisk config

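[transport-tls]
type = transport
protocol = tls
bind = 0.0.0.0:5061
; certificate and private key this Asterisk instance presents
cert_file = /etc/asterisk/keys/asterisk.crt
priv_key_file = /etc/asterisk/keys/asterisk.key
; CA bundle used to validate the remote certificate (needed for verify_server)
ca_list_file = /etc/asterisk/keys/ca-bundle.crt
method = tlsv1_2
; do not require a certificate from inbound TLS clients
verify_client = no
; validate the remote server's certificate on outbound connections
verify_server = yes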

[noncli-trunk]
; ...existing config...
transport = transport-tls
media_encryption = sdes

And on the registration:

server_uri = sips:sip.non-cli.site:5061

FreeSWITCH

On the gateway add <param name="register-transport" value="tls"/> and set the profile to listen on 5061 with a valid cert.

Verifying

asterisk -rx "pjsip show registrations" should show transport tls. A Wireshark capture on port 5060 should be empty; a capture on port 5061 should show only the TLS handshake followed by encrypted data.
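
The checks above cover signaling; whether media is actually SRTP is decided by the SDP exchanged inside it. As an added example (not part of the original page or the provider's tooling), this Python function classifies each media section of an SDP body as SDES with an AES-128 suite, DTLS-SRTP, or plaintext RTP; the SDP samples and the name classify_media are constructed for illustration.

```python
# Added example: classify how each SDP media section is protected.
# The SDP bodies are constructed samples, not captures from the provider.
HEAD = "v=0\no=- 1 1 IN IP4 192.0.2.10\ns=-\nc=IN IP4 192.0.2.10\nt=0 0\n"
SDES_ANSWER = HEAD + (
    "m=audio 40000 RTP/SAVP 0 8\n"
    "a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:CONSTRUCTEDsampleKEYnotREAL0123456789abcd\n")
PLAIN_ANSWER = HEAD + "m=audio 40000 RTP/AVP 0 8\n"
DTLS_OFFER = HEAD + (
    "a=fingerprint:sha-256 AA:BB:CC:DD\n"  # constructed, shortened digest
    "m=audio 40000 UDP/TLS/RTP/SAVP 0 8\n")

def _verdict(m):
    """Map one parsed media section to a protection label."""
    proto = m["proto"]
    if proto.startswith("UDP/TLS/RTP/SAVP"):
        return "dtls-srtp" if m["fingerprint"] else "invalid: DTLS profile, no fingerprint"
    if proto.startswith("RTP/SAVP"):
        # AES-128 suites, e.g. AES_CM_128_HMAC_SHA1_80 or AEAD_AES_128_GCM
        aes128 = [s for s in m["suites"] if "_128_" in s]
        return "sdes:" + aes128[0] if aes128 else "invalid: SAVP, no AES-128 crypto line"
    return "plaintext-rtp"

def classify_media(sdp):
    """Return [(media, protection)] for every m= section of an SDP body."""
    sections, current, session_fp = [], None, False
    for raw in sdp.splitlines():
        line = raw.strip()
        if line.startswith("m="):
            fields = line[2:].split()
            if len(fields) < 3:
                continue  # malformed m= line, ignore
            current = {"media": fields[0], "proto": fields[2].upper(),
                       "suites": [], "fingerprint": session_fp}
            sections.append(current)
        elif line.startswith("a=fingerprint:"):
            if current is None:
                session_fp = True  # session-level, applies to all media
            else:
                current["fingerprint"] = True
        elif line.startswith("a=crypto:") and current is not None:
            # a=crypto:<tag> <suite> inline:<key||salt>
            parts = line[len("a=crypto:"):].split()
            if len(parts) >= 3 and parts[2].startswith("inline:"):
                current["suites"].append(parts[1])
    return [(s["media"], _verdict(s)) for s in sections]

if __name__ == "__main__":
    for name, sdp in [("sdes", SDES_ANSWER), ("plain", PLAIN_ANSWER), ("dtls", DTLS_OFFER)]:
        print(name, classify_media(sdp))
```

With signaling on TLS the SDP is not readable on the wire, so feed the function the SDP from the softswitch's own SIP logging (on Asterisk, pjsip set logger on).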
