Newb: TLS/sRTP question

Per an earlier post about sRTP, the more I research, the more I realize I don’t understand this. And I don’t seem to stumble on conversations that are rudimentary enough for people like me. I’m using Asterisk.

1) If I set transport=tls in sip.conf, is my user/password info secure via SSL without doing anything else? In other words, my device will not hook up unless it is using TLS, correct?

This is all I really need. I’m not overly concerned if the audio is unencrypted. While I don’t really need to encrypt the audio, I would prefer to do it, if I can get it working.

2) Does sRTP only encrypt the audio info? Or do I need it and TLS to protect my user/password info?

3) Is it possible to connect an extension that doesn’t use sRTP to one that does?

4) Is it possible to Dial multiple extensions at once if some are sRTP and some are not?

I’ve set up an Android phone using TLS but I don’t have sRTP working (at least I don’t think). In sip.conf I have:
and in extensions.conf:
exten => 111,1,Dial(${KEV_CELL_TLS})

works but is my user/password safe?

To sip.conf I tried adding:
and to my dial plan I used:
exten => 111,1,NoOp(Testing SRTP)
same => n,Set(_SIP_SRTP_SDES=1)
same => n,Set(_SIPSRTP=1)
same => n,Set(_SIPSRTP_CRYPTO=enable)
same => n,Dial(${KEV_CELL_TLS})

and it quits working. I comment the “encryption=yes” out and it works again (But without SRTP I’m guessing).

Any advice about how this all works would be appreciated.



TLS and SRTP are two different, but related animals. You can have TLS without SRTP but you can’t have true SRTP without TLS. TLS encrypts the SIP setup messages where usernames, passwords, and SRTP keys are exchanged. So, you can keep your username and passwords encrypted, but your audio path is still clear.

SRTP encrypts the audio stream, but without TLS to encrypt the call set up and SRTP key exchange, SRTP isn’t as secure as it can be.
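As an added illustration of the point made in the reply above (this is not part of the thread or of Asterisk itself), the snippet below parses a constructed SIP INVITE and reports whether its SDP offer asks for SRTP and whether the SDES master key it carries would be readable on the wire, which is exactly why the signalling transport matters. The message, host names and addresses are constructed sample data.

```python
import re

# Constructed sample: a SIP INVITE over UDP carrying an SDES-SRTP offer (not a real capture).
SAMPLE_INVITE = (
    "INVITE sip:111@pbx.example.invalid SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK-constructed\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "o=- 1 1 IN IP4 192.0.2.10\r\n"
    "m=audio 4000 RTP/SAVP 0 8\r\n"
    "a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:WVNfX19zZW1jdGwgKCkgewkyMjA7fQp9CnVubGVz\r\n"
)


def analyse_offer(message: str) -> dict:
    """Return what a SIP INVITE says about media encryption and key exposure."""
    head, _, body = message.partition("\r\n\r\n")
    # The top Via header names the signalling transport (UDP, TCP or TLS).
    m = re.search(r"^Via:\s*SIP/2\.0/(\w+)", head, re.M)
    transport = m.group(1).upper() if m else None
    # RTP/SAVP or RTP/SAVPF on the m= line means the offer requests SRTP.
    profiles = re.findall(r"^m=audio \d+ (\S+)", body, re.M)
    srtp_offered = any(p in ("RTP/SAVP", "RTP/SAVPF") for p in profiles)
    # With SDES the SRTP master key is carried verbatim in a=crypto lines,
    # so only an encrypted signalling transport (TLS) keeps it private.
    crypto_lines = re.findall(r"^a=crypto:(\d+) (\S+) inline:(\S+)", body, re.M)
    key_in_clear = bool(crypto_lines) and transport != "TLS"
    return {
        "transport": transport,
        "srtp_offered": srtp_offered,
        "sdes_suites": [suite for _, suite, _ in crypto_lines],
        "key_in_clear": key_in_clear,
    }


if __name__ == "__main__":
    for label, msg in (("udp", SAMPLE_INVITE),
                       ("tls", SAMPLE_INVITE.replace("SIP/2.0/UDP", "SIP/2.0/TLS"))):
        print(label, analyse_offer(msg))
```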

For (3) and (4) extension is wrong terminology. Asterisk extensions are only associated with the outgoing side and they refer to the dialplan numbers not the sip.conf ones (which really ought to be different).

Asterisk is a back to back user agent, so it is usual for the source and destination devices not even to be the same technology, e.g. one may be SIP and the other an analogue line.

The dial & notation is implemented by the Asterisk core, which doesn’t know about encryption.

I don’t know if native bridging is supported for SRTP, but if it is, you would lose that optimisation if you had a mix.

SRTP can’t negotiate a truly secure datastream between endpoints, only ZRTP can. SRTP streams would be transmitted from the phone, to Asterisk, decrypted, passed through the channel driver stack, reencrypted if the second leg supports encryption, and sent back out.

So, technically, the line is only secure between phone and Asterisk. To answer question #3, you can have a single leg of the call encrypted.

Thanks for the insight!

Now as far as getting it working, the .ca and .pem files all generated no problem and the TLS part seems to be working fine. It is rejecting the phone if TLS is turned off.

Per my previous post, when I set encryption=yes, the phone can’t receive calls. It appears the system is responding to sip.conf correctly. I believe where I am going wrong is in the dial plan. Any advice on how to properly set up before I do my Dial() would be greatly appreciated.