What does the encryption actually do?

Hello!

I am trying to set up encrypted TLS SIP calls which works well. I have however noticed that it is possible to call from a TLS endpoint, with mandatory encryption on, to an endpoint using UDP. Is this supposed to be possible? If so, what is the point of the encryption if it is still possible to call/get called by endpoints that don’t have any encryption?

Asterisk is a back to back user agent. You are calling from a TLS endpoint to Asterisk, and that session has its signalling encrypted. You may also have opted to exchange session keys for media, and be encrypting the media as well. Asterisk then starts a second call, which doesn’t even have to be digital. The encryption for that is quite separate.

Asterisk does not support end to end encryption. As soon as a call enters Asterisk, it is decrypted and clear internally. This means that signalling and media are encrypted between just that endpoint and Asterisk, and means that calls can be done to non-encrypted endpoints or non-SIP things, or voicemail, or conferencing, or anything else.

Hm, okay! What if I used direct_media = yes, would that work around Asterisk or would it still be the same?

And to further improve my knowledge, let's say I have two TLS encrypted endpoints calling each other. They both would be encrypted as they enter Asterisk, but separately, and inside Asterisk it is decrypted?

Direct media is not supported on encrypted calls. And correct, inside of Asterisk it is decrypted.
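As an added illustration of what the two replies above describe (this is not configuration from the original thread; endpoint names, file paths and credentials are assumed), the following pjsip.conf and extensions.conf fragments define one TLS+SRTP endpoint and one plain UDP endpoint on the same Asterisk. Encryption is a per-endpoint, per-hop property: the settings on `tls-phone` say nothing about the leg Asterisk builds towards `udp-phone`. The second extension uses Asterisk's `CHANNEL(secure_bridge_signaling)` / `CHANNEL(secure_bridge_media)` options, which make `Dial()` refuse an outbound leg that is not itself secured; check their exact behaviour on your Asterisk version before relying on them.

```ini
; ---------------- pjsip.conf (assumed excerpt) ----------------

[transport-tls]
type=transport
protocol=tls
bind=0.0.0.0:5061
cert_file=/etc/asterisk/keys/asterisk.crt      ; assumed path
priv_key_file=/etc/asterisk/keys/asterisk.key  ; assumed path
method=tlsv1_2

[transport-udp]
type=transport
protocol=udp
bind=0.0.0.0:5060

; Encrypted phone: TLS signalling to Asterisk, SDES-SRTP media to Asterisk.
; Both protect only the hop between this phone and Asterisk.
[tls-phone]
type=endpoint
transport=transport-tls
context=internal
disallow=all
allow=ulaw
auth=tls-phone
aors=tls-phone
media_encryption=sdes
direct_media=no      ; Asterisk does not do direct media on encrypted legs anyway

[tls-phone]
type=auth
auth_type=userpass
username=tls-phone
password=change-me-tls   ; assumed credential

[tls-phone]
type=aor
max_contacts=1

; Plain phone: UDP signalling, unencrypted RTP. Calling it from tls-phone
; works because Asterisk decrypts the first leg and starts a second one.
[udp-phone]
type=endpoint
transport=transport-udp
context=internal
disallow=all
allow=ulaw
auth=udp-phone
aors=udp-phone
media_encryption=no

[udp-phone]
type=auth
auth_type=userpass
username=udp-phone
password=change-me-udp   ; assumed credential

[udp-phone]
type=aor
max_contacts=1

; ---------------- extensions.conf (assumed excerpt) ----------------

[internal]
; 100: the TLS caller's leg stays encrypted; the leg to udp-phone is clear.
exten => 100,1,Dial(PJSIP/udp-phone)
 same => n,Hangup()

; 200: require the bridged leg to be encrypted as well. With these set,
; Dial() will not bridge to an endpoint whose signalling/media are not
; secured, so a call to udp-phone from here fails instead of going clear.
exten => 200,1,Set(CHANNEL(secure_bridge_signaling)=1)
 same => n,Set(CHANNEL(secure_bridge_media)=1)
 same => n,Dial(PJSIP/tls-phone)
 same => n,Hangup()
```

Even on extension 200 the two legs are separately keyed: `pjsip show endpoint tls-phone` will show `media_encryption` per endpoint, and the SRTP keys for each leg are exchanged in that leg's own SDP, which Asterisk reads in the clear.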

Signalling must be decrypted on a SIP hop by SIP hop basis. That is fundamental; you cannot route SIP without seeing the clear text signalling.

It would be possible, in theory, to pass SRTP through a PABX that was dedicated to SIP (Asterisk is multi-technology), but that wouldn’t help, as the session keys are carried in the signalling, so would be available to all the intermediaries.

I don’t believe Asterisk supports ZRTP and, whilst I believe it does the key exchange in the media stream, I don’t know whether or not it works over more than a single SIP hop. Again, the signalling has to be in the clear at every session-level, or higher, relay.

I see, thank you both for your answers!