Secure Media uses encryption to ensure that the call media and associated signaling remain private during transmission. Transport Layer Security (TLS) provides encryption for SIP signaling. Secure Real-time Transport Protocol (SRTP) provides encryption for call content/media packets.
SRTP provides a framework for the encryption of RTP & RTCP. RFC 4568, Session Description Protocol (SDP) Security Description (SDES) for Media Streams, defines such a protocol specifically designed to exchange cryptographic material using a newly defined SDP crypto attribute.
You can enable or disable Secure Media in your SIP Domain. It is disabled by default.
You can expect the following:
- Enabled: TLS must be used to encrypt SIP messages and SRTP must be used for the media packets. Any non-encrypted calls will be rejected.
- Disabled: RTP must be used for media packets. SIP messages may be sent in the clear or using TLS. Any SRTP encrypted calls will be rejected.
- SRTP supports the following crypto suites:
AES_CM_128_HMAC_SHA1_32. Both may be included in an order of preference.
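The Enabled/Disabled rules above, applied to an SDP offer carrying the RFC 4568 crypto attribute, as an added example (not from the original page and not Twilio's code). The names check_call and parse_audio_offer, the trimmed sample offers and the test key are constructed for illustration; AES_CM_128_HMAC_SHA1_80 in the sample offer is a suite name taken from RFC 4568, and the supported list is limited to the suite this page names.

```python
import base64
import re

# Suite named on this page; an assumption to adjust to your provider's list.
SUPPORTED = ("AES_CM_128_HMAC_SHA1_32",)
# RFC 4568 crypto attribute: a=crypto:<tag> <suite> inline:<base64 key||salt>[|...]
CRYPTO_RE = re.compile(r"^a=crypto:(\d+) (\S+) inline:([A-Za-z0-9+/=]+)")

def parse_audio_offer(sdp):
    """Return (transport profile, [suite, ...] in offer order) for the first m= section."""
    profile, suites = None, []
    for line in (l.strip() for l in sdp.splitlines()):
        if line.startswith("m="):
            if profile is not None:
                break                      # stop at the second media section
            profile = line.split()[2]      # e.g. RTP/AVP or RTP/SAVP
        elif profile is not None and (m := CRYPTO_RE.match(line)):
            try:
                key = base64.b64decode(m.group(3), validate=True)
            except ValueError:             # malformed base64: ignore this line
                continue
            if len(key) == 30:             # AES_CM_128: 16-byte key + 14-byte salt
                suites.append(m.group(2))
    return profile, suites

def check_call(sip_over_tls, sdp, secure_media, supported=SUPPORTED):
    """Model the Enabled/Disabled rules; return (accepted, chosen suite or reason)."""
    profile, offered = parse_audio_offer(sdp)
    srtp = profile == "RTP/SAVP"
    if not secure_media:
        return (False, "SRTP offered, Secure Media disabled") if srtp else (True, "RTP")
    if not sip_over_tls:
        return (False, "SIP signaling not over TLS")
    if not srtp:
        return (False, "media offered as plain RTP")
    for suite in offered:                  # offer order is the preference order
        if suite in supported:
            return (True, suite)
    return (False, "no usable crypto suite in offer")

# Constructed sample offers; the key is a fixed test pattern, not a real secret.
KEY = base64.b64encode(bytes(range(30))).decode()
SRTP_OFFER = "\r\n".join(["v=0", "m=audio 49170 RTP/SAVP 0",
    f"a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:{KEY}|2^20",
    f"a=crypto:2 AES_CM_128_HMAC_SHA1_32 inline:{KEY}"])
RTP_OFFER = "v=0\r\nm=audio 49170 RTP/AVP 0"

if __name__ == "__main__":
    print(check_call(True, SRTP_OFFER, True), check_call(True, RTP_OFFER, True))
```
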
Ensure you configure the secure=true parameter as part of the SIP URI to secure media in SIP outbound calls.
<?xml version="1.0" encoding="UTF-8"?>
<Response>
  <Dial>
    <Sip>sip:email@example.com;secure=true</Sip>
  </Dial>
</Response>
The default port 5061 will be used for TLS.
- Only a single crypto suite for SRTP will be included:
TLS is used to encrypt SIP signaling between SIP endpoints. In order for this to function properly, devices in your network that communicate directly with Twilio must be configured to trust Twilio's TLS/SSL Certificate. Twilio uses certificates issued by a CA (Certificate Authority). You may need to add additional root certificates to your communications infrastructure to establish the authenticity of Twilio's certificate on the network. Download Twilio's bundle of trusted CA certificates.
It is important to note that Twilio uses a wildcard certificate, which can be used for multiple subdomains of a domain (sip.twilio.com). If your network element does not support wildcard certificates, please disable certificate validation.
The chan_sip driver is included and works correctly with Twilio. However, if for some reason
Here is a guide to installing a non-bundled version of PJSIP. Change the version to 2.5.5 in the steps.
Asterisk 13.8 cert2 defaults to PJSIP 2.5, which will not work with Twilio for TLS/SRTP purposes. Non-encrypted calls will still work.
Make sure to use the latest PJSIP driver, which at this time is
You may see the following message in your log:
ERROR: pjproject:0 <?>: tlsc0x7f217c03 RFC 5922 (section 7.2) does not allow TLS wildcard certificates. Advise your SIP provider, please!
This message can be ignored.