Secure Media

Secure Media uses encryption to ensure that call media and the associated signaling remain private in transit. Transport Layer Security (TLS) encrypts the SIP signaling; Secure Real-time Transport Protocol (SRTP) encrypts the call content (the media packets).

SRTP (RFC 3711) is a framework for encrypting and authenticating RTP and RTCP; it does not itself define how the master keys are exchanged. RFC 4568, Session Description Protocol (SDP) Security Descriptions for Media Streams (SDES), fills that gap by carrying the keying material in a crypto attribute in the SDP body of the SIP signaling. Because SDES keys travel in the signaling, TLS on the SIP leg is what keeps the SRTP keys secret, which is why Secure Media requires both together.

Inbound:

You can enable or disable Secure Media on your SIP Domain. It is disabled by default.

You can expect the following:

  • Enabled: TLS must be used to encrypt SIP messages and SRTP must be used for the media packets. Any non-encrypted call will be rejected.
  • Disabled: RTP must be used for media packets. SIP messages may be sent in the clear or over TLS. Any SRTP-encrypted call will be rejected.
  • SRTP supports the following crypto suites: AES_CM_128_HMAC_SHA1_80 and AES_CM_128_HMAC_SHA1_32. Both may be offered, in order of preference.
  • The optional Master Key Identifier (MKI) parameter is not supported.

Outbound:

Set the secure=true parameter on the SIP URI to secure the media on outbound SIP calls:

<?xml version="1.0" encoding="UTF-8"?>
<Response>
  <Dial>
    <Sip>sip:jack@example.com;secure=true</Sip>
  </Dial>
</Response>

The default port 5061 will be used for TLS.

  • Only a single crypto suite for SRTP will be offered: AES_CM_128_HMAC_SHA1_80
  • The optional Master Key Identifier (MKI) parameter is not supported.
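The following Python script is an added example, not Twilio's code: it implements the inbound and outbound rules listed above on top of RFC 4568 crypto lines. It parses a=crypto attributes from a constructed SDP offer, walks them in the offerer's order of preference, rejects what the rules reject, and builds the single-suite line an outbound secure=true call advertises. How an attribute that carries an MKI is handled (it is skipped here) is an assumption, since the page only says MKI is unsupported; the function names, the sample offer and its keys are this example's own.

```python
"""SDES (RFC 4568) negotiation following the Secure Media inbound/outbound rules.
Added example, not Twilio code; MKI handling (skip the attribute) is an assumption."""
import base64
import binascii
import secrets
from dataclasses import dataclass
from typing import List, Optional

# Suites the page lists for inbound calls. AES_CM_128 uses a 16-byte master key
# plus a 14-byte master salt, so the inline value must decode to 30 bytes.
SUPPORTED_SUITES = ("AES_CM_128_HMAC_SHA1_80", "AES_CM_128_HMAC_SHA1_32")
KEY_SALT_LEN = 30


class SdesError(ValueError):
    """Raised when the call must be rejected under the Secure Media rules."""


@dataclass
class CryptoAttr:
    tag: int
    suite: str
    key_salt: bytes
    lifetime: Optional[str]  # e.g. "2^20"
    mki: Optional[str]       # "<mki>:<length>" when present, else None


def parse_crypto_attr(line: str) -> CryptoAttr:
    """Parse 'a=crypto:<tag> <suite> inline:<base64>[|lifetime][|mki:len]'."""
    if line.startswith("a="):
        line = line[2:]
    if not line.startswith("crypto:"):
        raise SdesError("not a crypto attribute")
    fields = line[len("crypto:"):].split()
    if len(fields) < 3:
        raise SdesError("malformed crypto attribute")
    tag, suite = int(fields[0]), fields[1]
    key_params = fields[2].split(";")[0]          # first key only
    if not key_params.startswith("inline:"):
        raise SdesError("RFC 4568 defines only the inline key method")
    parts = key_params[len("inline:"):].split("|")
    try:
        key_salt = base64.b64decode(parts[0], validate=True)
    except binascii.Error as exc:
        raise SdesError(f"bad base64 key material: {exc}") from exc
    lifetime, mki = None, None
    for extra in parts[1:]:                       # lifetime has no ':', MKI does
        if ":" in extra:
            mki = extra
        else:
            lifetime = extra
    return CryptoAttr(tag, suite, key_salt, lifetime, mki)


def choose_inbound_suite(sdp_lines: List[str], secure_media_enabled: bool) -> Optional[CryptoAttr]:
    """Inbound rules: enabled -> SRTP with a supported suite is mandatory;
    disabled -> plain RTP is mandatory. Returns the accepted attribute, None for a
    plain-RTP call, and raises SdesError when the call must be rejected."""
    offers = [parse_crypto_attr(l) for l in sdp_lines if l.startswith("a=crypto:")]
    if not secure_media_enabled:
        if offers:
            raise SdesError("Secure Media disabled: SRTP offer rejected")
        return None
    if not offers:
        raise SdesError("Secure Media enabled: non-encrypted offer rejected")
    for attr in offers:                           # offerer's order = its preference
        if attr.suite not in SUPPORTED_SUITES:
            continue
        if attr.mki is not None:
            continue                              # assumption: MKI-bearing attribute is unusable
        if len(attr.key_salt) != KEY_SALT_LEN:
            raise SdesError(f"wrong master key/salt length for {attr.suite}")
        return attr
    raise SdesError("no acceptable crypto suite offered")


def call_accepted(sdp_lines: List[str], secure_media_enabled: bool) -> bool:
    """Convenience wrapper: True when the offer is not rejected."""
    try:
        choose_inbound_suite(sdp_lines, secure_media_enabled)
        return True
    except SdesError:
        return False


def outbound_crypto_attr(tag: int = 1) -> str:
    """The single crypto line an outbound secure=true call offers: one suite, fresh
    random master key+salt, no MKI."""
    key_salt = secrets.token_bytes(KEY_SALT_LEN)
    return f"a=crypto:{tag} AES_CM_128_HMAC_SHA1_80 inline:{base64.b64encode(key_salt).decode()}"


# Constructed sample offer (keys are filler bytes, not real material): the offerer
# prefers an unsupported 256-bit suite, then a supported suite that carries an MKI,
# then a supported suite without one.
SAMPLE_OFFER = [
    "m=audio 5004 RTP/SAVP 0",
    "a=crypto:1 AES_256_CM_HMAC_SHA1_80 inline:" + base64.b64encode(b"\x11" * 46).decode(),
    "a=crypto:2 AES_CM_128_HMAC_SHA1_80 inline:" + base64.b64encode(b"\x22" * 30).decode() + "|2^20|1:4",
    "a=crypto:3 AES_CM_128_HMAC_SHA1_32 inline:" + base64.b64encode(b"\x33" * 30).decode() + "|2^20",
]

if __name__ == "__main__":
    chosen = choose_inbound_suite(SAMPLE_OFFER, secure_media_enabled=True)
    print(f"accepted tag {chosen.tag} suite {chosen.suite}")
    print(outbound_crypto_attr())
```

With Secure Media enabled the sample offer is accepted on tag 3 (the first supported suite without an MKI); with it disabled the same offer is rejected outright, and a plain RTP/AVP offer is accepted only when it is disabled.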

Importing Twilio's root CA certificate

TLS is used to encrypt SIP signaling between SIP endpoints. For this to work, the devices in your network that terminate TLS towards Twilio must import the issuing CA's certificate. Twilio's certificates are issued by a Certificate Authority (CA); add the following root certificate to your communications infrastructure so that it can verify Twilio's identity on the network. Download Twilio's CA certificate.

Note that Twilio uses a wildcard certificate, which covers multiple subdomains of a single domain (*.sip.twilio.com). If your network element does not support wildcard certificates, disable certificate validation. Be aware that doing so keeps the signaling encrypted but removes the check that the TLS peer is actually Twilio.
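The following Python snippet is an added example, not Twilio or PJSIP code. It shows what "supporting a wildcard certificate" means in practice by matching a host name against a certificate name such as *.sip.twilio.com under two policies: the RFC 6125-style rule most network elements apply (a left-most `*` label matches exactly one label), and the RFC 5922 section 7.2 rule for SIP domain identity, under which wildcard names never match. The SAN list and function names are constructed for this example.

```python
"""Host-name matching against a wildcard certificate name.
Added example, not Twilio or PJSIP code. Partial wildcards (ex*.sip.twilio.com) are
rejected here, which is stricter than RFC 6125 permits."""
from typing import Iterable


def hostname_matches(presented: str, expected: str, allow_wildcard: bool = True) -> bool:
    """Return True when certificate name `presented` identifies host `expected`.

    allow_wildcard=True  -> RFC 6125-style matching (typical TLS clients)
    allow_wildcard=False -> RFC 5922 section 7.2 SIP rule: wildcards never match
    """
    presented = presented.lower().rstrip(".")
    expected = expected.lower().rstrip(".")
    if "*" not in presented:
        return presented == expected
    if not allow_wildcard:
        return False
    p_labels, e_labels = presented.split("."), expected.split(".")
    # The wildcard must be the whole left-most label, must leave at least two labels
    # after it (never "*.com"), and covers exactly one label of the host name.
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(e_labels):
        return False
    return p_labels[1:] == e_labels[1:]


def verify_peer_name(cert_names: Iterable[str], host: str, allow_wildcard: bool = True) -> bool:
    """Check a host against every dNSName subjectAltName the peer certificate carries."""
    return any(hostname_matches(name, host, allow_wildcard) for name in cert_names)


# Constructed SAN list shaped like the wildcard certificate described above.
TWILIO_LIKE_SANS = ["*.sip.twilio.com"]

if __name__ == "__main__":
    for host in ("example.sip.twilio.com", "a.b.sip.twilio.com", "sip.twilio.com"):
        print(host,
              "rfc6125:", verify_peer_name(TWILIO_LIKE_SANS, host),
              "rfc5922:", verify_peer_name(TWILIO_LIKE_SANS, host, allow_wildcard=False))
```

A single-label subdomain such as example.sip.twilio.com matches under the first policy and fails under the second; that second result is the condition a strict SIP stack reports when it sees this certificate, and what "disable certificate validation" papers over.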

TLS/SRTP support in Asterisk

Asterisk ships with the chan_sip driver by default, and it works correctly with Twilio. If, for whatever reason, you use the PJSIP driver with Asterisk, note the following:

Here is a guide to installing a non-bundled version of PJSIP. Change the version to 2.5.5 in the steps.

Asterisk 13.8 cert2 bundles PJSIP 2.5 by default, which does not work with Twilio for TLS/SRTP. Non-encrypted calls still work.

Make sure to use the latest PJSIP driver, which at this time is 2.5.5.

You may see the following message in your log:

ERROR[10886]: pjproject:0 <?>: tlsc0x7f217c03 RFC 5922 (section 7.2) does not allow TLS wildcard certificates. Advise your SIP provider, please!

This message can be ignored. PJSIP is reporting that RFC 5922 section 7.2 disallows wildcard names for SIP domain certificates; it is triggered by the wildcard certificate described above.
