TLS on a SIP Trunk

Status
Not open for further replies.

dig1234

Does 3cx support TLS for SIP Trunks?
I have SRTP and SIP-TLS working internally on my phones. I can't find the option to enable TLS for the VoIP provider (they have it enabled on their end). I only have a checkbox for SRTP, but that's a smokescreen if the SIP is sent in the clear, since the keys are contained in the SDP.
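The point in the opening post, that SRTP keyed through the SDP is only as private as the SIP signaling carrying it, can be checked on captured signaling. The following is an added example, not part of any post in this thread and not 3CX code; the sample INVITE, host names and key string are constructed, and `audit_sip_message` is a hypothetical helper name.

```python
import re

# Constructed INVITE offering SRTP with SDES keying (a=crypto, RFC 4568).
# Hosts, tags and the key string are made up for this example.
SAMPLE_INVITE_TEMPLATE = (
    "INVITE sip:15550100@trunk.example.net SIP/2.0\r\n"
    "Via: SIP/2.0/{transport} pbx.example.org;branch=z9hG4bKconstructed\r\n"
    "From: <sip:100@pbx.example.org>;tag=1\r\n"
    "To: <sip:15550100@trunk.example.net>\r\n"
    "Call-ID: constructed-1@pbx.example.org\r\n"
    "CSeq: 1 INVITE\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "o=- 1 1 IN IP4 192.0.2.10\r\n"
    "s=-\r\n"
    "c=IN IP4 192.0.2.10\r\n"
    "t=0 0\r\n"
    "m=audio 40000 RTP/SAVP 0 8\r\n"
    "a=crypto:1 AES_CM_128_HMAC_SHA1_80 "
    "inline:Q09OU1RSVUNURURLRVlOT1RSRUFMMDAwMDAwMDAwMDAw\r\n"
)


def audit_sip_message(raw):
    """Return one finding per media stream; key material is never echoed."""
    head, _, body = raw.partition("\r\n\r\n")
    # The topmost Via header names the transport used on the last hop.
    via = re.search(r"^(?:Via|v):\s*SIP/2\.0/(\w+)", head, re.M | re.I)
    transport = via.group(1).upper() if via else "UNKNOWN"
    findings, media = [], None
    for line in body.splitlines():
        if line.startswith("m="):
            kind, _port, proto = line[2:].split()[:3]
            media = {"media": kind, "srtp": "SAVP" in proto, "sdes_keys": 0}
            findings.append(media)
        elif line.startswith("a=crypto:") and media is not None:
            if re.search(r"\binline:[A-Za-z0-9+/=]+", line):
                media["sdes_keys"] += 1
    for f in findings:
        f["transport"] = transport
        # SDES keys on a hop that is not TLS are readable by anyone on path.
        f["key_exposed"] = f["sdes_keys"] > 0 and transport not in ("TLS", "WSS")
    return findings


if __name__ == "__main__":
    for transport in ("UDP", "TLS"):
        print(audit_sip_message(SAMPLE_INVITE_TEMPLATE.format(transport=transport)))
```
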
 
We do not have this..
Very few providers are having this feature.. because the threat is in the LAN.. no one is going to be sitting beyond your border firewall stealing your traffic - remember this is between your ISP and your VoIP provider in its datacenter.. This is not in production use..
Would you tell me the provider name?
 
I disagree. This is a very important protection for businesses in healthcare or banking and for anyone concerned about voice privacy. Passive sniffing on any of the internet routers between the 3cx and the trunk provider is a real concern nowadays.
Two providers which I am aware of that support this here in the US are siptrunk.com and sip.us

Not to get too philosophical, but according to your reasoning that it's "between you and your ISP", there is no need for HTTPS websites or encrypted VPN.
 
Absolutely there is the need yes... But to be frank with all due respect, we are talking about real time traffic here.. not a static webpage...
Look around you - I am not seeing VoIP providers shouting about this..
Let's try and get these guys supported and we will see... how do other PBXs work with these? Do you know? Can you ask them?
 
-I know this is supported on certain other platforms. One that stands out is SONUS which many voip providers use for their SBC.

-Doesn't seem like it should be a big deal to implement considering you already support TLS from handset to the server. (which I have working on a Yealink phone). It basically just requires 3cx server opening a secure socket to the trunk server instead of a plaintext one. It does not require any certificate generation on 3cx side that is all handled on Voip provider's end. In fact as they are signed by a publicly trusted CA there wouldn't even need to be a CA cert imported to 3cx.

-siptrunk.com is officially supported by 3CX. sip.us is compatible but not officially supported to my knowledge.
 
3CX,

This is definitely a feature we would be interested in and would be willing to work with you on. As noted by your customer, there are certain industries where the privacy of the media stream is important. By ensuring that the data is encrypted from the 3CX server to our gateway, it would mitigate the possibility of an attacker listening to the stream via a device in the datacenter on either end, and also would render attacking the PBX directly a moot point.

I would have you think from an attacker's perspective. I spot a high profile target talking on a cell phone (using the 3CX app) on a public network. My sniffing indicates that the stream is encrypted and so I cannot harvest the data I need on that network. However, I can see the server he is connecting to. I now have my next attack vector (the IP address of the server he's connected to). I will begin to attack that server. Given enough time and the typical lax security of a private network, combined with the juiciness of my target, I may find a way into your server. With SIPS and RTSP to the provider, however, my attack just became that much more complicated. I now have to crack the provider's network, sift through all of their calls to find the traffic I am looking for, and then harvest the data I need (and this assumes that the traffic there is unencrypted). The attack becomes increasingly more complicated, and the return on investment diminishes which is exactly what your customer is after.
 
Agreed - Let's work and see what we can do.. do not get me wrong - we wanted to do this... But we looked around and honestly very very few companies offered this..
We will take this offline..
 
Lifecell & Turkcell support only TLS for SIP...

What can I do?
 
Hello everybody

Is this still true in 2017? I really can't believe 3CX is not able to use TLS to the SIP trunk. Almost any provider supports it, and yes, everybody should care that their data is encrypted also beyond your own router!

Can anybody confirm this striking lack of encryption in 3CX? When is this going to be fixed?

Best regards
Rainer
 
Lifecell & Turkcell support only TLS for SIP...

What can I do?

We also use lifecell.
For now we have decided against purchasing.
 
Hmmm. Perhaps if security is important you could use a PSTN Gateway. Or route confidential calls via that route and other calls via SIP trunks.

Just a suggestion. I suspect a secure SIP trunk, which is definitely a good idea, would probably cost more anyway. But what happens to security after the call leaves the VOIP provider? Security is only as good as the weakest link.

We have a Patton ISDN BRI gateway as an alternative route in the event the SIP trunks fail for some reason. It has performed very well and it also improves system resilience which is another important issue.
 