TLS on a SIP Trunk

Discussion in '3CX Phone System - General' started by dig1234, Dec 8, 2015.

Thread Status:
Not open for further replies.
  1. dig1234

    Joined:
    Jun 1, 2015
    Messages:
    75
    Likes Received:
    0
    Does 3cx support TLS for SIP Trunks?
    I have SRTP and SIP-TLS working internally on my phones. I can't find the option to enable TLS for the VoIP provider (they have it enabled on their end). I only have a checkbox for SRTP, but that's a smokescreen if the SIP is sent in the clear, since the keys are contained in the SDP.
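
Added example (not part of the original post and not 3CX code): a passive audit of a captured SIP message illustrating the point above, that SDES `a=crypto` keys carried in the SDP are readable on any hop where the signalling is not TLS. The sample INVITE, host names and key string are constructed, and the function name `audit_sip_message` is hypothetical.

```python
import re

# Constructed sample INVITE (not real traffic); the key string is a placeholder.
SAMPLE_INVITE = (
    "INVITE sip:15551230000@trunk.example.net SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 203.0.113.10:5060;branch=z9hG4bKconstructed\r\n"
    "From: <sip:100@pbx.example.org>;tag=1\r\n"
    "To: <sip:15551230000@trunk.example.net>\r\n"
    "Call-ID: constructed-1@pbx.example.org\r\n"
    "CSeq: 1 INVITE\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "o=- 1 1 IN IP4 203.0.113.10\r\n"
    "s=-\r\n"
    "c=IN IP4 203.0.113.10\r\n"
    "t=0 0\r\n"
    "m=audio 40000 RTP/SAVP 0\r\n"
    "a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:CONSTRUCTED-PLACEHOLDER-NOT-A-REAL-KEY\r\n"
)

# Topmost Via header (long or compact form) names the transport of this hop.
VIA_RE = re.compile(r"^(?:Via|v)\s*:\s*SIP/2\.0/(\w+)", re.I | re.M)
# SDES key offer (RFC 4568): a=crypto:<tag> <suite> inline:<key||salt>
CRYPTO_RE = re.compile(r"^a=crypto:(\d+)\s+(\S+)\s+inline:", re.M)


def audit_sip_message(raw):
    """Report whether SRTP keys in the SDP travel over unprotected signalling."""
    head, _, body = raw.partition("\r\n\r\n")
    via = VIA_RE.search(head)
    transport = via.group(1).upper() if via else "UNKNOWN"
    # Record only the suite names; the key material itself is never returned.
    suites = [suite for _tag, suite in CRYPTO_RE.findall(body)]
    exposed = bool(suites) and transport not in ("TLS", "WSS")
    return {"transport": transport, "sdes_suites": suites, "keys_exposed": exposed}


if __name__ == "__main__":
    print(audit_sip_message(SAMPLE_INVITE))
```

The Via transport only describes the hop the capture was taken on, so a clean result on the PBX-to-provider leg says nothing about hops beyond the provider.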
     
  2. nb

    nb Support Team
    Staff Member 3CX Support

    Joined:
    Jun 7, 2007
    Messages:
    2,097
    Likes Received:
    142
    We do not have this..
    Very few providers have this feature.. because the threat is in the LAN.. no one is going to be sitting beyond your border firewall stealing your traffic - remember this is between your ISP and your VoIP provider in its datacenter.. This is not in production use..
    Would you tell me the provider name?
     
  3. dig1234

    Joined:
    Jun 1, 2015
    Messages:
    75
    Likes Received:
    0
    I disagree. This is a very important protection for businesses in healthcare or banking and for anyone concerned about voice privacy. Passive sniffing on any of the internet routers between the 3cx and the trunk provider is a real concern nowadays.
    Two providers which I am aware of that support this here in the US are siptrunk.com and sip.us

    Not to get too philosophical, but according to your reasoning that it's "between you and your ISP", there is no need for HTTPS websites or encrypted VPN.
     
  4. nb

    nb Support Team
    Staff Member 3CX Support

    Joined:
    Jun 7, 2007
    Messages:
    2,097
    Likes Received:
    142
    Absolutely there is the need yes... But to be frank with all due respect, we are talking about real time traffic here.. not a static webpage...
    Look around you - I am not seeing VoIP providers shouting about this..
    Let's try and get these guys supported and we will see... how do other PBXs work with these? Do you know? Can you ask them?
     
  5. dig1234

    Joined:
    Jun 1, 2015
    Messages:
    75
    Likes Received:
    0
    - I know this is supported on certain other platforms. One that stands out is SONUS, which many VoIP providers use for their SBC.

    - Doesn't seem like it should be a big deal to implement, considering you already support TLS from handset to the server (which I have working on a Yealink phone). It basically just requires the 3CX server opening a secure socket to the trunk server instead of a plaintext one. It does not require any certificate generation on the 3CX side; that is all handled on the VoIP provider's end. In fact, as they are signed by a publicly trusted CA, there wouldn't even need to be a CA cert imported to 3CX.

    - siptrunk.com is officially supported by 3CX. sip.us is compatible but not officially supported to my knowledge.
     
  6. kentsipus

    Joined:
    Dec 9, 2015
    Messages:
    1
    Likes Received:
    0
    3CX,

    This is definitely a feature we would be interested in and would be willing to work with you on. As noted by your customer, there are certain industries where the privacy of the media stream is important. By ensuring that the data is encrypted from the 3CX server to our gateway, it would mitigate the possibility of an attacker listening to the stream via a device in the datacenter on either end, and also would render attacking the PBX directly a moot point.

    I would have you think from an attacker's perspective. I spot a high profile target talking on a cell phone (using the 3CX app) on a public network. My sniffing indicates that the stream is encrypted and so I cannot harvest the data I need on that network. However, I can see the server he is connecting to. I now have my next attack vector (the IP address of the server he's connected to). I will begin to attack that server. Given enough time and the typical lax security of a private network, combined with the juiciness of my target, I may find a way into your server. With SIPS and RTSP to the provider, however, my attack just became that much more complicated. I now have to crack the provider's network, sift through all of their calls to find the traffic I am looking for, and then harvest the data I need (and this assumes that the traffic there is unencrypted). The attack becomes increasingly more complicated, and the return on investment diminishes which is exactly what your customer is after.
     
  7. nb

    nb Support Team
    Staff Member 3CX Support

    Joined:
    Jun 7, 2007
    Messages:
    2,097
    Likes Received:
    142
    Agreed - Let's work and see what we can do.. do not get me wrong - we wanted to do this... But we looked around and honestly very very few companies offered this..
    We will take this offline..
     
  8. postmaster

    Joined:
    Jan 4, 2017
    Messages:
    1
    Likes Received:
    0
    Lifecell & Turkcell support only TLS for SIP...

    What can I do?
     
  9. rvjr

    Joined:
    Feb 27, 2017
    Messages:
    1
    Likes Received:
    1
    Hello everybody

    Is this still true in 2017? I really can't believe 3CX is not able to use TLS to the SIP trunk. Almost any provider supports it, and yes, everybody should care that their data is encrypted also beyond your own router!

    Can anybody confirm this striking lack of encryption in 3CX? When is this going to be fixed?

    Best regards
    Rainer
     
    shenwei likes this.
  10. 910855

    Joined:
    Feb 28, 2017
    Messages:
    1
    Likes Received:
    0
    We also use lifecell.
    For now we have decided against purchasing.
     
  11. Sopock

    Sopock Member

    Joined:
    Jul 11, 2012
    Messages:
    448
    Likes Received:
    20
  12. LiscardGP

    Joined:
    Sep 29, 2011
    Messages:
    54
    Likes Received:
    0
    Hmmm. Perhaps if security is important you could use a PSTN Gateway. Or route confidential calls via that route and other calls via SIP trunks.

    Just a suggestion. I suspect a secure SIP trunk, which is definitely a good idea, would probably cost more anyway. But what happens to security after the call leaves the VOIP provider? Security is only as good as the weakest link.

    We have a Patton ISDN BRI gateway as an alternative route in the event the SIP trunks fail for some reason. It has performed very well and it also improves system resilience which is another important issue.
     