Closed eric-brechemier closed 2 years ago
Twilio does appear to support call encryption now: under the SIP domain settings you can enable "Secure Media", and enable "SRTP" and "Mandatory Encryption" under Linphone's "Calls and Chat" settings.
@AmIJesse Thank you for the heads-up. I'll try it out.
Secure Media
Secure Media uses encryption to ensure that the call media and associated signaling remains private during transmission. Transport Layer Security (TLS) provides encryption for SIP signaling. Secure Real-time Transport Protocol (SRTP) provides encryption for call content/media packets.
SRTP provides a framework for the encryption of RTP & RTCP. RFC 4568, Session Description Protocol (SDP) Security Description (SDES) for Media Streams, defines such a protocol specifically designed to exchange cryptographic material using a newly defined SDP crypto attribute.
Inbound:
You can enable or disable Secure Media in your SIP Domain. It is disabled by default.
You can expect the following:
- Enabled: TLS must be used to encrypt SIP messages and SRTP must be used for the media packets. Any non-encrypted calls will be rejected.
- Disabled: RTP must be used for media packets. SIP messages may be sent in the clear or using TLS. Any SRTP encrypted calls will be rejected.
Info:
- SRTP supports the following crypto suites: AES_CM_128_HMAC_SHA1_80 and AES_CM_128_HMAC_SHA1_32. Both may be included in an order of preference.
- The optional master key identifier (MKI) parameter is not supported.
Outbound:
Ensure you configure the secure=true parameter as part of the SIP URI to secure media in SIP outbound calls.
<?xml version="1.0" encoding="UTF-8"?>
<Response>
<Dial>
<Sip>sip:jack@example.com;secure=true</Sip>
</Dial>
</Response>
The default port 5061 will be used for TLS.
Info:
- Only a single crypto suite for SRTP will be included: AES_CM_128_HMAC_SHA1_80
- The optional master key identifier (MKI) parameter is not supported.
Importing Twilio's Root CA Certificate
TLS is used to encrypt SIP signaling between SIP endpoints. In order for this to function properly, it is required that certain devices in your network import an SSL certificate. Twilio uses certificates from a CA (Certificate Authority). It is important that you add the following root certificate to your communications infrastructure to establish its authenticity on the network. Download Twilio's CA certificate.
It is important to note that Twilio uses a wildcard certificate which can be used for multiple subdomains of a domain (*.sip.twilio.com). If your network element does not support wildcarded certificates please disable certificate validation. (...) — https://www.twilio.com/docs/voice/api/secure-media
Also:
Transport
Set a parameter on your SIP URI to specify what transport protocol you want to use. Currently, this is limited to UDP, TCP and TLS. By default, Twilio sends your SIP INVITE over UDP. Change this by using the transport parameter:
<?xml version="1.0" encoding="UTF-8"?>
<Response>
<Dial>
<Sip>sip:jack@example.com;transport=tcp</Sip>
</Dial>
</Response>
Alternatively, you may customize it to use TLS for SIP signaling. When using TLS, the default port will be 5061; however, a different one may be specified.
<?xml version="1.0" encoding="UTF-8"?>
<Response>
<Dial>
<Sip>sip:jack@example.com;transport=tls</Sip>
</Dial>
</Response>
I have updated the corresponding section of the step by step setup:
(…)
I have also added instructions to configure call encryption in Linphone. The option to send SIP registration over TLS was already selected.
(…)
Open Linphone > Preferences > Calls and Chat.
Under Calls, click the button. I also chose to make encryption mandatory, just to make sure.
Note: Twilio will neither accept unencrypted calls on a domain where encryption has been enabled, nor encrypted calls on a domain where it has not been enabled. Once encryption has been enabled for a SIP domain, you have to use it, otherwise all your calls will get rejected.
With these two changes, SIP registrations and calls are now expected to be encrypted.
Linphone shows outgoing calls as encrypted with SRTP:
As noted by user _Eduardosquidwardo on Reddit, the "Encryption is mandatory" option must not be selected at this point.
Otherwise, incoming calls are rejected by Linphone, which answers:
SIP/2.0 488 Not acceptable here
after the SDP offer/answer process fails:
Doing SDP offer/answer process of type incoming
Declining mline 0, no corresponding stream in local capabilities description.
While when "Encryption is mandatory" is disabled, the SDP offer/answer process succeeds with:
Doing SDP offer/answer process of type incoming
Found matching configurations: local configuration index 0 remote offered configuration index 0
Linphone shows that incoming calls are not encrypted:
I have disabled the "Encryption is mandatory" option for now, until I find how to encrypt incoming calls as well.
(…)
If you choose to make encryption mandatory, incoming calls will get rejected unless they are encrypted as well. This option must not be checked at this point.
This is the behavior described in the Secure Media documentation.
The Secure Media option of SIP domains applies to inbound calls only. When enabled, SRTP encryption must be used by the Linphone client, or calls will get rejected.
For outbound calls, an extra parameter must be included in the <Sip> URL of the <Dial> verb in TwiML:
Ensure you configure the secure=true parameter as part of the SIP URI to secure media in SIP outbound calls.
<?xml version="1.0" encoding="UTF-8"?>
<Response>
<Dial>
<Sip>sip:jack@example.com;secure=true</Sip>
</Dial>
</Response>
After this change in the TwiML Bin Receiving Calls from Regular Phones to SIP, incoming calls are now encrypted with SRTP as well:
It becomes possible to make encryption mandatory, and incoming calls are no longer rejected, since they are encrypted:
Two parameters must be set in the SIP URL:
- transport=tls to encrypt the SIP INVITE,
- secure=true to encrypt the incoming SIP call.
Including both parameters in the URL leads the call to fail, when Linphone requires encryption, in the same way as when no call encryption was applied:
2022-02-19 19:58:44:083 [linphone/liblinphone] MESSAGE Doing SDP offer/answer process of type incoming
2022-02-19 19:58:44:083 [linphone/liblinphone] MESSAGE Declining mline 0, no corresponding stream in local capabilities description.
and disabling this requirement, the incoming call is no longer encrypted.
It thus appears that usage of secure=true, described in the Secure Media documentation, is superseding the more limited transport=tls parameter described in the documentation of the TwiML <Sip> noun.
I'll use secure=true alone from this point.
Calls are now encrypted.
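The offer/answer outcome behind the two log excerpts above, modelled as an added example (this is not Linphone's or Twilio's code): a callee with encryption mandatory declines a media line that offers plain RTP/AVP with no RFC 4568 crypto attribute, which is what produces the "Declining mline 0" message and the 488 response, while an RTP/SAVP offer carrying a supported suite is accepted. The sample SDP offers and the key material in them are constructed placeholders.

```python
# Simplified model of the callee side of SDP offer/answer (added example, not
# liblinphone's implementation). RTP/SAVP is the SRTP profile; the crypto
# suites listed are the two named in the Twilio Secure Media documentation.
SUPPORTED_SUITES = ("AES_CM_128_HMAC_SHA1_80", "AES_CM_128_HMAC_SHA1_32")

def parse_media_sections(sdp: str) -> list:
    """One dict per m= line: its transport profile and the crypto suites offered for it."""
    sections = []
    for line in sdp.splitlines():
        if line.startswith("m="):
            # m=<media> <port> <proto> <fmt> ...
            sections.append({"proto": line.split()[2], "suites": []})
        elif line.startswith("a=crypto:") and sections:
            # a=crypto:<tag> <crypto-suite> <key-params> [<session-params>]  (RFC 4568)
            sections[-1]["suites"].append(line[len("a=crypto:"):].split()[1])
    return sections

def answer_offer(sdp: str, encryption_mandatory: bool) -> dict:
    """Decide each media line of an incoming offer.

    An SRTP line is accepted when a mutually supported suite is offered; a plain
    RTP line is accepted only when encryption is not mandatory. A line with no
    acceptable configuration is declined, and when every line is declined the
    call is answered with 488 Not Acceptable Here.
    """
    decisions = []
    for sec in parse_media_sections(sdp):
        mutual = [s for s in sec["suites"] if s in SUPPORTED_SUITES]
        if sec["proto"] == "RTP/SAVP" and mutual:
            decisions.append(("accept", mutual[0]))   # encrypted, first common suite
        elif sec["proto"] == "RTP/AVP" and not encryption_mandatory:
            decisions.append(("accept", None))        # unencrypted, tolerated
        else:
            decisions.append(("decline", None))       # no matching local stream
    accepted = any(kind == "accept" for kind, _ in decisions)
    return {"status": 200 if accepted else 488, "mlines": decisions}

# Constructed sample offers (not captured traffic); the inline key is a placeholder.
PLAIN_OFFER = "v=0\r\nm=audio 10000 RTP/AVP 0 8\r\na=rtpmap:0 PCMU/8000\r\n"
SRTP_OFFER = (
    "v=0\r\nm=audio 10000 RTP/SAVP 0 8\r\n"
    "a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:PLACEHOLDER_BASE64_KEY_AND_SALT\r\n"
)

if __name__ == "__main__":
    for name, offer in (("plain RTP", PLAIN_OFFER), ("SRTP", SRTP_OFFER)):
        for mandatory in (False, True):
            print(name, "mandatory" if mandatory else "optional", answer_offer(offer, mandatory))
```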
I combined SIP parameters with & instead of ;. Let's try again.
The format of SIP URLs is described in RFC 2543:
SIP-URL         = "sip:" [ userinfo "@" ] hostport
                  url-parameters [ headers ]
userinfo        = user [ ":" password ]
user            = *( unreserved | escaped
                  | "&" | "=" | "+" | "$" | "," )
password        = *( unreserved | escaped
                  | "&" | "=" | "+" | "$" | "," )
hostport        = host [ ":" port ]
host            = hostname | IPv4address
hostname        = *( domainlabel "." ) toplabel [ "." ]
domainlabel     = alphanum | alphanum *( alphanum | "-" ) alphanum
toplabel        = alpha | alpha *( alphanum | "-" ) alphanum
IPv4address     = 1*digit "." 1*digit "." 1*digit "." 1*digit
port            = *digit
url-parameters  = *( ";" url-parameter )
url-parameter   = transport-param | user-param | method-param
                  | ttl-param | maddr-param | other-param
transport-param = "transport=" ( "udp" | "tcp" )
ttl-param       = "ttl=" ttl
ttl             = 1*3DIGIT ; 0 to 255
maddr-param     = "maddr=" host
user-param      = "user=" ( "phone" | "ip" )
method-param    = "method=" Method
tag-param       = "tag=" UUID
UUID            = 1*( hex | "-" )
other-param     = ( token | ( token "=" ( token | quoted-string )))
headers         = "?" header *( "&" header )
header          = hname "=" hvalue
hname           = 1*uric
hvalue          = *uric
uric            = reserved | unreserved | escaped
reserved        = ";" | "/" | "?" | ":" | "@" | "&" | "=" | "+" |
                  "$" | ","
digits          = 1*DIGIT
Figure 3: SIP URL syntax
Both parameters can be included in this way:
<Sip>sip:jack@example.com;transport=tls;secure=true</Sip>
The previous form resulted in invalid parameter values:
transport: tls&secure=true
or
secure: true&transport=tls
I updated the description of Linphone client setup, adding the possibility to make encryption of inbound calls required.
(…)
I also updated the description of the steps to configure the TwiML Bin script Receiving Phone Calls from Regular Phones to SIP:
(…)
<?xml version="1.0" encoding="UTF-8"?>
<Response>
<Dial>
<Sip>sip:me@1-202-555-0162.sip.us1.twilio.com;transport=tls;secure=true</Sip>
</Dial>
</Response>
(…)
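The parsing mistake described in the comment above, shown with an added example that is not part of the issue thread: a small SIP URL parser following the RFC 2543 grammar quoted there. url-parameters are split on ";" and headers (after "?") on "&", so "transport=tls&secure=true" is a single parameter whose value is "tls&secure=true", and the "secure" parameter is simply absent. The helper names and the regular expression are this example's own.

```python
import re
from urllib.parse import unquote

# SIP-URL = "sip:" [ userinfo "@" ] hostport url-parameters [ headers ]
# Simplified from RFC 2543 Figure 3; IPv6 hosts and quoted-string values are not handled.
SIP_URI_RE = re.compile(
    r"^sip:(?:(?P<user>[^:@]*)(?::(?P<password>[^@]*))?@)?"  # optional userinfo
    r"(?P<host>[^:;?]+)(?::(?P<port>\d+))?"                    # hostport
    r"(?P<params>(?:;[^;?]*)*)"                                 # *( ";" url-parameter )
    r"(?:\?(?P<headers>.*))?$"                                  # "?" header *( "&" header )
)

def parse_sip_uri(uri: str) -> dict:
    """Split a SIP URL into userinfo, hostport, url-parameters and headers.

    Parameters are ';'-separated, so an '&' inside a parameter is just part of
    its value; only the header section after '?' uses '&' as a separator.
    """
    m = SIP_URI_RE.match(uri)
    if not m:
        raise ValueError(f"not a SIP URL: {uri!r}")
    params = {}
    for raw in filter(None, m.group("params").split(";")):
        name, _, value = raw.partition("=")   # other-param may be a bare token
        params[name.lower()] = unquote(value)
    headers = {}
    if m.group("headers"):
        for raw in m.group("headers").split("&"):
            name, _, value = raw.partition("=")
            headers[unquote(name)] = unquote(value)
    return {
        "user": m.group("user"),
        "host": m.group("host"),
        "port": int(m.group("port")) if m.group("port") else None,
        "params": params,
        "headers": headers,
    }

def secure_media_requested(uri: str) -> bool:
    """True only when 'secure' is a url-parameter of its own with the value 'true'."""
    return parse_sip_uri(uri)["params"].get("secure") == "true"

if __name__ == "__main__":
    for uri in ("sip:jack@example.com;transport=tls;secure=true",
                "sip:jack@example.com;transport=tls&secure=true",
                "sip:jack@example.com;secure=true&transport=tls"):
        print(uri, "->", parse_sip_uri(uri)["params"], "secure media:", secure_media_requested(uri))
```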
@AmIJesse Thanks! Starting from your input, I have finally made the changes to successfully encrypt phone calls.
Twilio does not currently support encryption of calls registered with Twilio's endpoint. Encrypted transport is only supported with SIP trunking: