espressif / esp-adf

Espressif Audio Development Framework

TLS for VoIP (sip protocol) #1020

Closed Gaai closed 1 year ago

Gaai commented 1 year ago

Encrypting voip data makes sense in almost any practical context, right? Looking through the protocol code and libraries I see TLS and SSL certificates mentioned here and there. It seems TLS is supported for the sip protocol. But I am not sure how to set it up. Would be great if you could offer some documentation on how to get it working with the project examples for sip and rtc.

So far I've found that there are multiple certificate settings in sdkconfig. By default the ESP-TLS section (there are more) looks like this:

#
# ESP-TLS
#
CONFIG_ESP_TLS_USING_MBEDTLS=y
# CONFIG_ESP_TLS_USE_SECURE_ELEMENT is not set
# CONFIG_ESP_TLS_CLIENT_SESSION_TICKETS is not set
# CONFIG_ESP_TLS_SERVER is not set
# CONFIG_ESP_TLS_PSK_VERIFICATION is not set
CONFIG_ESP_TLS_INSECURE=y
CONFIG_ESP_TLS_SKIP_SERVER_CERT_VERIFY=y
# end of ESP-TLS

So I'd need to change these in order to use tls.

Then there is the esp_rtc_config_t struct in sip_service.c. This looks like this by default (I've added the missing parameters commented out):

esp_rtc_config_t sip_service_config = {
    .ctx = av_stream,                           /*!< (pointer) RTC session user context */
    .local_addr = ip4addr_ntoa(&ip),            /*!< (pointer) Local address */
    .uri = uri,                                 /*!< (pointer) "Transport://user:pass@server:port/path" */
    .acodec_type = RTC_ACODEC_G711A,            /*!< Audio codec type */
    //.vcodec_info,                             /*!< (pointer) Video codec info */
    .data_cb = &data_cb,                        /*!< (pointer) RTC data callback */
    .event_handler = _esp_sip_event_handler,    /*!< RTC session event handler */
    //.use_public_addr = ,                      /*!< Use the public IP address returned by the server (RFC3581) */
    //.send_options = ,                         /*!< Use 'OPTIONS' messages replace keep-alive to server for keep NAT hole opened */
    //.keepalive = ,                            /*!< Send keep-alive or 'OPTIONS' messages interval in seconds (defaults is 30s) */
    //.cert_pem = ,                             /*!< (pointer) SSL server certification, PEM format as string, if the client requires to verify server */
    //.client_cert_pem = ,                      /*!< (pointer) SSL client certification, PEM format as string, if the server requires to verify client */
    //.client_key_pem = ,                       /*!< (pointer) SSL client key, PEM format as string, if the server requires to verify client */
    //.crt_bundle_attach = ,                    /*!< (pointer) Function pointer to esp_crt_bundle_attach. Enables the use of certification bundle for server verification, must be enabled in menuconfig */
};

So now I need to configure those parameters and populate them with correct keys and certificate data somehow. But how to do this in a safe way? The use of the certification bundle seems enabled in menuconfig by default already.

Lastly I would need to edit the uri to use tls instead of udp I guess? Some documentation on this all would be very helpful.

Gaai commented 1 year ago

I've found this and updated my question above with the additional info I've found here: https://github.com/espressif/esp-adf/issues/943#issue-1549905944

ahhfzhang commented 1 year ago

Hi @Gaai

  1. About TLS config, you can refer to the IDF http client example to configure it. ref: https://github.com/espressif/esp-idf/blob/master/examples/protocols/esp_http_client/main/esp_http_client_example.c

  2. TLS URI is based on this.

Best Regards.
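An added example (not esp-adf or ESP-IDF code) that turns the points from the question and the answer above into a pre-flight check on the TLS fields of esp_rtc_config_t: the URI must use a tls:// transport (assumed from the "Transport://..." comment), a server trust anchor must be present (cert_pem, or crt_bundle_attach which needs CONFIG_MBEDTLS_CERTIFICATE_BUNDLE in menuconfig), and a client certificate and key must come together. The struct is a constructed subset of esp_rtc_config_t so it compiles outside ESP-IDF, and the note about CONFIG_ESP_TLS_SKIP_SERVER_CERT_VERIFY assumes esp_rtc hands these fields to esp-tls unchanged.

```c
#include <stddef.h>
#include <string.h>
/* Same shape as esp_crt_bundle_attach (esp_err_t (*)(void *)); int stands in for esp_err_t. */
typedef int (*crt_bundle_attach_fn)(void *conf);
/* Constructed subset of esp_rtc_config_t: only the TLS-relevant fields. */
typedef struct {
    const char *uri;              /* "transport://user:pass@server:port/path" */
    const char *cert_pem;         /* server CA certificate, PEM string */
    const char *client_cert_pem;  /* client certificate, PEM (mutual TLS only) */
    const char *client_key_pem;   /* client private key, PEM (mutual TLS only) */
    crt_bundle_attach_fn crt_bundle_attach;
} sip_tls_fields_t;
enum sip_tls_check {
    SIP_TLS_OK = 0,
    SIP_TLS_ERR_NOT_TLS_URI,      /* uri does not start with tls:// */
    SIP_TLS_ERR_NO_TRUST_ANCHOR,  /* neither cert_pem nor crt_bundle_attach set */
    SIP_TLS_ERR_MTLS_HALF         /* client cert without key, or key without cert */
};
/* Returns SIP_TLS_OK only when the server can be authenticated. Under the
 * default sdkconfig shown above (CONFIG_ESP_TLS_SKIP_SERVER_CERT_VERIFY=y)
 * esp-tls still connects with no trust anchor set, just without verifying the
 * server certificate; this check fails loudly instead (assumes esp_rtc passes
 * these fields to esp-tls as-is). */
enum sip_tls_check sip_tls_check(const sip_tls_fields_t *c)
{
    if (c->uri == NULL || strncmp(c->uri, "tls://", 6) != 0)
        return SIP_TLS_ERR_NOT_TLS_URI;
    if (c->cert_pem == NULL && c->crt_bundle_attach == NULL)
        return SIP_TLS_ERR_NO_TRUST_ANCHOR;
    if ((c->client_cert_pem == NULL) != (c->client_key_pem == NULL))
        return SIP_TLS_ERR_MTLS_HALF;
    return SIP_TLS_OK;
}
/* Stand-in for esp_crt_bundle_attach so the example links without ESP-IDF. */
int stub_crt_bundle_attach(void *conf) { (void)conf; return 0; }
/* The issue's starting point (UDP URI, no certificate fields) next to a
 * hardened one that keeps the uri on tls:// and uses the certificate bundle.
 * Both URIs are constructed sample values. */
enum sip_tls_check check_issue_default(void)
{
    sip_tls_fields_t c = { .uri = "udp://user:pass@sip.example.test:5060" };
    return sip_tls_check(&c);
}
enum sip_tls_check check_hardened(void)
{
    sip_tls_fields_t c = { .uri = "tls://user:pass@sip.example.test:5061",
                           .crt_bundle_attach = stub_crt_bundle_attach };
    return sip_tls_check(&c);
}
```

Run it before esp_rtc_init() and refuse to start the SIP session on anything but SIP_TLS_OK; pair it with CONFIG_ESP_TLS_SKIP_SERVER_CERT_VERIFY unset so a missing anchor fails at handshake time too.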

Gaai commented 1 year ago

Will check it out soon as I get back. Thanks!

jason-mao commented 1 year ago

This topic has become inactive so I'm going to close the issue. Please reopen this if you have any questions or need any further assistance.