Security config updates
iplahte committed Nov 12, 2024
1 parent 110b73b commit 938b38b
Showing 1 changed file with 22 additions and 9 deletions.
31 changes: 22 additions & 9 deletions sipXwiki/security.rst
Expand Up @@ -4,25 +4,38 @@
Security
===================

sipXcom supports both secure signaling (TLS) and encrypted media (SRTP) for both trunks and extensions.
sipXcom supports a secure web interface, secure trunking and secure extensions via standard HTTPS, TLS, and SRTP protocols.

Certificates
----------------------

SSL certificates for sipXcom are configured under Settings - Security - Certificates.

Here you can enable a Let's Encrypt service that automatically generates and installs a valid SSL web certificate. Let's Encrypt certificates are authorized by the Internet Security Research Group (ISRG Root X1).
You may also import your own web certificates.

sipXcom also supports both secure signaling (TLS) and encrypted media (SRTP) for both trunks and extensions.
If you want to use SRTP for encrypted media, you must ensure all endpoints connected to sipXcom support SRTP, or calls may fail to connect.

.. note::
* The Let's Encrypt web certificate is reused in the sipXcom built in SBC used for SIP trunking.
* SIP extensions use automatically generated and auto-provisioned self-signed SSL certs.

If you want to use SRTP for encrypted media, you must ensure ALL endpoints connected to sipXcom support SRTP, or calls may fail to connect.

Secure Trunking
----------------------

sipXcom supports secure trunking in its internal SBC on port 5081.
sipXcom supports secure trunking for its built in SBC on port 5081.

These are the sipXcom config changes required to enable secure trunking for both signaling (TLS) and media (SRTP):

- Under Gateway configuration, select TLS as transport protocol and connect to the ITSP using a security enabled port such as 5061.

- The remote ITSP should connect to port 5081 on sipXcom.
- The remote ITSP should be configured to connect secure trunks to port 5081 on sipXcom.

- Under System - Services - Media Services - Server check Secure RTP if you want to encrypt media with SRTP.
- Under System - Services - Media Services - Server check Secure RTP if you want to encrypt all media with SRTP.

.. note::
* The Letsencrypt Web SSL security certs under Security settings are automatically reused for the internal SBC.
* The sipXcom SBC supports SDES type SRTP media negotiations, not DTLS as is common with WebRTC.

To test you have a valid public SSL cert on your SBC port 5081, run the following command:
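Review bot: the SRTP endpoint requirement now appears twice in this hunk, once under Certificates ("If you want to use SRTP for encrypted media, you must ensure all endpoints connected to sipXcom support SRTP, or calls may fail to connect.") and again just before Secure Trunking with "ALL" capitalised; keep one copy, preferably next to the Secure RTP checkbox step in Secure Trunking where the reader actually turns SRTP on, and drop the other. The SBC is named inconsistently as "internal SBC" (the note under Secure Trunking) and "built in SBC" (the Certificates note and the port 5081 sentence); pick one and hyphenate it as "built-in". Likewise "Let's Encrypt" in the Certificates section and "Letsencrypt" in the note should match. "Let's Encrypt certificates are authorized by the Internet Security Research Group (ISRG Root X1)" is imprecise: ISRG is the issuing CA and ISRG Root X1 is its root, so "issued by the Internet Security Research Group and chained to its ISRG Root X1 root" reads more accurately. Finally, the Certificates note and the Secure Trunking note both say the web certificate is reused for the SBC; one statement is enough.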
Expand All @@ -41,11 +54,11 @@ Extensions may also connect securely to sipXcom's SIP proxy on port 5061 (defaul
- E.g. for Polycoms, under Security, select both Enable SRTP and Require SRTP

.. note::
* Unlike secure trunking, extensions use self-signed SSL certs as configured under SIP certs under Security settings.
* This means SIP extensions must have SSL cert validity checks disabled.
* Since SIP extension certificates are self generated, IP phones using TLS must have SSL cert validity checks disabled.

To check port 5061 is enabled to receive TLS connections, you may run the following command:
* .. code-block:: bash

.. code-block:: bash
openssl s_client -connect <sipXcom IP or domain>:5081
