Securing Calls with TLS and SRTP

Endpoints can connect to FreePBX over encrypted connections. This requires configuration on both the FreePBX server and the endpoint. These instructions assume that the server already has a valid certificate. If not, set up the server with a LetsEncrypt cert in Admin > Certificate Management.

Server Configuration

  • Go to Settings > Asterisk SIP Settings.

  • Click on the SIP Settings [chan_pjsip] tab.

    1. In the Misc PJSip Settings section, set Show Advanced Settings to Yes. Click Submit and Apply if the following sections do not show.

    2. In the TLS/SSL/SRTP Settings section, select the appropriate certificate in the Certificate Manager dropdown menu. Select tlsv1_2 as the SSL Method. Set Verify Client to No and Verify Server to Yes.

    3. In the Transports section, set tls - 0.0.0.0 - All to Yes.

    4. In the 0.0.0.0 (tls) section, verify that the Port to Listen On is set to 5061.

  • Click on the General SIP Settings tab.

    1. In the Security Settings section, set both Allow Anonymous Inbound SIP Calls and Allow SIP Guests to No.

    2. Set the Default TLS Port Assignment to PJSIP. If the PJSIP option is greyed out, try restarting Asterisk to ensure that the TLS settings from the previous section are loaded.

  • Restart Asterisk:

    1. Log into the server CLI.

    2. Run fwconsole stop to stop Asterisk.

    3. Run fwconsole start to start Asterisk.

  • Modify each extension that requires TLS support. Click on the Advanced tab when editing an extension.

    1. Set Transport to Auto or 0.0.0.0-tls.

    2. Set Media Encryption to SRTP via in-SDP (recommended).

    3. Set Allow Non-Encrypted Media (Opportunistic SRTP) to No.

    4. Set Direct Media to No.

    5. Verify that DTLS is disabled.
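As an added example (not part of this guide, and not FreePBX or Asterisk code), the following Python script parses a pjsip config fragment in the shape FreePBX writes to pjsip.transports.conf and pjsip.endpoint.conf and flags any TLS transport or extension that deviates from the settings above. The sample fragment and the extension number 201 are constructed for the demonstration.

```python
# Constructed sample in the shape FreePBX writes to pjsip.transports.conf and
# pjsip.endpoint.conf; it is not captured from a real system.
SAMPLE = """[0.0.0.0-tls]
type=transport
protocol=tls
bind=0.0.0.0:5061
method=tlsv1_2
verify_client=no
verify_server=yes
[201]
type=endpoint
media_encryption=sdes
media_encryption_optimistic=no
direct_media=no
"""

# Values the guide asks for, keyed by object type and pjsip option name
# (media_encryption=sdes is "SRTP via in-SDP"; optimistic=no refuses non-encrypted media).
EXPECTED = {
    "transport": {"bind": "0.0.0.0:5061", "method": "tlsv1_2",
                  "verify_client": "no", "verify_server": "yes"},
    "endpoint": {"media_encryption": "sdes", "media_encryption_optimistic": "no",
                 "direct_media": "no"},
}

def parse_sections(text):
    """[(name, {option: value})] in file order; duplicate names stay separate
    because Asterisk reuses one name for its endpoint/aor/auth objects."""
    sections = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()            # drop comments and blanks
        if line.startswith("[") and line.endswith("]"):
            sections.append((line[1:-1], {}))
        elif "=" in line and sections:
            key, value = line.split("=", 1)
            sections[-1][1][key.strip()] = value.strip()
    return sections

def audit(text):
    """Return 'section: option=actual (expected X)' for every deviation."""
    findings = []
    for name, opts in parse_sections(text):
        if opts.get("type") == "transport" and opts.get("protocol") != "tls":
            continue                                    # UDP/TCP transports are out of scope
        for opt, want in EXPECTED.get(opts.get("type"), {}).items():
            got = opts.get(opt, "<unset>")
            if got != want:
                findings.append(f"{name}: {opt}={got} (expected {want})")
    return findings
```

Run it against a copy of the generated files after Apply Config; an empty result means every TLS transport and extension matches the guide.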

Client Configuration

  • Set up the account with the usual SIP settings, but include these specific settings:

    1. Set SIP Transport to TLS.

    2. Set Local SIP Port to 5061.

    3. In Account > Advanced, set SRTP Mode or Media Encryption to SRTP Enabled and Required.

  • For Yealink T46S phones, copy the file certificate.pem from /etc/asterisk/keys/integration and install it:

    1. Go to Security > Server Certificates.

      • In the Module dropdown list, select SIP, then choose Custom1 Certificates in the Device Certificates dropdown box.

      • In the Import Server Certificates section, set the Import to field to Custom1. Then browse for the certificate.pem file and upload it. Finally, click Confirm.

    2. Go to Security > Trusted Certificates.

      • In the Module dropdown list, select SIP, then change Only Accept Trusted Certificates to Disabled.