Browsed by
Tag: sip

Secure enterprise SIP communication

Secure enterprise SIP communication

Enterprise communication systems are typically deployed within private networks, with Session Border Controllers (SBCs) or voice gateways installed at the network edge to facilitate external communication. Therefore, in most scenarios, enterprise communications remain highly secure. However, a growing number of businesses are now deploying SIP servers in the cloud, while an increasing volume of SIP terminals within enterprises are accessing these corporate SIP servers from external networks. This shift has exposed part (or all) of enterprise communication systems to public networks, making security concerns increasingly severe.

The security of enterprise SIP communication involves many aspects of the network system, such as firewalls. Focusing solely on the SIP communication itself, it must be encrypted to prevent the exposure of communication information to other network users. Encrypted SIP communication consists of two parts: (1) SIP message (signaling) encryption, and (2) voice stream (RTP) encryption, as illustrated in the figure below:

Secure enterprise SIP communication network topology

Certainly, enterprises can deploy VPNs to encrypt the entire network system — not just communication systems but also office systems and more. Encrypted SIP communication can also be established over a VPN. However, setting up an enterprise VPN involves relatively high costs and complex systems. This article focuses solely on encrypted SIP communication and does not cover other network security technologies such as VPNs.

SIP message encryption is achieved through “SIP over TLS.” Both cloud-based miniSIPServer, on-premises miniSIPServer, and miniSIPPhone support SIP over TLSv1.2 / TLSv1.3. Please refer to the online documentation for details, as this article will not elaborate further on this topic.

Voice streams are encrypted through SRTP transmission. The master key and master salt for SRTP are transmitted and negotiated via the SDP (RFC4568) in SIP messages. Therefore, only when SIP messages are encrypted can the critical information of SRTP be ensured not to be leaked. Simply encrypting voice streams with SRTP while transmitting SIP messages in plaintext cannot guarantee the overall security of SIP communication.

RFC4568 defines several cryptographic suites. Currently, we have chosen to support the default AES_CM_128_HMAC_SHA1_80 and do not yet support other encryption suites.

The SRTP protocol family includes numerous extensions. Currently, miniSIPServer and miniSIPPhone support the most fundamental RFC3711 protocol, which is also the basic SRTP protocol supported by the vast majority of SIP devices (including servers, PBXs, SBCs, and endpoints). DTLS-SRTP is not currently supported, primarily due to the following considerations: (1) SIP over TLS already ensures the security of the master key & salt, achieving an effect equivalent to that of DTLS; (2) although internet technologies like WebRTC widely adopt DTLS-SRTP, most SIP devices do not support it, which would lead to interoperability issues in the realm of enterprise SIP communication.

miniSIPServer and miniSIPPhone can enable SRTP by default without requiring additional configuration. Some SIP devices need explicit configuration to select SRTP. For example, when configuring an account in MicroSIP, the “Media Encryption” setting must be configured as follows:

MicroSIP SRTP configuration
Welcome! Debian 13 (Trixie)!

Welcome! Debian 13 (Trixie)!

Debian 13 (Trixie) was released yesterday. It is the latest stable version and quite suitable for business deployments. We are big fans of Debian, so we immediately run and test miniSIPServer on this system. All test cases are passed. Perfect!

Run miniSIPServer on Debian 13.

You can deploy enterprise VoIP network with Trixie, it is an exciting choice.

miniSIPPhone supports SIP over TCP/TLS

miniSIPPhone supports SIP over TCP/TLS

Yes, we upgrade miniSIPPhone. Again!

miniSIPPhone V10.10 can support SIP over TCP and TLS now. In the account configuration, there is a new item ‘Transport’ to indicate which transport should be used to connect to SIP server.

miniSIPPhone account configuration, including transport configuration.

If SIP is over TLS, the messages are encrypted. It is quite necessary for enterprise communication if the servers or clients are deployed in public networks. As we know cloud miniSIPServer can support SIP over TLS and all virtual servers are deployed in the public network, so if you deploy miniSIPPhone at the same time, it could be safer for the whole VoIP network.

Of course, miniSIPPhone can work with other SIP servers who can support SIP over TCP/TLS to build a complete and safe enterprise VoIP system.

Send or receive instant messages

Send or receive instant messages

The latest version of miniSIPPhone is released today to support two key features: (1) Contact, and (2) Instant messages.

It has a new window to create and manage contact list like belowing:

miniSIPServer contact list

In the contact window, you can select the target user and double click it to make a call out, or you can press ‘C’ key or click ‘Call’ button to do that.

If you want to send instant messages, you can select the target user and press ‘M’ key or click the ‘Message’ button, then you will get instant messages’ windows:

Instant message window on Windows system
Instant message window on Linux system

One instant message window is used for one user. Each window has three areas: (1) Display area. It displays both incoming messages and outgoing messages. (2) Input area. You can input the instant message content here, and press ‘Ctrl+Enter’ keys to send the message out. (3) ‘Send’ button. Click it to send the message out.

At this time, miniSIPPhone uses SIP-MESSAGE to send and receive instant messages, and can only support plain text messages, so you cannot insert images, files, audios and videos into the messages.

Of course, miniSIPPhone can run on Windows system and Linux system (including AMD64 and ARM64). In fact, the users in above figure run miniSIPPhone on different systems.

Hope you can enjoy it. 🙂

miniSIPPhone for Linux (Debian/Ubuntu)

miniSIPPhone for Linux (Debian/Ubuntu)

Finally, miniSIPPhone is upgraded to V10. The most important thing is that it can support Linux system now. Of course, the distro must be Debian or Ubuntu. As same as miniSIPServer, Debian must be V10 (Buster) or higher versions, and Ubuntu must be V18.04 (Bionic Beaver) or higher versions.

Both X86_64 (amd64) and ARM64 (AArch64) are supported.

It is quite easy to run SIP phone on Linux system now. Please visit our website to download the latest version:

For example, you download “msp_v10_amd64.deb” and install it with following command:

sudo dpkg --install msp_v10_amd64.deb

Then you can click the linker to run miniSIPPhone:

If you want to uninstall miniSIPPhone, you can run following command directly to remove it:

sudo apt remove minisipphone
Conference room and others

Conference room and others

miniSIPServer is upgraded to V60 which is the latest stable version for business development. The first big thing is “conference room” feature which provides conference calls for local users. At most 5 clients can join the same conference call. Please refer to the service document for more details. Cloud miniSIPServer is also upgraded to support this feature.

In another way, as we have posted in previous blog, several services are finally removed from local miniSIPServer, such as calling-card and call-shop. These features were important for some of our customers, but it is time to say good-bye now.

Refine miniSIPServer

Refine miniSIPServer

As we know, miniSIPServer was developed about 20 years ago. Lots of services and features are added into miniSIPServer to support more and more customers.

Recently we have reviewed all these services. Some services have so long history that we have to think whether they are suitable for current environments, for example call-shop, calling card, and so on.

Next version will focus on refining or clearing some services. miniSIPServer will step into next stage and be more faster, more stabler.

Run miniSIPServer on Ubuntu 24.04 LTS (Noble Numbat)

Run miniSIPServer on Ubuntu 24.04 LTS (Noble Numbat)

Ubuntu 24.04 is the latest LTS (long-term support) version, so it will be deployed widely in business environment. We install miniSIPServer on this important version and make some tests. The result is perfect! Please refer to the figure below.

Run miniSIPServer on Ubuntu 24.04

If you want to deploy a new VoIP network on Linux system, Ubuntu 24.04 could be a good choice.

Please refer to online document for more details about how to run miniSIPServer on Linux system.

Support TLSv1.3

Support TLSv1.3

miniSIPServer recently is upgraded to support TLSv1.3. This modification doesn’t affect configuration, so you need to do nothing if you upgrade your miniSIPServer to the latest versions.

Two modules could use TLS transport: (1) SIP server, and (2) Embeded HTTP server. If your SIP phones can support TLSv1.3, it is better to use TLSv1.3 to protect communication. Please refer to “SIP over TLS” document for more details. Both local miniSIPServer and cloud miniSIPServer can support SIP over TLSv1.3 now.

By default, miniSIPServer starts an embeded HTTP server for web management. If you want to manage it through the pubilc network, you have to enable TLS transport to protect HTTP information. In another way, most navigators, such as Chrome, Edge, Firefox and so on, can support TLSv1.3 now. Please refer to “web management” document to enable encrypted HTTP.

ARM64 and some modification

ARM64 and some modification

As we know, miniSIPServer has some versions for Raspberry Pi and they are all for armhf architecture. Recently, more and more customers ask us for miniSIPServer versions for ARM systems. Most are arm64 architecture, and the customers want to run miniSIPServer on ARM servers or cards.

So we change the specific miniSIPServer version for Pi to the common miniSIPServer version for ARM64. Of course, raspberry pi can support arm64 architecture too, so this modification can cover most ARM scenarios and devices, including Pi.

In another way, most customers want to run miniSIPServer command line version on their ARM servers or systems. That means it is unnecessary for them to have a GUI interface, and they only need ‘minisipserver-cli’. By default, miniSIPServer requires ‘qtbase5-dev’ package to provide GUI. In this scenario, the ‘qtbase5-dev’ package will not be necessary, so we move this package from ‘Depends’ section to ‘Suggests’ section of miniSIPServer’s deb-control.

If you want to run miniSIPServer with GUI, you can still install the libraries with the following command:

sudo apt install gcc g++ qtbase5-dev

If you only need a command line version, you can install the libraries without qtbase5-dev, like following:

sudo apt install gcc g++