Secure enterprise SIP communication

Enterprise communication systems are typically deployed inside private networks, with Session Border Controllers (SBCs) or voice gateways at the network edge to handle external calls. In that layout the bulk of enterprise communication is shielded from outside observers by the network boundary itself. However, a growing number of businesses now run their SIP servers in the cloud, and an increasing number of SIP terminals reach the corporate SIP server from external networks. This shift exposes part (or all) of the enterprise communication system to public networks, and the security concerns become correspondingly more serious.

The security of enterprise SIP communication touches many parts of the network, firewalls among them. Looking only at SIP itself, the traffic must be encrypted so that signaling and media are not exposed to anyone else on the path. Encrypted SIP communication consists of two parts: (1) SIP message (signaling) encryption, and (2) voice stream (RTP) encryption, as illustrated in the figure below:

Secure enterprise SIP communication network topology

Of course, enterprises can deploy VPNs to encrypt the entire network, not just the communication system but office systems and more, and encrypted SIP communication can run over a VPN as well. However, an enterprise VPN brings relatively high cost and complexity. This article focuses solely on encrypted SIP communication and does not cover other network security technologies such as VPNs.

SIP message encryption is achieved through "SIP over TLS". Cloud miniSIPServer, on-premises miniSIPServer and miniSIPPhone all support SIP over TLSv1.2 / TLSv1.3. Please refer to the online documentation for details; this article will not elaborate further on that topic.

Voice streams are encrypted by transmitting them as SRTP. The SRTP master key and master salt are carried in the SDP offer/answer inside the SIP messages, using the a=crypto attribute defined in RFC 4568 (SDES). Therefore the SRTP keying material is protected only when the SIP messages themselves are encrypted. Using SRTP while sending SIP in plaintext gives no real protection: anyone who can read the INVITE can read the key and decrypt the media.

RFC 4568 defines several crypto-suites. Currently we support only the default, AES_CM_128_HMAC_SHA1_80 (AES in counter mode with a 128-bit key, and an 80-bit HMAC-SHA1 authentication tag), and do not yet support the other suites.

The SRTP protocol family includes numerous extensions. Currently, miniSIPServer and miniSIPPhone support the base RFC 3711 protocol, which is also the SRTP variant supported by the vast majority of SIP devices (servers, PBXs, SBCs and endpoints). DTLS-SRTP is not currently supported, primarily for the following reasons: (1) SIP over TLS already protects the master key and salt on the wire, which for a phone talking directly to a trusted server gives an effect equivalent to DTLS; the difference is that SDES keys are visible to every SIP server that terminates TLS on the signaling path, whereas DTLS-SRTP negotiates keys end to end between the media endpoints, so intermediate SIP hops must be trusted. (2) Although internet technologies such as WebRTC widely adopt DTLS-SRTP, most SIP devices do not support it, which would lead to interoperability problems in enterprise SIP communication.
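
To make concrete what a plaintext INVITE hands to an observer, here is an added example, written for this page and not code from miniSIPServer, miniSIPPhone or the original post, that parses the RFC 4568 a=crypto attribute the way a passive sniffer would and recovers the master key and master salt for AES_CM_128_HMAC_SHA1_80. The SDP body, the 192.0.2.10 address and the key bytes are constructed for the example; the parser rejects any other crypto-suite, mirroring the single suite the server supports, and checks the 30-byte key||salt length and the optional lifetime and MKI parameters.

```go
package main

import (
	"bufio"
	"encoding/base64"
	"encoding/hex"
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// AES_CM_128_HMAC_SHA1_80 (RFC 4568 section 6.2) carries a 128-bit master key
// followed by a 112-bit master salt: 30 bytes, base64-encoded into 40 characters.
const (
	masterKeyLen  = 16
	masterSaltLen = 14
)

// CryptoAttr is the decoded form of one "a=crypto:" SDP line.
type CryptoAttr struct {
	Tag        int
	Suite      string
	MasterKey  []byte
	MasterSalt []byte
	Lifetime   string // optional, e.g. "2^20"; empty when absent
	MKI        string // optional "mki:length", e.g. "1:4"; empty when absent
}

// ParseCryptoLine parses
//   a=crypto:<tag> <crypto-suite> inline:<base64 key||salt>[|lifetime][|mki:len]
// and rejects anything outside the single suite discussed on this page.
func ParseCryptoLine(line string) (*CryptoAttr, error) {
	const prefix = "a=crypto:"
	line = strings.TrimSpace(line) // also drops the CR of CRLF line endings
	if !strings.HasPrefix(line, prefix) {
		return nil, errors.New("not an a=crypto line")
	}
	fields := strings.Fields(line[len(prefix):])
	if len(fields) < 3 {
		return nil, errors.New("a=crypto needs tag, crypto-suite and key-params")
	}
	tag, err := strconv.Atoi(fields[0])
	if err != nil || tag < 1 {
		return nil, fmt.Errorf("bad crypto tag %q", fields[0])
	}
	if fields[1] != "AES_CM_128_HMAC_SHA1_80" {
		return nil, fmt.Errorf("unsupported crypto-suite %q", fields[1])
	}
	if !strings.HasPrefix(fields[2], "inline:") {
		return nil, errors.New("inline: is the only key method defined by RFC 4568")
	}
	parts := strings.Split(strings.TrimPrefix(fields[2], "inline:"), "|")
	raw, err := base64.StdEncoding.DecodeString(parts[0])
	if err != nil {
		return nil, fmt.Errorf("key||salt is not valid base64: %w", err)
	}
	if len(raw) != masterKeyLen+masterSaltLen {
		return nil, fmt.Errorf("key||salt is %d bytes, want %d", len(raw), masterKeyLen+masterSaltLen)
	}
	attr := &CryptoAttr{Tag: tag, Suite: fields[1],
		MasterKey: raw[:masterKeyLen], MasterSalt: raw[masterKeyLen:]}
	for _, p := range parts[1:] {
		if strings.Contains(p, ":") {
			attr.MKI = p
		} else {
			attr.Lifetime = p
		}
	}
	return attr, nil
}

// ExtractCryptoAttrs scans an SDP body (as it appears in a plaintext INVITE)
// and returns every parseable a=crypto line.
func ExtractCryptoAttrs(sdp string) []*CryptoAttr {
	var out []*CryptoAttr
	sc := bufio.NewScanner(strings.NewReader(sdp))
	for sc.Scan() {
		if attr, err := ParseCryptoLine(sc.Text()); err == nil {
			out = append(out, attr)
		}
	}
	return out
}

// Constructed sample SDP offer (not a real capture); the key||salt encodes the
// ASCII bytes "0123456789abcdef" followed by "SaltSaltSaltSa".
const sampleSDP = `v=0
o=- 1 1 IN IP4 192.0.2.10
s=-
c=IN IP4 192.0.2.10
t=0 0
m=audio 4000 RTP/SAVP 0 8
a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:MDEyMzQ1Njc4OWFiY2RlZlNhbHRTYWx0U2FsdFNh|2^20|1:4
a=rtpmap:0 PCMU/8000
`

func main() {
	for _, a := range ExtractCryptoAttrs(sampleSDP) {
		fmt.Printf("tag=%d suite=%s\n  master key : %s\n  master salt: %s\n",
			a.Tag, a.Suite, hex.EncodeToString(a.MasterKey), hex.EncodeToString(a.MasterSalt))
	}
}
```

Everything this program needs is in the SDP text; if it can be run over an unencrypted capture, so can anyone else on the path, and the SRTP stream is then decryptable offline. That is the whole argument for putting the signaling inside TLS before relying on SRTP.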

miniSIPServer and miniSIPPhone enable SRTP by default without additional configuration. Some SIP devices need to be told explicitly to use SRTP. For example, when configuring an account in MicroSIP, the "Media Encryption" setting must be configured as follows:

MicroSIP SRTP configuration

miniSIPPhone supports SIP over TCP/TLS

Yes, we have upgraded miniSIPPhone. Again!

miniSIPPhone V10.10 now supports SIP over TCP and TLS. In the account configuration there is a new item, "Transport", which selects the transport used to connect to the SIP server.

miniSIPPhone account configuration, including transport configuration.

With SIP over TLS the messages are encrypted, which is essential for enterprise communication when servers or clients are deployed on public networks. Cloud miniSIPServer supports SIP over TLS and all of its virtual servers run on the public internet, so deploying miniSIPPhone alongside it makes the whole VoIP network safer.

Of course, miniSIPPhone also works with other SIP servers that support SIP over TCP/TLS to build a complete and secure enterprise VoIP system.

Support TLSv1.3

miniSIPServer has recently been upgraded to support TLSv1.3. This change does not affect configuration, so nothing needs to be done after upgrading miniSIPServer to the latest version.

Two modules can use TLS transport: (1) the SIP server, and (2) the embedded HTTP server. If your SIP phones support TLSv1.3, it is better to use TLSv1.3 to protect communication. Please refer to the "SIP over TLS" document for more details. Both local miniSIPServer and cloud miniSIPServer now support SIP over TLSv1.3.

By default, miniSIPServer starts an embedded HTTP server for web management. If you want to manage it over the public network, you must enable TLS transport to protect the HTTP traffic. Most browsers, such as Chrome, Edge and Firefox, support TLSv1.3 now. Please refer to the "web management" document to enable encrypted HTTP.

Security problem

OpenSSL has released new versions that fix several serious security problems. miniSIPServer uses the OpenSSL library to provide the SIP over TLS feature, so we have upgraded miniSIPServer to the V40 (20230221) versions, which are built against the latest OpenSSL library.

If you have deployed "SIP over TLS" in your VoIP network, we strongly recommend upgrading miniSIPServer to the latest version.

“SIP over TLS” enabled in cloud system

We have upgraded the cloud miniSIPServer system with several key features. The most important is "SIP over TLS".

By default, the cloud system opens TCP port 6060 to accept "SIP over TLS" connections, which encrypt the SIP messages. Note that this is not the conventional SIPS port 5061, so the port must be set explicitly in the phones' account configuration. The feature is available on all virtual servers without any additional fee or configuration.

SIP phones can now connect to cloud miniSIPServer nodes with "SIP over TLS", but "external line" and "SIP trunk" still work only over "SIP over UDP" with VoIP providers, so the trunk leg to the provider remains unencrypted.

This feature encrypts only SIP messages. If you want to encrypt media streams, such as audio and video, you need to enable SRTP in your SIP phones. By default, media streams bypass the server and are handled by the SIP phones themselves; cloud miniSIPServer does not process them.

Please see the online document "SIP over TLS" for more details.

Refine “SIP over TLS”

Some customers reported a crash to us. All of them had deployed "SIP over TLS" in their VoIP networks. We have upgraded miniSIPServer to V35 (build 20190313) with the following key modifications.

(1) In the latest miniSIPServer, the SSL library has been upgraded to the latest version.

(2) Only the TLSv1.2 method is kept; SSLv2, SSLv3, TLSv1 and TLSv1.1 have been removed. While investigating the customers' problems, we found that some attackers were trying to exploit SSLv3 weaknesses to break into MSS, so we removed all of these legacy methods to defend against that. In the future we will add other methods, such as TLSv1.3. For now, confirm that your SIP phones also support TLSv1.2 before deploying SIP over TLS.

We have also refined the "SIP over TLS" document to provide a simple demo of how to create the certificate files.
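
The version policy in (2) above, the later TLSv1.3 support, and the cloud system's TLS port all come down to one check a practitioner should run: which protocol versions does the server actually accept? Here is an added Go example, written for this page and not code from miniSIPServer, that starts an in-process TLS server with a minimum version of TLSv1.2 as a stand-in for a correctly configured MSS and then attempts one handshake per protocol version, so legacy versions show up as refused and modern ones as accepted. The self-signed certificate and the name sip.example.invalid are placeholders; in practice you would point Probe at the real host and SIP-over-TLS port (TCP 6060 on the cloud system, 5061 conventionally). SSLv2 and SSLv3 cannot be exercised from Go's crypto/tls at all, so confirming they are gone needs an external client such as openssl s_client.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// Versions a practitioner checks, oldest first. SSLv2/SSLv3 are absent because
// Go's crypto/tls cannot speak them; use an external tool for those.
var Versions = []uint16{tls.VersionTLS10, tls.VersionTLS11, tls.VersionTLS12, tls.VersionTLS13}

// selfSignedCert makes a throwaway certificate for the in-process server; a
// real SIP server presents a certificate the phones are configured to trust.
func selfSignedCert() (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "sip.example.invalid"}, // placeholder name
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, nil
}

// StartServer listens on a loopback port, accepts only minVersion and newer,
// completes each handshake and closes. It returns the address and a stop func.
func StartServer(minVersion uint16) (string, func(), error) {
	cert, err := selfSignedCert()
	if err != nil {
		return "", nil, err
	}
	cfg := &tls.Config{Certificates: []tls.Certificate{cert}, MinVersion: minVersion}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", cfg)
	if err != nil {
		return "", nil, err
	}
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil {
				return // listener closed
			}
			go func(c net.Conn) {
				defer c.Close()
				_ = c.(*tls.Conn).Handshake() // a refused version surfaces as an alert on the client
			}(c)
		}
	}()
	return ln.Addr().String(), func() { ln.Close() }, nil
}

// Probe attempts a handshake with addr using exactly one protocol version and
// reports whether the server accepted it.
func Probe(addr string, version uint16) bool {
	cfg := &tls.Config{
		MinVersion:         version,
		MaxVersion:         version,
		InsecureSkipVerify: true, // version policy is under test, not the certificate chain
	}
	d := net.Dialer{Timeout: 3 * time.Second}
	conn, err := tls.DialWithDialer(&d, "tcp", addr, cfg)
	if err != nil {
		return false
	}
	conn.Close()
	return true
}

func main() {
	// Stand-in for a miniSIPServer configured for TLSv1.2+. Point Probe at a real
	// host:port (the cloud system's TCP 6060, for example) to audit a deployment.
	addr, stop, err := StartServer(tls.VersionTLS12)
	if err != nil {
		panic(err)
	}
	defer stop()
	names := map[uint16]string{tls.VersionTLS10: "TLSv1.0", tls.VersionTLS11: "TLSv1.1",
		tls.VersionTLS12: "TLSv1.2", tls.VersionTLS13: "TLSv1.3"}
	for _, v := range Versions {
		fmt.Printf("%-8s accepted=%v\n", names[v], Probe(addr, v))
	}
}
```

Expected output against a server that keeps only TLSv1.2 and newer is TLSv1.0 and TLSv1.1 refused, TLSv1.2 and TLSv1.3 accepted. If TLSv1.0 or TLSv1.1 comes back accepted on a production server, the legacy methods have not actually been removed, whatever the configuration says; the same probe can be run against the embedded HTTP management port once TLS is enabled there.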

MYVOIPAPP.com is HTTPs enabled now.

We spent the past week migrating our official website to new cloud computing systems, and at the same time we enabled HTTPS for the website by default.

Now, when you visit our website over HTTP, the connection is redirected to HTTPS automatically. This protects the communication between you and our website against eavesdropping and tampering.

Since the system is now built on new cloud infrastructure, it should be more stable and faster. If you have any problems visiting our website, please let us know. We appreciate it.