Asterisk TLS & SRTP Encryption Setup

Secure your Asterisk SIP signaling with TLS and encrypt voice media with SRTP for fully encrypted VoIP calls

Why Encrypt SIP/RTP?

By default, SIP signaling and RTP audio are sent in plaintext. Anyone with network access can intercept and read SIP messages (including credentials) and record voice calls using tools like Wireshark or tcpdump.

Protocol                       | What It Encrypts                                       | Port
TLS (Transport Layer Security) | SIP signaling messages (INVITE, REGISTER, credentials)  | 5061 (SIPS)
SRTP (Secure RTP)              | RTP voice/video media streams                          | Same as RTP (10000-20000)
DTLS-SRTP                      | Media encryption for WebRTC (key exchange via DTLS)    | Same as RTP

Important: TLS alone only encrypts signaling. Without SRTP, the actual voice audio is still in plaintext. You need both TLS + SRTP for full encryption.

Step 1: Generate TLS Certificates

Option A: Self-Signed Certificate (Quick Setup)

# Create certificate directory
mkdir -p /etc/asterisk/keys
cd /etc/asterisk/keys

# Generate CA (Certificate Authority) key and certificate
openssl genrsa -out ca.key 4096
openssl req -new -x509 -days 3650 -key ca.key -out ca.crt \
  -subj "/CN=Asterisk CA/O=My Company/C=US"

# Generate Asterisk server key and CSR
openssl genrsa -out asterisk.key 2048
openssl req -new -key asterisk.key -out asterisk.csr \
  -subj "/CN=pbx.example.com/O=My Company/C=US"

# Sign the server certificate with our CA
openssl x509 -req -days 3650 -in asterisk.csr \
  -CA ca.crt -CAkey ca.key -CAcreateserial \
  -out asterisk.crt

# Clients must trust ca.crt (install it on each phone/softphone); otherwise
# their handshake fails with "certificate verify failed"

# Create combined PEM file (key + cert)
cat asterisk.key asterisk.crt > asterisk.pem

# Set permissions
chown asterisk:asterisk /etc/asterisk/keys/*
chmod 600 /etc/asterisk/keys/*.key
chmod 600 /etc/asterisk/keys/*.pem

Option B: Let's Encrypt (Production Recommended)

# Install certbot
apt-get install certbot

# Get certificate (your domain must point to this server)
certbot certonly --standalone -d pbx.example.com

# Certificates are stored in:
# /etc/letsencrypt/live/pbx.example.com/fullchain.pem
# /etc/letsencrypt/live/pbx.example.com/privkey.pem

# Copy into place for Asterisk (it needs read access, and /etc/letsencrypt/live
# is root-only by default):
cp /etc/letsencrypt/live/pbx.example.com/fullchain.pem \
   /etc/asterisk/keys/asterisk.crt
cp /etc/letsencrypt/live/pbx.example.com/privkey.pem \
   /etc/asterisk/keys/asterisk.key
cat /etc/asterisk/keys/asterisk.key \
    /etc/asterisk/keys/asterisk.crt > /etc/asterisk/keys/asterisk.pem
chown asterisk:asterisk /etc/asterisk/keys/*
chmod 600 /etc/asterisk/keys/asterisk.key /etc/asterisk/keys/asterisk.pem

# Set up a deploy hook so every renewal copies the new certs and reloads Asterisk.
# Save the following as /etc/letsencrypt/renewal-hooks/deploy/asterisk.sh
# and make it executable (chmod +x):
#!/bin/bash
set -e
cp /etc/letsencrypt/live/pbx.example.com/fullchain.pem /etc/asterisk/keys/asterisk.crt
cp /etc/letsencrypt/live/pbx.example.com/privkey.pem /etc/asterisk/keys/asterisk.key
cat /etc/asterisk/keys/asterisk.key /etc/asterisk/keys/asterisk.crt > /etc/asterisk/keys/asterisk.pem
chown asterisk:asterisk /etc/asterisk/keys/*
chmod 600 /etc/asterisk/keys/asterisk.key /etc/asterisk/keys/asterisk.pem
asterisk -rx "core reload"

Step 2: Configure PJSIP TLS Transport

; In pjsip.conf:

; Keep the UDP transport for non-encrypted clients
[transport-udp]
type=transport
protocol=udp
bind=0.0.0.0:5060

; Add TLS transport
[transport-tls]
type=transport
protocol=tls
bind=0.0.0.0:5061
cert_file=/etc/asterisk/keys/asterisk.crt
priv_key_file=/etc/asterisk/keys/asterisk.key
ca_list_file=/etc/asterisk/keys/ca.crt
; For Let's Encrypt, use system CA:
; ca_list_file=/etc/ssl/certs/ca-certificates.crt

; TLS method: tlsv1_2 pins this transport to TLS 1.2 (it selects that exact
; version, it is not a minimum). Never use sslv2, sslv3 or tlsv1.
method=tlsv1_2

; Certificate verification (both default to no):
;   verify_server=yes - verify the certificate of servers this transport connects out to
;   verify_client=yes - verify certificates presented by clients; add
;                       require_client_cert=yes to demand one (mutual TLS)
; verify_client=no
; verify_server=no

; Cipher list (use strong ciphers only)
; cipher=ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256

; WebSocket Secure transport (for WebRTC). Asterisk serves WSS through its
; built-in HTTP server, so the listening port, certificate and key come from
; http.conf rather than from this section; set there:
;   [general]
;   enabled=yes
;   tlsenable=yes
;   tlsbindaddr=0.0.0.0:8089
;   tlscertfile=/etc/asterisk/keys/asterisk.pem
;   tlsprivatekey=/etc/asterisk/keys/asterisk.key
[transport-wss]
type=transport
protocol=wss
bind=0.0.0.0:8089
; Other transport parameters (cert_file, priv_key_file, ca_list_file, method)
; are ignored for wss transports

Step 3: Enable SRTP Media Encryption

; In pjsip.conf - per endpoint:
[secure-phone]
type=endpoint
transport=transport-tls
context=internal
disallow=all
allow=ulaw
allow=alaw

; Enable SRTP (SDES key exchange over TLS signaling)
media_encryption=sdes
; Options:
;   no       - No SRTP (default)
;   sdes     - SDES key exchange: the SRTP keys travel inside the SDP, so the
;              signaling must be TLS or the keys are exposed on the wire
;   dtls     - DTLS-SRTP (for WebRTC): keys are derived from a DTLS handshake
;              in the media path, authenticated by the fingerprint in the SDP

; Require encryption (reject unencrypted calls)
media_encryption_optimistic=no
; Set to "yes" to allow fallback to unencrypted if peer doesn't support it

; For WebRTC endpoints (DTLS-SRTP):
[webrtc-endpoint]
type=endpoint
transport=transport-wss
context=internal
disallow=all
allow=opus
allow=ulaw
media_encryption=dtls
dtls_auto_generate_cert=yes
; Or specify certificates:
; dtls_cert_file=/etc/asterisk/keys/asterisk.pem
; dtls_ca_file=/etc/asterisk/keys/ca.crt
; dtls_setup=actpass
; dtls_verify=fingerprint
webrtc=yes

chan_sip SRTP (Legacy; chan_sip was deprecated in Asterisk 17 and removed in Asterisk 21):

; In sip.conf:
[general]
tlsenable=yes
tlsbindaddr=0.0.0.0:5061
tlscertfile=/etc/asterisk/keys/asterisk.pem
tlscafile=/etc/asterisk/keys/ca.crt
tlscipher=ALL
tlsclientmethod=tlsv1_2

[secure-phone]
type=friend
transport=tls
encryption=yes       ; Require SRTP
encryption_taglen=32 ; SRTP auth tag length
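To see how the media_encryption and media_encryption_optimistic settings above play out on a real offer, here is a small inspector for the SDP that "pjsip set logger on" prints. It is an added example, not Asterisk code or part of the original page; the three SDP bodies and the inline key/fingerprint values are constructed placeholders. It classifies an offer as sdes, dtls or none and then decides what an endpoint with a given policy would do, which is also the situation behind the "crypto attribute not found" entry in the troubleshooting list.

```python
# Constructed SDP offers, modelled on what "pjsip set logger on" prints;
# sample data for this example, not captures from a real PBX.
SDP_SDES = ("v=0\r\no=- 1 1 IN IP4 192.0.2.10\r\ns=-\r\nc=IN IP4 192.0.2.10\r\nt=0 0\r\n"
            "m=audio 10002 RTP/SAVP 0 8\r\n"
            "a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:PLACEHOLDERKEYPLACEHOLDERKEYPLACEHOLDER\r\n")
SDP_DTLS = ("v=0\r\no=- 2 1 IN IP4 192.0.2.20\r\ns=-\r\nc=IN IP4 192.0.2.20\r\nt=0 0\r\n"
            "m=audio 10004 UDP/TLS/RTP/SAVPF 111 0\r\n"
            "a=fingerprint:sha-256 00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF\r\n"
            "a=setup:actpass\r\n")
SDP_PLAIN = ("v=0\r\no=- 3 1 IN IP4 192.0.2.30\r\ns=-\r\nc=IN IP4 192.0.2.30\r\nt=0 0\r\n"
             "m=audio 10006 RTP/AVP 0 8\r\n")


def classify_media(sdp):
    """Return the SRTP mode offered on the first audio m-line: 'sdes', 'dtls'
    or 'none', using the same names as the media_encryption option."""
    lines = sdp.split("\r\n")
    mline = next((l for l in lines if l.startswith("m=audio ")), None)
    if mline is None:
        raise ValueError("no audio m-line in SDP")
    proto = mline.split()[2]  # RTP/AVP, RTP/SAVP, UDP/TLS/RTP/SAVPF, ...
    has_crypto = any(l.startswith("a=crypto:") for l in lines)
    has_fingerprint = any(l.startswith("a=fingerprint:") for l in lines)
    if proto == "RTP/SAVP" and has_crypto:
        return "sdes"
    if proto in ("UDP/TLS/RTP/SAVP", "UDP/TLS/RTP/SAVPF") and has_fingerprint:
        return "dtls"
    return "none"


def accept_offer(sdp, media_encryption, optimistic=False):
    """Decide what an endpoint with media_encryption=<mode> and
    media_encryption_optimistic=<optimistic> does with the offer.
    Returns (accepted, reason)."""
    offered = classify_media(sdp)
    if media_encryption == "no":
        return True, "endpoint does not use SRTP; plain RTP"
    if offered == media_encryption:
        return True, f"{offered} SRTP negotiated"
    if optimistic:
        return True, "peer offered no usable crypto; falling back to plain RTP (optimistic)"
    # This is the case behind the "crypto attribute not found" log line.
    return False, "crypto attribute not found; call rejected"


if __name__ == "__main__":
    for name, sdp in (("SDES", SDP_SDES), ("DTLS", SDP_DTLS), ("plain", SDP_PLAIN)):
        print(name, accept_offer(sdp, "sdes"), accept_offer(sdp, "sdes", optimistic=True))
```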

Step 4: Firewall Rules for TLS

# Open TLS SIP port (in addition to standard SIP port)
iptables -A INPUT -p tcp --dport 5061 -j ACCEPT

# Open WebSocket Secure port (for WebRTC)
iptables -A INPUT -p tcp --dport 8089 -j ACCEPT

# RTP ports remain the same (SRTP uses same ports as RTP)
iptables -A INPUT -p udp --dport 10000:20000 -j ACCEPT

# Optional: Block unencrypted SIP to force TLS
# iptables -A INPUT -p udp --dport 5060 -j DROP
# iptables -A INPUT -p tcp --dport 5060 -j DROP

Troubleshooting TLS/SRTP

# Verify TLS transport is loaded
asterisk -rx "pjsip show transports"

# Test TLS connectivity from external machine
openssl s_client -connect pbx.example.com:5061

# Check certificate validity
openssl x509 -in /etc/asterisk/keys/asterisk.crt -text -noout

# Check certificate expiry
openssl x509 -in /etc/asterisk/keys/asterisk.crt -enddate -noout

# Enable debug for TLS issues
asterisk -rx "pjsip set logger on"
asterisk -rx "core set debug 5"

# Common errors and fixes:
# "SSL routines:ssl3_get_record:wrong version number"
#   -> Client connecting with TLS to non-TLS port (5060 vs 5061)

# "certificate verify failed"
#   -> CA certificate not trusted; add ca_list_file or set verify_server=no

# "unable to get local issuer certificate"
#   -> Missing intermediate CA cert; use fullchain.pem not just cert.pem

# "no shared cipher"
#   -> TLS version or cipher mismatch; try method=tlsv1_2

# SRTP "crypto attribute not found"
#   -> Remote side does not support SRTP; set media_encryption_optimistic=yes
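The openssl s_client check above tells you whether the handshake works; the following probe, an added example rather than code from the page or from Asterisk, goes one step further and reports the negotiated TLS version, cipher and days until certificate expiry, mapping handshake failures onto the errors listed above. The host name pbx.example.com, the cafile argument (ca.crt for the self-signed setup, None for the system store with Let's Encrypt) and the 14-day warning threshold are assumptions for this example.

```python
import socket
import ssl
import sys
import time


def probe_sips(host, port=5061, cafile=None, timeout=5.0):
    """TLS-connect to the SIPS transport and report what was negotiated.
    cafile: CA that signed asterisk.crt (ca.crt for self-signed); None uses
    the system trust store, which is right for Let's Encrypt."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuse anything older
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return {"version": tls.version(),
                        "cipher": tls.cipher()[0],
                        "days_left": days_until_expiry(tls.getpeercert())}
    except ssl.SSLError as exc:
        # e.g. "wrong version number" when pointed at 5060 instead of 5061,
        # or "certificate verify failed" when cafile is wrong/missing
        return {"error": exc.reason or str(exc)}


def days_until_expiry(cert, now=None):
    """cert is the dict from getpeercert(); its notAfter field looks like
    'Jun  1 12:00:00 2026 GMT'. now is an epoch timestamp (default: current)."""
    expires = ssl.cert_time_to_seconds(cert["notAfter"])
    now = time.time() if now is None else now
    return int((expires - now) // 86400)


def assess(result, min_days=14):
    """Return the findings worth acting on (empty list means all good)."""
    if "error" in result:
        return [f"handshake failed: {result['error']}"]
    findings = []
    if result["version"] not in ("TLSv1.2", "TLSv1.3"):
        findings.append(f"weak protocol negotiated: {result['version']}")
    if result["days_left"] < min_days:
        findings.append(f"certificate expires in {result['days_left']} days")
    return findings


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "pbx.example.com"
    cafile = sys.argv[2] if len(sys.argv) > 2 else None
    res = probe_sips(host, cafile=cafile)
    print(res, assess(res) or "OK")
```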