3CX Trunk TLS and SRTP Functionality

Introduction

3CX supports TLS authentication and SRTP for supported providers that were tested and are compatible with the 3CX SIP engine. Not all providers that support TLS and SRTP can work with 3CX as not all implementations are the same.

TLS

Limitations

  • 3CX supports only authentication-based providers for TLS. IP-based providers are not supported.
  • Mutual authentication is not supported, as 3CX needs to be the UAC in every TLS handshake.
  • Wildcard certificates are not supported. The certificate must match the provider's FQDN exactly.
  • The provider must use an FQDN; IP addresses are not supported for TLS. If the provider also uses a proxy address, that must also be an FQDN.

How it works

Setting up the trunk

There are a few steps and guidelines that need to be followed in order to get your SIP trunk to use TLS. The following steps assume that you already have an authentication-based trunk configured and running.

3CX supported providers include instructions on how to enable TLS in their respective configuration guides.

Set the transport protocol to TLS

  • Switch the transport mode to TLS under the “Options” tab of your trunk settings.

  • A new option will appear that will request to upload a certificate. You will need to upload the root certificate that was used to sign the provider's certificate. If the provider's certificate is self-signed, then you will need that self-signed certificate. You can usually download the certificate from the provider's configuration guide or request it directly from your provider.
  • If the provider does not have NAPTR / SRV records for TLS, you need to set the port manually next to the “Registrar” or “Outbound Proxy” value to the TLS port of your provider (usually 5061); otherwise leave the “Auto Discovery” option checked.
  • Press “OK” to confirm your changes.

Under the hood

Assuming you followed the above steps correctly (and perhaps a few extra steps specific to your provider) the trunk is now set up. So what happens now?

  • The PBX will perform a DNS query for TLS records (NAPTR / SRV, or the manually set port) and will establish a target.
  • A TCP connection will be attempted by the PBX towards the target IP.
  • Assuming the TCP connection was successful, the PBX will initiate a TLS handshake acting as the user agent client (UAC) and will send a Client Hello message.
  • The provider will then send a Server Hello message back to 3CX along with other information, including its certificate chain, the common name (CN) of the certificate and any subject alternative names (SANs).
  • The PBX will try to match that common name with the “Registrar” value used in the provider's settings.
  • It will also try to verify the certificate chain using the root certificate added in the previous steps.
  • If everything checks out then an encrypted registration message will be sent out to the provider.
  • Assuming the registration is also successful, all subsequent communication between the provider and your PBX will be performed using the established TLS connection.

There is a lot more data sent between the provider and the PBX during a TLS handshake but the above steps cover the basic procedure followed during a TLS handshake. If the TLS connection goes down then the same procedure will be followed before the next registration attempt of the PBX.

Troubleshooting

  • For TLS to be attempted by the PBX, the “Secure SIP/TLS” setting of the PBX must be enabled and the Certificate and Private Key values filled in correctly. The setting is located under the “Security → Secure SIP” menu of the PBX. This is on by default, but it is worth checking in the event that the PBX does not initiate a TLS request.
  • In some cases an intermediate certificate may be missing from the Server Hello, so it may be necessary to append it to the certificate file uploaded to the PBX.
  • Make sure your provider meets all requirements mentioned above.
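The following check is an added example and not part of 3CX or this guide: it reproduces the two verifications described under “Under the hood” (chain validation against the uploaded root only, and an exact, non-wildcard match of the certificate's CN/SANs against the Registrar FQDN) so that a failing handshake can be diagnosed from a workstation before touching the trunk. The registrar host, port and root file are assumed inputs; only the name-matching helpers run offline.

```python
import ipaddress
import socket
import ssl


def is_fqdn(host):
    """3CX only does TLS to an FQDN; an IP literal (or a bare label) is rejected."""
    try:
        ipaddress.ip_address(host)
        return False
    except ValueError:
        return "." in host and not host.endswith(".")


def names_from_cert(cert):
    """Collect the CN and DNS SANs from a cert dict as ssl.SSLSocket.getpeercert() returns it."""
    names = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    names += [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    return names


def matches_registrar(registrar, cert):
    """Exact (case-insensitive) match of the Registrar FQDN against CN/SANs.
    Wildcard names are skipped, not expanded: the PBX does not accept wildcard certs."""
    if not is_fqdn(registrar):
        return False
    wanted = registrar.lower()
    return any(n.lower() == wanted for n in names_from_cert(cert) if not n.startswith("*."))


def check_trunk_tls(registrar, port, root_ca_file, timeout=5.0):
    """Act as the UAC: TCP connect, TLS handshake, verify the chain against the uploaded
    root only (no system CA store), then apply the exact-name rule. Sends no SIP."""
    ctx = ssl.create_default_context(cafile=root_ca_file)
    ctx.check_hostname = False          # the stricter exact-match rule is applied below
    ctx.verify_mode = ssl.CERT_REQUIRED
    try:
        with socket.create_connection((registrar, port), timeout=timeout) as tcp:
            with ctx.wrap_socket(tcp, server_hostname=registrar) as tls:
                cert = tls.getpeercert()
    except ssl.SSLCertVerificationError as exc:
        # Typical cause: an intermediate missing from both the Server Hello and the uploaded file
        return {"chain_ok": False, "name_ok": False, "error": str(exc)}
    return {"chain_ok": True, "name_ok": matches_registrar(registrar, cert),
            "names": names_from_cert(cert)}
```

A `chain_ok: False` result with a verification error points at the missing-intermediate case above; `chain_ok: True, name_ok: False` means the certificate verified but none of its names equals the Registrar value exactly.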

SRTP

Introduction to SRTP

3CX provides the ability to use SRTP either alongside TLS or by itself. It works for all types of providers (if supported by them), and it does not matter whether your provider uses an FQDN or an IP address. It is used to encrypt audio, and the negotiation is done per call between the two ends. It does not encrypt SIP messages, so it is commonly used to complement TLS by adding an additional layer of security. Not all providers support it, however, so make sure your provider supports it before enabling it.

What do these mean?

There are 3 SRTP settings to choose from in 3CX that are made to suit most providers.

Select the SRTP mode

Disabled

This option disables SRTP for the trunk so calls will never be negotiated with SRTP.

Enabled

This enables SRTP so the PBX can negotiate SRTP on both inbound and outbound calls but retains the ability to negotiate non-secure RTP if necessary. For outbound calls this means that the PBX will give the provider the option by offering both secure (SRTP) and non-secure RTP. It is up to the provider to choose between the two and reply accordingly. For inbound calls it means that the PBX will accept both secure and non-secure RTP. If the provider offers both, then the PBX will try to select the secure audio.

Enforced

This enables SRTP for the trunk but forces the trunk to only offer and accept SRTP. For outbound calls the PBX will only include SRTP in its offer to the provider; if the provider declines the offer, the call will fail. For inbound calls the PBX will only accept SRTP offers; if there is no SRTP offer from the provider, the call will drop.

The “Enforced” option is used by providers that do not support double offers and by users that want to be sure that their audio is encrypted.
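As an added illustration (not 3CX code, and the page does not show the PBX's real SDP), the three modes can be modelled as the set of SDP transport profiles the PBX is willing to offer and accept; representing the “double offer” as two m=audio lines is an assumption made for this model.

```python
# Constructed, simplified model of the three SRTP modes. Profiles use the SDP names
# RTP/AVP (plain RTP) and RTP/SAVP (SRTP). Modelling 3CX's "double offer" as two
# m=audio lines is an assumption; the guide does not show the actual SDP.
AVP, SAVP = "RTP/AVP", "RTP/SAVP"

OFFER_BY_MODE = {
    "Disabled": [AVP],          # never negotiate SRTP
    "Enabled": [SAVP, AVP],     # double offer: the provider chooses
    "Enforced": [SAVP],         # SRTP or the call fails
}


def build_offer(mode, port=7000):
    """Build the m=audio lines the PBX sends in an outbound offer for the given mode."""
    return [f"m=audio {port} {profile} 0 8" for profile in OFFER_BY_MODE[mode]]


def offered_profiles(sdp_lines):
    """Transport profiles present in the m=audio lines of an SDP body."""
    return [line.split()[2] for line in sdp_lines if line.startswith("m=audio ")]


def outbound_outcome(mode, provider_choice):
    """Outbound call: the provider answers with one profile (None = declined).
    Returns the negotiated profile, or None when the call fails."""
    return provider_choice if provider_choice in OFFER_BY_MODE[mode] else None


def answer_inbound(mode, sdp_lines):
    """Inbound call: choose the profile to answer with, or None to drop the call.
    Enabled prefers SRTP when both are offered; Enforced accepts SRTP only;
    Disabled with an SRTP-only offer is treated as a failed call (assumption)."""
    offered = offered_profiles(sdp_lines)
    for profile in OFFER_BY_MODE[mode]:   # list order encodes the preference
        if profile in offered:
            return profile
    return None


# Constructed provider offers (keys omitted; a real RTP/SAVP line is accompanied by a=crypto)
PROVIDER_OFFERS_BOTH = ["v=0", "c=IN IP4 203.0.113.10",
                        "m=audio 4000 RTP/SAVP 0 8", "m=audio 4002 RTP/AVP 0 8"]
PROVIDER_OFFERS_PLAIN = ["v=0", "c=IN IP4 203.0.113.10", "m=audio 4000 RTP/AVP 0 8"]
```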

Setup

Enabling SRTP is pretty straightforward and it is done per trunk for extra flexibility. All you have to do is:

  • Navigate to your trunk settings → Options and locate the option SRTP Mode.
  • Select the correct option for your provider and click OK on the top to save your configuration.

The next inbound or outbound call will be negotiated with SRTP according to the option you selected.

Last Updated

This document was last updated on 25 July 2024

https://www.3cx.com/docs/sip-trunk-tls-srtp/