Versions Compared


  • This line was added.
  • This line was removed.
  • Formatting was changed.

Table of Contents



This tutorial makes use of SRTP and TLS. SRTP support was added in Asterisk 1.8, TLS was added in 1.6.

So you'd like to make some secure calls.

Here's how to do it, using Blink, a SIP soft client for Mac OS X, Windows, and Linux. You can find some brief instructions for installing Blink on Ubuntu on the wiki.

These instructions assume that you're running as the root user (sudo su -).

Part 1 (TLS)

Transport Layer Security (TLS) provides encryption for call signaling. It's a practical way to prevent people who aren't Asterisk from knowing who you're calling. Setting up TLS between Asterisk and a SIP client involves creating key files, modifying Asterisk's SIP configuration to enable TLS, creating a SIP peer that's capable of TLS, and modifying the SIP client to connect to Asterisk over TLS.


First, let's make a place for our keys.

No Format

mkdir /etc/asterisk/keys

Next, use the "ast_tls_cert" script in the "contrib/scripts" Asterisk source directory to make a self-signed certificate authority and an Asterisk certificate.

No Format

./ast_tls_cert -C -O "My Super Company" -d /etc/asterisk/keys -b 2048
  • The "-C" option is used to define our host - DNS name or our IP address.
  • The "-O" option defines our organizational name.
  • The "-d" option is the output directory of the keys.
  • The "-b" option specifies the size of the private key file, default is 1024 unless on master branch.
  1. You'll be asked to enter a pass phrase for /etc/asterisk/keys/ca.key, put in something that you'll remember for later.
  2. This will create the /etc/asterisk/keys/ca.crt file.
  3. You'll be asked to enter the pass phrase again, and then the /etc/asterisk/keys/asterisk.key file will be created.
  4. The /etc/asterisk/keys/asterisk.crt file will be automatically generated.
  5. You'll be asked to enter the pass phrase a third time, and the /etc/asterisk/keys/asterisk.pem will be created, a combination of the asterisk.key and asterisk.crt files.

Next, we generate a client certificate for our SIP device.

No Format

./ast_tls_cert -m client -c /etc/asterisk/keys/ca.crt -k /etc/asterisk/keys/ca.key -C -O "My Super Company" -d /etc/asterisk/keys -o malcolm -b 2048
  • The "-m client" option tells the script that we want a client certificate, not a server certificate.
  • The "-c /etc/asterisk/keys/ca.crt" option specifies which Certificate Authority (ourselves) that we're using.
  • The "-k /etc/asterisk/keys/ca.key" provides the key for the above-defined Certificate Authority.
  • The "-C" option, since we're defining a client this time, is used to define the hostname or IP address of our SIP phone
  • The "-O" option defines our organizational name.
  • The "-d" option is the output directory of the keys."
  • The "-o" option is the name of the key we're outputting.
  • The "-b" option specifies the size of the private key file, default is 1024 unless on master branch.
  1. You'll be asked to enter the pass phrase from before to unlock /etc/asterisk/keys/ca.key.

Now, let's check the keys directory to see if all of the files we've built are there. You should have:

No Format


Next, copy the malcolm.pem and ca.crt files to the computer running the Blink soft client.

title.p12 Client Certificates

If your client requires a .p12 certificate file instead, you can generate that using openssl like:

Code Block
# openssl pkcs12 -export -out MySuperClientCert.p12 -inkey ca.key -in ca.crt -certfile asterisk.crt 


Asterisk chan_pjsip configuration

Now, let's configure Asterisk's PJSIP channel driver to use TLS.

In the sippjsip.conf configuration file, set the followingyou'll need to enable a TLS-capable transport.  An example of one would resemble:

No Format
tlsclientmethod=tlsv1 ;none of the others seem to work with Blink as the client

Note the protocolcert_filepriv_key_file, and method options.  Here, we're using the TLS protocol, we're specifying the keys that we generated earlier for cert_file and priv_key_file and we're setting the method to SSLv23.

Next, you'll need to configure a TLS-capable endpoint.  An example of one would resemble:

No Format

Note the media_encryption option for the endpoint.  In this case, we've configured an endpoint that will be using SDES encryption for RTP.

You might be tempted to add a transport=transport-tls to the endpoint but in pjproject versions at least as late as 2.4.5, this will cause issues like Connection refused in a few situations.  Let pjproject do the transport selection on its own.  If you still see issues, set rewrite_contact = yes in the endpoint configuration.

Asterisk chan_sip configuration

Or, if you are using chan_sip, you can use the following to assist.

In the sip.conf configuration file, set the following:

No Format

Here, we're enabling TLS support.
We're binding it to our local IPv4 wildcard (the port defaults to 5061 for TLS).
We've set the TLS certificate file to the one we created above.
We've set the Certificate Authority to the one we created above. TLS Ciphers have been set to ALL, since it's the most permissive.
And we've set the TLS client method to TLSv1, since that's the preferred one for RFCs and for most clients.

Next, you'll need to configure a SIP peer within Asterisk to use TLS as a transport type. Here's an example:

No Format

secret=malcolm ;note that this is NOT a secure password

Notice the transport option. The Asterisk SIP channel driver supports three types: udp, tcp and tls. Since we're configuring for TLS, we'll set that. It's also possible to list several supported transport types for the peer by separating them with commas.

Configuring a TLS-enabled SIP client to talk to Asterisk

Next, we'll configure Blink.


Then, we need to modify the Account Preferences, and under the SIP Settings, we need to set the outbound proxy to connect to the TLS port and transport type on our Asterisk server. In this case, there's an Asterisk server running on port 5061 on host

Now, we need to point the TLS account settings to the client certificate (malcolm.pem) that we copied to our computer.


Depending on your Asterisk CLI logging levels, you should see something like:

No Format
   -- Registered SIP 'malcolm' at
     > Saved useragent "Blink 0.22.2 (MacOSX)" for peer malcolm


Now, make a call. You should see a small secure lockbox in your Blink calling window to indicate that the call was made using secure (TLS) signaling:

Problems with server verification

If the host or IP you used for the common name on your cert doesn't match up with your server then you may run into problems when your client is calling Asterisk. Make sure the client is configured to not verify the server against the cert.

When calling from Asterisk to Blink or another client, you might run into an ERROR on the Asterisk CLI similar to this:

No Format
[Jan 29 16:04:11] DEBUG[11217]: tcptls.c:248 handle_tcptls_connection:  SSL Common Name compare s1='' s2=''
[Jan 29 16:04:11] ERROR[11217]: tcptls.c:256 handle_tcptls_connection: Certificate common name did not match (

This is the opposite scenario, where Asterisk is acting as the client and by default attempting to verify the destination server against the cert.

You can set tlsdontverifyserver=yes in sip.conf to prevent Asterisk from attempting to verify the server.

No Format
;        If set to yes, don't verify the servers certificate when acting as
;        a client.  If you don't have the server's CA certificate you can
;        set this and it will connect without requiring tlscafile to be set.
;        Default is no.


Part 2 (SRTP)

Now that we've got TLS enabled, our signaling is secure - so no one knows what extensions on the PBX we're dialing. But, our media is still not secure - so someone can snoop our RTP conversations from the wire. Let's fix that.

SRTP support is provided by libsrtp. libsrtp has to be installed on the machine before Asterisk is compiled, otherwise you're going to see something like:

No Format

[Jan 24 09:29:16] ERROR[10167]: chan_sip.c:27987 setup_srtp: No SRTP module loaded, can't setup SRTP session.


With that complete, let's first go back into our peer definition in sip.conf. We're going to add a new encryption line, like:

No Format

secret=malcolm ;note that this is NOT a secure password


Reload Asterisk's SIP configuration (sip reload), make a call, and voilavoilà:

We're making secure calls with TLS (signaling) and SRTP (media).