Secure Media
Learn to secure your call media and signaling with Twilio Programmable Voice by enabling TLS for SIP signaling and SRTP for media packets. To do this, enable Secure Media in your SIP Domain for inbound calls or append the secure=true parameter to your SIP URI for outbound calls.
You can use this guide for self-service automation, inbound contact centers, outbound contact centers, and PSTN connectivity.
See Related reference documentation to learn more about the SIP and API elements used in this guide.
You can enable or disable Secure Media in your SIP Domain. It is disabled by default.
You can expect the following:
- Enabled: TLS must be used to encrypt SIP messages and SRTP must be used for the media packets. Any non-encrypted calls will be rejected.
- Disabled: RTP must be used for media packets. SIP messages may be sent in the clear or using TLS. Any SRTP encrypted calls will be rejected.
Info
- SRTP supports the following crypto suites: AES_CM_128_HMAC_SHA1_80 and AES_CM_128_HMAC_SHA1_32. Both may be included in an order of preference.
- The optional master key identifier (MKI) parameter is not supported.
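As an added example (not Twilio's code), the following pre-flight check inspects the SDP offer your PBX would send to a SIP Domain with Secure Media enabled and reports anything that conflicts with the constraints above. It assumes the offer carries SDES `a=crypto` attributes as defined in RFC 4568; `check_offer`, `offer`, and the sample key are constructed for this example.

```python
import re

# Crypto suites this page lists as supported when Secure Media is enabled.
SUPPORTED_SUITES = {"AES_CM_128_HMAC_SHA1_80", "AES_CM_128_HMAC_SHA1_32"}
# RFC 4568: a=crypto:<tag> <suite> inline:<key||salt>[|lifetime][|MKI:length]
CRYPTO_RE = re.compile(r"^a=crypto:(\d+) +(\S+) +inline:(\S+)")

def check_offer(sdp):
    """Return the problems found in the audio section of an SDP offer."""
    problems, suites, in_audio, saw_audio = [], [], False, False
    for line in (raw.strip() for raw in sdp.splitlines()):
        if line.startswith("m="):
            fields = line.split()
            in_audio = fields[0] == "m=audio"
            if in_audio:
                saw_audio = True
                proto = fields[2] if len(fields) > 2 else "?"
                if "SAVP" not in proto:  # RTP/AVP is plain RTP
                    problems.append(f"audio profile {proto} is not SRTP")
            continue
        match = CRYPTO_RE.match(line) if in_audio else None
        if not match:
            continue
        tag, suite, key_params = match.groups()
        suites.append(suite)
        # Fields after the key: a lifetime has no ':', an MKI is "<id>:<len>".
        if any(":" in field for field in key_params.split("|")[1:]):
            problems.append(f"crypto tag {tag} carries an MKI")
    if not saw_audio:
        problems.append("no audio media line")
    elif not SUPPORTED_SUITES.intersection(suites):
        problems.append("no supported crypto suite offered")
    return problems

# Constructed sample data: the key is base64 of a fixed 30-byte string.
KEY = "QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVowMTIz"

def offer(profile, *crypto_lines):
    """Build a minimal constructed SDP offer with one audio section."""
    head = ["v=0", "o=- 1 1 IN IP4 192.0.2.10", "s=-", "c=IN IP4 192.0.2.10", "t=0 0"]
    return "\r\n".join(head + [f"m=audio 40000 {profile} 0 8", *crypto_lines]) + "\r\n"

if __name__ == "__main__":
    good = offer("RTP/SAVP", f"a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:{KEY}",
                 f"a=crypto:2 AES_CM_128_HMAC_SHA1_32 inline:{KEY}|2^31")
    print(check_offer(good))
```

An empty list means the offer matches what this page documents for Secure Media; each string in a non-empty list names one mismatch to fix in the PBX configuration.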
Ensure you configure the secure=true parameter as part of the SIP URI to secure media in outbound SIP calls.

    <?xml version="1.0" encoding="UTF-8"?>
    <Response>
      <Dial>
        <Sip>sip:jack@example.com;secure=true</Sip>
      </Dial>
    </Response>

The default port 5061 will be used for TLS.
Info
- Only a single crypto suite for SRTP will be included: AES_CM_128_HMAC_SHA1_80
- The optional master key identifier (MKI) parameter is not supported.
Asterisk ships by default with the chan_sip driver, which works well with Twilio. However, if you have some reason to run the PJSIP driver with Asterisk, note the following:
Here is a guide to installing a non-bundled version of PJSIP. Change the version to 2.5.5 in the steps.
Warning
Asterisk 13.8 cert2 defaults to PJSIP 2.5, which will not work with Twilio for TLS/SRTP purposes. Non-encrypted calls will still work.
Make sure to use the latest PJSIP driver, which at this time is 2.5.5.
You may see the following message in your log:
ERROR[10886]: pjproject:0 <?>: tlsc0x7f217c03 RFC 5922 (section 7.2) does not allow TLS wildcard certificates. Advise your SIP provider, please!
This message can be ignored.
This guide teaches the basics required for the following use cases:
You can use this guide to ensure that sensitive data collected during automated interactions, such as account numbers or PINs, remain encrypted. By enforcing TLS and SRTP, you protect user privacy during self-service tasks.
To learn more advanced features that you can use with self-service automation, see Voice self-service automation.
You can use this guide to secure customer communications coming from your SIP infrastructure into your contact center. This ensures compliance and security for all inbound agent interactions.
To learn more advanced features that you can use with inbound contact centers, see Voice inbound contact center.
You can use this guide to programmatically secure outbound calls made by your agents. Using the secure=true parameter ensures that telemarketing or support calls are encrypted from end to end.
To learn more advanced features that you can use with outbound contact centers, see Voice outbound contact center.
You can use this guide to bridge your private SIP network with Twilio's PSTN connectivity while maintaining strict encryption standards. This allows for secure global communication across different network types.
To learn more advanced features that you can use with PSTN connectivity, see Voice PSTN connectivity.
After following this guide, you can successfully encrypt SIP signaling and media packets for your voice calls. You can verify this by checking your SIP Domain configuration for inbound calls or by confirming the use of port 5061 and TLS negotiation in your SIP logs for outbound calls.
Explore the following guides to build on what you've learned in this guide:
- SIP: Explore the full list of features available for the Twilio SIP Interface.
- SIP API: Learn how to manage your SIP resources programmatically.
- Emergency Calling for SIP Interfaces: Understand how to handle emergency calls over secure SIP connections.
- How to add Programmability to your existing SIP network: Connect your infrastructure to Twilio's programmable logic.
- How to route calls to your SIP network with an outbound call: Securely route Twilio calls back to your private network.