
Encrypting carrier traffic with TLS and SRTP

TLS encrypts your SIP signaling and SRTP encrypts the audio. Here is when carriers offer it and how to configure the peer.

VICIfast Support

TLS encrypts the call setup messages between your server and the carrier; SRTP encrypts the audio itself. Together they keep both the signaling and the voice on your carrier link private. You turn them on by configuring the carrier peer to use the encrypted transport, but only if your carrier supports it.

Signaling vs media: two layers, two protocols

A call has two streams. The signaling layer is SIP (Session Initiation Protocol) messages (INVITE, ringing, answered, BYE) that set up and tear down the call. The media layer is RTP, the stream of audio packets. By default both travel in plaintext, so anyone on the path can read who you called and listen to the conversation.

  • SIP over TLS wraps the SIP signaling in TLS, the same transport encryption browsers use for HTTPS. It hides call setup details and prevents tampering with the messages.
  • SRTP encrypts the RTP audio so the voice cannot be captured and replayed. Without it, encrypting only the signaling still leaves the conversation in the clear.

Enabling TLS alone does not protect the audio. You need both: TLS for signaling and SRTP for media. One without the other leaves a gap.

When a carrier offers it

Not every carrier sells encrypted trunks. Many wholesale routes are plain UDP SIP because TLS and SRTP add a little CPU cost and some carriers simply never built it. If encryption matters to you, ask the carrier directly whether they support SIP over TLS (usually on port 5061) and SRTP, and get the certificate or hostname details you need to validate the connection. If they do not offer it, no amount of local config will encrypt that hop.

How the secure call sets up

Once both sides agree on TLS and SRTP, a single outbound call flows like this:

sequenceDiagram
  participant V as VICIdial
  participant C as Carrier
  V->>C: TLS handshake on 5061
  C-->>V: Certificate verified
  V->>C: SIP INVITE with SRTP offer
  C-->>V: 200 OK with SRTP answer
  V->>C: Encrypted RTP audio
  C-->>V: Encrypted RTP audio
  V->>C: SIP BYE over TLS

Configuring the peer

On the VICIdial carrier entry, the Account Entry block is where you switch the trunk to the encrypted transport. The exact lines depend on whether you run chan_sip or PJSIP, but the shape is the same: point the transport at TLS, set the encryption mode to SRTP, and tell it which port and certificate to trust. A simplified peer has these parts:

  • Transport set to TLS so signaling rides port 5061 instead of plain UDP 5060.
  • Media encryption set to require SRTP, so the call drops rather than falling back to plaintext audio.
  • The carrier's host and the certificate path or hostname for validation.

Encryption sits on top of a working trunk, not instead of one. If you have not built the carrier entry yet, start with adding a carrier trunk, get a plain call connecting first, then add TLS and SRTP on top. After you save, wait about a minute for the conf files to regenerate, then place a single test call and confirm clean two-way audio before pointing campaigns at it.
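
Two-way audio on the test call shows the trunk works, not that it is encrypted. The check below is an added example, not VICIfast or VICIdial code: it takes the text of a SIP response (here a constructed 200 OK; the hosts, the key and the function name `check_call_encryption` are assumptions for illustration) and reports whether the signaling used TLS and whether every live audio stream in the SDP negotiated SRTP.

```python
import re

# Constructed sample: a 200 OK as it could appear in the dialer's SIP debug
# output. Hosts, tags and the key are placeholders, not real values.
SAMPLE_200_OK = "\r\n".join([
    "SIP/2.0 200 OK",
    "Via: SIP/2.0/TLS dialer.example.net:5061;branch=z9hG4bKconstructed",
    "From: <sip:1000@dialer.example.net>;tag=a1",
    "To: <sip:15555550100@carrier.example.com>;tag=b2",
    "Call-ID: constructed-call-id@dialer.example.net",
    "CSeq: 102 INVITE",
    "Content-Type: application/sdp",
    "",
    "v=0",
    "o=- 1 1 IN IP4 203.0.113.10",
    "s=-",
    "c=IN IP4 203.0.113.10",
    "t=0 0",
    "m=audio 18000 RTP/SAVP 0",
    "a=rtpmap:0 PCMU/8000",
    "a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:" + "A" * 40,
])

def check_call_encryption(sip_message: str) -> dict:
    """Report whether signaling used TLS and every live audio stream is SRTP."""
    head, _, sdp = sip_message.replace("\r\n", "\n").partition("\n\n")
    # The topmost Via names the transport the request was sent over.
    via = re.search(r"^(?:Via|v)\s*:\s*SIP/2\.0/(\w+)", head, re.I | re.M)
    tls = bool(via) and via.group(1).upper() == "TLS"

    streams, current, session_fp = [], None, False
    for line in sdp.splitlines():
        if line.startswith("m="):
            media, port, proto = (line[2:].split() + ["", "", ""])[:3]
            current = {"media": media, "port": port.split("/")[0],
                       "proto": proto.upper(), "keyed": False}
            streams.append(current)
        elif line.startswith("a=crypto:") and current:
            current["keyed"] = True          # SDES key (RFC 4568)
        elif line.startswith("a=fingerprint:"):
            if current:
                current["keyed"] = True      # DTLS-SRTP, media level
            else:
                session_fp = True            # DTLS-SRTP, session level

    # Port 0 marks a rejected stream; only live audio streams count.
    audio = [s for s in streams if s["media"] == "audio" and s["port"] != "0"]
    srtp = bool(audio) and all(
        "SAVP" in s["proto"] and (s["keyed"] or session_fp) for s in audio)
    return {"signaling_tls": tls, "media_srtp": srtp, "encrypted": tls and srtp}
```

A result with `signaling_tls` true and `media_srtp` false is the gap described earlier: TLS protecting the signaling while the audio still travels as plain RTP.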

For how the encrypted carrier link fits with trunks, dialplans, and routing, see our VICIdial carrier integration guide.

Every VICIfast box ships over HTTPS on a dedicated public IP, ready for you to point an encrypted carrier at, and it provisions in under 40 seconds. See our plans to begin.

Citing this article

VICIfast Engineering. “Encrypting carrier traffic with TLS and SRTP”. VICIfast LLC, June 24, 2026. Retrieved from https://vicifast.com/blog/vicidial-carrier-tls-srtp