So voip.ms emailed this morning that they just enabled encrypted calls.
YAY!
I turned it on for one of my subaccounts using a Grandstream HT702 ATA.
I can report so far so good. Works.
In the Grandstream I go into the FXS Port 1 tab:
Change SIP transport to: TLS
Change SRTP mode to: Enabled and forced
Their notes indicate you must not be using the generic city server hostname, so I changed mine to vancouver1.voip.ms
Reboot the box and it is now registered, and the subaccount shows the lock icon and transport TLS on the registration status on voip.ms.
I see they are using Let's Encrypt for their SSL certificates instead of a wildcard or SAN cert, so I guess for now it must be the specific hostname. Maybe when out of beta they can use a wildcard cert to let you connect to vancouver.voip.ms or whatever city name you want, or change their Let's Encrypt settings to request SAN certificates with the generic city hostname included.
---
Certificate chain
0 s:/CN=vancouver1.voip.ms
i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
i:/O=Digital Signature Trust Co./CN=DST Root CA X3
---
You must do 4 things.
https://wiki.voip.ms/article/Call_Encryption_-_TLS/SRTP
1. Opt in your account to their beta program (https://voip.ms/m/beta.php)
2. In the subaccount you will use for the device enable the Encrypted SIP Traffic setting in advanced.
3. Set your device to use TLS transport and port number 5061, 5081, or 42873. Your server hostname must include the server number to match the SSL certificate on the server (vancouver1.voip.ms, for example, instead of just vancouver.voip.ms).
4. Set your device to use SRTP media encryption. (forced or required settings instead of optional when given that choice)
You do not require a client side SSL certificate. So most advanced SSL certificate fields can be left blank.
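The hostname requirement above comes down to certificate name matching. The following is an added example, not part of the original post or voip.ms documentation: it applies RFC 6125-style matching to the certificate name shown in the chain above and to the wildcard and SAN alternatives the post speculates about. The scenario name lists are constructed, and `fetch_cert_names` is a hypothetical helper for checking a live server on one of the TLS ports listed above.

```python
import socket
import ssl


def name_matches(hostname, pattern):
    """RFC 6125-style match: '*' is accepted only as the entire leftmost
    label and stands for exactly one label."""
    host = hostname.lower().rstrip(".").split(".")
    pat = pattern.lower().rstrip(".").split(".")
    if len(host) != len(pat):
        return False
    if pat[0] == "*":
        return len(pat) > 2 and host[1:] == pat[1:]
    return host == pat


def cert_covers(hostname, cert_names):
    """True if any name in the certificate covers the configured hostname."""
    return any(name_matches(hostname, n) for n in cert_names)


def fetch_cert_names(host, port=5061, timeout=5.0):
    """Return the DNS names in a live server's certificate (needs network)."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # chain is still verified; names are compared by us
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return sans or cns


# Constructed name lists: the first mirrors the CN in the chain above,
# the other two are the alternatives the post speculates about.
SCENARIOS = {
    "as posted (single name)": ["vancouver1.voip.ms"],
    "hypothetical wildcard": ["*.voip.ms"],
    "hypothetical SAN": ["vancouver1.voip.ms", "vancouver.voip.ms"],
}


def report(hosts=("vancouver1.voip.ms", "vancouver.voip.ms")):
    """Map each scenario to {hostname: covered?} for the given hostnames."""
    return {label: {h: cert_covers(h, names) for h in hosts}
            for label, names in SCENARIOS.items()}


if __name__ == "__main__":
    for label, result in report().items():
        print(label, result)
```

To compare against the real server, pass the result of `fetch_cert_names("vancouver1.voip.ms")` to `cert_covers` with the hostname configured on the device.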