Setup SIP-over-TLS + SRTP for voip.ms

I would like to set up SIP-over-TLS + SRTP for voip.ms.

Here are the steps I did to set up Jami on my Android phone:

  • Install Jami from F-droid
  • Create a SIP account following this post
  • Follow the Jami wiki on voip.ms for the basic configuration.
  • Go to the security options of the SIP account
  • Activate: Encrypt media streams (SRTP)
  • Activate: Use TLS Transport

What I did afterward:

  • Call 4443 to do the echo test

Expected result:

  • The call goes through
  • I can hear the instructions
  • I speak and I can hear myself back.

What happened:

  • The call cuts off
  • It is written: Missed outgoing call

N.B.: When I do not encrypt, the echo test works fine.

What should I do to set up the encryption for voip.ms?

I solved the issue today:

Here is how to set up SIP-over-TLS SRTP for voip.ms:

  • Install Jami from F-droid
  • Create a SIP account following this post
  • Follow the Jami wiki on voip.ms for the basic configuration.
  • Go to the security options of the SIP account
  • Activate: Encrypt media streams (SRTP)
  • *** Activate: Enable SDES as key exchange protocol ***
  • Activate: Use TLS Transport
1 Like

Is this still working for you? I only get connection error.

I do get connection error every once in a while. If I disconnect and reconnect, it becomes online again, no connection error.

Update:
I just realized that the voip encryption setup above only works halfway. Outgoing calls work, but not incoming calls. When I call my Jami SIP, I hear from the caller's end a voip.ms message that the number I called is unavailable. From the Jami SIP point of view, the status is online. On my voip.ms portal, it said that my Jami SIP is registered.

I can receive incoming calls only if I deactivate TLS Transport.

How should I configure the TLS Transport so I can receive incoming calls?

I just now got it to work with the following:

When creating the account, use the following hostname format:

subdomain.voip.ms:5061;transport=tls

I made only the following changes in the Account settings:

  • Enable ‘Encrypt media streams (SRTP)’
  • Enable ‘Enable SDES as key exchange protocol’
  • Enable ‘Use TLS Transport’

I can also see in the voip.ms interface that the account is securely registered.

One odd item is that I have two voip.ms accounts logged into the same Jami app and both are configured identically. One of the accounts voip.ms shows as not registered, but Jami says it is online and I can make calls with it no problem.

I just sorted out an additional issue that I didn’t see before.

After some time, both logged in accounts could not make an outbound call (did not test inbound). Logging an account out and back in seemed to fix this. I thought that not setting registration expiration time to 120 could be the cause, so I set that to 120.

However, the only way I fixed this was to delete the second account, because the issue occurred even when the second account was disabled for a period.

The clue was that the voip.ms interface showed only the second account logged in and the first account not logged in, even though each has a unique set of login credentials.

What I am now testing is adding the second account using a different subdomain. Immediately, the voip.ms interface shows both accounts logged in securely, which it was not doing before, and both can successfully call 4443.

Something else I’ve discovered is that I can’t figure out how to get SMS text messages to work.

I did the following:

  • On Jami, the account is online.
  • On the portal, it is registered.
  • I still can’t receive incoming calls.
  • Echo test works.

To test incoming call:

  • I create a new subaccount (e.g.: [number]_incoming)
  • I use that subaccount to call the DID associated with the account in Jami, from another device (in my case a Linphone on my desktop)

Also incoming SMS does not get through.

When you are going to test the incoming calls, can you post your result here?

Indeed, I did some testing later and you are correct that it cannot receive calls.

When I do this:

  • Create a SIP account following this post
  • Follow the Jami wiki on voip.ms for the basic configuration.
  • Go to the security options of the SIP account
  • Activate: Encrypt media streams (SRTP)
  • Activate: Enable SDES as key exchange protocol
  • Activate: Use TLS Transport

result:

  • On Jami, the account is online.
  • On the portal, it is registered, but no secure transport
  • I can receive incoming calls.
  • Echo test works.

If I add:

  • Activate: Use TLS Transport
  • Permutate between 5061 (voip.ms TLS port) and the default value for whatever port options available.

result:

  • On Jami, the account is online.
  • On the portal, it is registered with secure transport
  • I cannot receive incoming calls.
  • Echo test works.

It must be something related to TLS configuration in Jami.
There are many TLS options underneath “Use TLS Transport”. I don’t know how to set these options to make encrypted voip work properly.

Among the TLS options, there are 3 which have red exclamation marks:

  • Certification Authorities
  • Certificate File
  • Private Key File

Regarding SMS:

  • Messages sent from Jami SIP (encrypted) are not received on the voip.ms portal.
  • Messages sent to Jami SIP (encrypted) are not received.
  • Messages sent from Jami SIP (unencrypted) are received on the voip.ms portal.
  • Messages sent to Jami SIP (unencrypted) are not received.
1 Like
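
Added example (not from any poster in this thread, and not Jami or voip.ms code): with SDES, the SRTP master key travels inside the SDP body as an `a=crypto` line, so the "SRTP + SDES, no secure transport" combination tested above encrypts the audio but sends its key in cleartext signaling. The sketch below classifies an INVITE by its topmost Via transport and its SDP; the function names, the 192.0.2.10 address and the all-zero key are constructed for illustration.

```python
import re

def classify_invite(raw: str) -> str:
    """Classify how a SIP INVITE protects its media keys (SDES, RFC 4568)."""
    head, _, sdp = raw.replace("\r\n", "\n").partition("\n\n")
    # Topmost Via names the transport this hop used: SIP/2.0/TLS, /UDP or /TCP.
    via = re.search(r"^(?:Via|v)\s*:\s*SIP/2\.0/(\w+)", head, re.I | re.M)
    transport = via.group(1).upper() if via else "UNKNOWN"
    # m=audio <port> <proto> <formats>: RTP/AVP is plain RTP, RTP/SAVP is SRTP.
    media = re.search(r"^m=audio\s+\d+\s+(\S+)", sdp, re.M)
    if media is None:
        return "no-audio"
    proto = media.group(1).upper()
    # a=crypto:<tag> <suite> inline:<base64 master key and salt>
    has_key = re.search(r"^a=crypto:\d+\s+\S+\s+inline:", sdp, re.M) is not None
    if proto == "RTP/AVP" and not has_key:
        return "plain-rtp"
    if not has_key:
        return "srtp-without-sdes-key"
    return "sdes-over-tls" if transport == "TLS" else "sdes-key-in-cleartext"

def sample_invite(transport: str, proto: str, with_key: bool) -> str:
    """Build a constructed INVITE; every address, tag and key is made up."""
    sdp = ["v=0", "o=- 1 1 IN IP4 192.0.2.10", "s=-", "c=IN IP4 192.0.2.10",
           "t=0 0", f"m=audio 40000 {proto} 0", "a=rtpmap:0 PCMU/8000"]
    if with_key:
        # 40 base64 characters = 30 bytes (16-byte key + 14-byte salt), all zero.
        sdp.append("a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:" + "A" * 40)
    headers = ["INVITE sip:4443@subdomain.voip.ms SIP/2.0",
               f"Via: SIP/2.0/{transport} 192.0.2.10:5061;branch=z9hG4bKexample",
               "From: <sip:user@subdomain.voip.ms>;tag=1",
               "To: <sip:4443@subdomain.voip.ms>",
               "Call-ID: constructed-example", "CSeq: 1 INVITE",
               "Content-Type: application/sdp"]
    return "\r\n".join(headers) + "\r\n\r\n" + "\r\n".join(sdp) + "\r\n"

if __name__ == "__main__":
    # The three account configurations compared in the thread.
    for label, args in [("no encryption", ("UDP", "RTP/AVP", False)),
                        ("SRTP + SDES, no TLS", ("UDP", "RTP/SAVP", True)),
                        ("SRTP + SDES + TLS", ("TLS", "RTP/SAVP", True))]:
        print(f"{label:22} -> {classify_invite(sample_invite(*args))}")
```
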

Is it possible you can report this to the project?

https://docs.jami.net/guides/how-to-report-bugs.html

1 Like

Here is the bug report:

Regarding SMS, I think there is already another bug report about it:

1 Like