Table of Contents
SIP Trunk Encryption
- SIP Digest Authentication is only an MD5 hash of username, password, SIP URI and other components of the SIP messages.
- SIP Digest Authentication does not provide confidentiality of signaling packets
- SIP Trunk Encryption can be used for that
- SIP trunk encryption uses TLS for SIP
- TLS authentication is based on certificates
- CUCM must trust the issuer of the certificate of the peer:
- Can be self-signed
- Can be issued by a CA
- Subject used in the TLS certificate exchange has to be configured.
- HMAC is used for authentication.
- SIP trunk encryption protects only signaling.
- No SRTP support on SIP trunks.
Configuration
SIP Trunk Security Profile
- Set the Device Security Mode to Encrypted
- Set the X.509v3 certificate subject name used by the peer
SIP Trunk
- Apply SIP trunk security profile to the trunk
Peer Certificate
- Add the certificate of the issuer of the certificate of the peer to CUCM