Encrypting calls with TLS and SRTP
This topic describes how to set up secure communications for inbound calls with these protocols:
- Use SIP/TLS to encrypt call control
- Use SRTP to encrypt the audio media
Here's a reminder of the deployment architecture:
SIP/TLS and SRTP traffic between key components:
Your gateway uses
Note: To connect to the Telephony Session service via SIP/TLS signaling, you must disable ts.RTPBridge in the Telephony Session service.
Callflow:
- Your interface to the Voice Browser service uses SIP/TLS to exchange messages and establish calls with the Telephony Session service. (Your interface is whatever connects telephone calls: a gateway, a session controller, the PSTN, and so on.)
- The system uses SIP/UDP to exchange call establishment messages among the Telephony Session service, the Voice Browser service, and the Nuance Speech Server. The SIP messages carry the SDP parameters required to create the SRTP session.
- The system uses the SRTP session to exchange media between the external endpoint and the Speech Server.
Configuration:
- Enable SIP/TLS and SRTP in your interface.
- Acquire (generate) and exchange signed certificates to enable mutual authentication of the Telephony Session service and your external endpoint (gateway).
  - For testing in a development environment, you can create self-signed certificates.
  - For deploying in a production environment, acquire certificates that are signed by a Certificate Authority (CA).
- Required. Use these naming conventions when generating certificates:
  - Telephony Session service certificate: domain_cert_CommonName.pem (replace CommonName with the actual value).
  - Telephony Session service key: domain_key_CommonName (replace CommonName with the same value as the certificate).
  - Other party's trusted certificate: root_cert_CommonName.pem (replace CommonName with the other party's actual value).
  For example, if you were anticipating the default values of the ts.SIPExtDomainName and ts.SIPIntDomainName parameters, you'd use nuance.com as the common name, and the names would be domain_cert_nuance.com.pem, domain_key_nuance.com.pem, and domain_cert_nuance.com.pem. Alternatively, if you entered a value such as the server IP address as the common name, your names would resemble these examples: domain_cert_192.168.0.0.pem, domain_key_192.168.0.0.pem, and domain_cert_192.170.0.0.pem.
- Optional. You can use certificate bundles as an alternative for the other party (with the CA certificate chain in the bundle and the external endpoint/gateway certificate outside the bundle). Use these naming conventions:
  - CA certificate chain bundle: root_cert_CommonName.pem (replace CommonName with the common name of the last CA in the chain).
  - Endpoint certificate: root_cert_CommonName.pem (replace CommonName with the other party's common name).
- Configure the security parameters in the Telephony Session service:
| Parameters | Values | Default | Description |
|---|---|---|---|
| ts.SIPExtSecurity | off, accept, require | off (disabled) | Tells the Telephony Session service whether to expect TLS and SRTP on your external interface (the Gateway side). off = Not expected (default). accept = Accept if present. require = Always required: all SIP and RTP packets must use the security protocols (TLS/SRTP). Overrides the UDP and TCP parameters. |
| ts.SIPIntSecurity | off, accept | off (disabled) | Specifies how the Telephony Session service uses TLS and SRTP internally (the Voice Browser service side). off = Do not use secure SIP (default). accept = Use if the external interface uses secured SIP and RTP (TLS/SRTP) communications. |
| ts.SIPExtTlsPort | Integer (a port number) | audio.sip.UserAgentPort + 1 (5061) | Telephony Session service port for TLS communication with your external interface (the Gateway side). |
| ts.SIPIntTlsPort | Integer (a port number) | ts.SIPLocalPort + 1 (5065) | Telephony Session service port for TLS communication on the Voice Browser service side. |
| ts.SIPExtCertsPath | String (a fully qualified directory path) | Windows: %NUANCETS%\sipCerts; Linux: $NUANCETS/sipCerts | Path to the certificate store created on the Telephony Session service host that contains the public certificate of your external interface (the Gateway side). |
| ts.SIPIntCertsPath | String (a fully qualified directory path) | Windows: %NUANCETS%\sipCerts; Linux: $NUANCETS/sipCerts | Path to the certificate store created on the Telephony Session service host that contains the public certificate for the Voice Browser service side. |
| ts.SIPExtDomainName | String | nuance.com | Common Name (CN) or Fully Qualified Domain Name (FQDN) that was used to create the Telephony Session service certificate for your external interface (the Gateway side). |
| ts.SIPIntDomainName | String | nuance.com | Common Name (CN) or Fully Qualified Domain Name (FQDN) used to create the Telephony Session service certificate on the Voice Browser service side (the domain used when creating the certificate). |
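The certificate naming conventions and the parameter table above are easy to get slightly wrong (a TLS port that collides with the plain SIP port, ts.RTPBridge left enabled, a key file whose name does not match ts.SIPExtDomainName), and the service only tells you at call time. The following pre-flight check is an added example written for this page; it is not a Nuance tool and does not read the service's configuration files. It assumes that ts.RTPBridge can be modelled as a boolean, takes audio.sip.UserAgentPort = 5060 and ts.SIPLocalPort = 5064 from the 5061 and 5065 defaults shown in the table, accepts the key file both as domain_key_CommonName and as domain_key_CommonName.pem because the page shows both spellings, and uses constructed values for the gateway's certificate Common Name and the certificate store listings.

```python
"""Pre-flight check for a Telephony Session service SIP/TLS + SRTP configuration.

Added example, not part of the Nuance product. It encodes the ts.* parameter
table and the certificate naming conventions from this page so that a
misconfiguration is reported before the service is started. The parameter
values and certificate store listings below are constructed samples.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

VALID_EXT_SECURITY = ("off", "accept", "require")   # ts.SIPExtSecurity
VALID_INT_SECURITY = ("off", "accept")              # ts.SIPIntSecurity


@dataclass
class TsConfig:
    """The ts.* parameters relevant to TLS/SRTP, with the page's defaults."""
    ext_security: str = "off"           # ts.SIPExtSecurity
    int_security: str = "off"           # ts.SIPIntSecurity
    ext_domain: str = "nuance.com"      # ts.SIPExtDomainName (CN of the gateway-side cert)
    int_domain: str = "nuance.com"      # ts.SIPIntDomainName (CN of the Voice Browser-side cert)
    user_agent_port: int = 5060         # audio.sip.UserAgentPort (5061 - 1, from the table default)
    local_port: int = 5064              # ts.SIPLocalPort (5065 - 1, from the table default)
    ext_tls_port: Optional[int] = None  # ts.SIPExtTlsPort; None means UserAgentPort + 1
    int_tls_port: Optional[int] = None  # ts.SIPIntTlsPort; None means SIPLocalPort + 1
    rtp_bridge: bool = True             # ts.RTPBridge; must be disabled for SIP/TLS (assumed boolean)
    ext_peer_cn: str = "gateway"        # CN in the gateway's certificate (assumed value)
    int_peer_cn: str = "nuance.com"     # CN in the Voice Browser side's certificate (assumed value)


def resolve_tls_ports(cfg: TsConfig) -> Tuple[int, int]:
    """Apply the documented defaults: each TLS port is the plain SIP port + 1."""
    ext = cfg.ext_tls_port if cfg.ext_tls_port is not None else cfg.user_agent_port + 1
    internal = cfg.int_tls_port if cfg.int_tls_port is not None else cfg.local_port + 1
    return ext, internal


def expected_store_files(own_cn: str, peer_cn: str) -> Dict[str, List[str]]:
    """File names the naming convention requires in one sipCerts store.
    The key is accepted with or without .pem because the page shows both spellings."""
    return {
        "certificate": [f"domain_cert_{own_cn}.pem"],
        "private key": [f"domain_key_{own_cn}", f"domain_key_{own_cn}.pem"],
        "trusted peer certificate": [f"root_cert_{peer_cn}.pem"],
    }


def check_store(label: str, own_cn: str, peer_cn: str, files: List[str]) -> List[str]:
    """Report each required file that is absent from a store listing."""
    present = set(files)
    return [
        f"{label}: missing {role}, expected one of {candidates}"
        for role, candidates in expected_store_files(own_cn, peer_cn).items()
        if not any(name in present for name in candidates)
    ]


def check_config(cfg: TsConfig, ext_store: List[str], int_store: List[str]) -> List[str]:
    """Return a list of problems; an empty list means the configuration is consistent."""
    problems: List[str] = []
    if cfg.ext_security not in VALID_EXT_SECURITY:
        problems.append(f"ts.SIPExtSecurity={cfg.ext_security!r} is not one of {VALID_EXT_SECURITY}")
    if cfg.int_security not in VALID_INT_SECURITY:
        problems.append(f"ts.SIPIntSecurity={cfg.int_security!r} is not one of {VALID_INT_SECURITY}")
    tls_on_external = cfg.ext_security != "off"
    if tls_on_external and cfg.rtp_bridge:          # the Note at the top of the page
        problems.append("ts.RTPBridge must be disabled to accept SIP/TLS on the external interface")
    if cfg.int_security == "accept" and not tls_on_external:
        problems.append("ts.SIPIntSecurity=accept only applies when the external interface is secured")
    ext_tls, int_tls = resolve_tls_ports(cfg)
    ports = {"audio.sip.UserAgentPort": cfg.user_agent_port, "ts.SIPLocalPort": cfg.local_port,
             "ts.SIPExtTlsPort": ext_tls, "ts.SIPIntTlsPort": int_tls}
    seen: Dict[int, str] = {}
    for name, port in ports.items():
        if not 1 <= port <= 65535:
            problems.append(f"{name}={port} is not a valid port number")
        elif port in seen:                           # two listeners on one port
            problems.append(f"{name} and {seen[port]} both use port {port}")
        seen[port] = name
    if tls_on_external:
        problems += check_store("ts.SIPExtCertsPath", cfg.ext_domain, cfg.ext_peer_cn, ext_store)
    if cfg.int_security != "off":
        problems += check_store("ts.SIPIntCertsPath", cfg.int_domain, cfg.int_peer_cn, int_store)
    return problems


def check_sample_configs() -> Tuple[List[str], List[str]]:
    """Constructed samples: a consistent deployment and one with three common mistakes."""
    good = TsConfig(ext_security="require", int_security="accept", rtp_bridge=False,
                    ext_peer_cn="gw.example.net")
    good_ext = ["domain_cert_nuance.com.pem", "domain_key_nuance.com.pem", "root_cert_gw.example.net.pem"]
    good_int = ["domain_cert_nuance.com.pem", "domain_key_nuance.com", "root_cert_nuance.com.pem"]
    # Mistakes: RTPBridge left on, TLS port colliding with the UDP port, key file not in the store.
    bad = TsConfig(ext_security="require", int_security="accept", rtp_bridge=True,
                   ext_peer_cn="gw.example.net", ext_tls_port=5060)
    bad_ext = ["domain_cert_nuance.com.pem", "root_cert_gw.example.net.pem"]
    return check_config(good, good_ext, good_int), check_config(bad, bad_ext, good_int)


if __name__ == "__main__":
    for label, report in zip(("good", "bad"), check_sample_configs()):
        print(label, "->", report or "OK")
```

To use it against a real host, replace the constructed listings with os.listdir() of the ts.SIPExtCertsPath and ts.SIPIntCertsPath directories and fill TsConfig from the values you set in the service; the check only compares names and numbers, so verifying that each domain_cert file really carries the Common Name in ts.SIPExtDomainName or ts.SIPIntDomainName still needs an inspection of the certificate itself.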