Last updated: 2026-02-11
Asterisk TLS/SSL Configuration Guide
This guide provides recommended TLS/SSL settings for Asterisk PBX to encrypt SIP signaling traffic. Securing VoIP communications with TLS prevents eavesdropping on call setup and authentication credentials.
Prerequisites
- Asterisk 18 or later (with PJSIP, which is the recommended SIP channel driver)
- OpenSSL 1.1.1 or later
- SSL certificates (server certificate, private key, and CA certificate)
Certificate Setup
Asterisk needs a certificate and private key for TLS. You can use certificates from a CA like Let's Encrypt, or generate self-signed certificates for internal use.
Combine your certificate and private key if needed (Asterisk often expects a combined PEM file):
cat /etc/asterisk/keys/cert.pem /etc/asterisk/keys/privkey.pem > /etc/asterisk/keys/asterisk.pem
chmod 640 /etc/asterisk/keys/asterisk.pem
chown root:asterisk /etc/asterisk/keys/asterisk.pem
PJSIP TLS Transport Configuration
PJSIP is the modern SIP channel driver in Asterisk and is recommended over the legacy chan_sip. Configure a TLS transport in pjsip.conf.
Transport Settings
[transport-tls]
type = transport
protocol = tls
bind = 0.0.0.0:5061
; Certificate files
cert_file = /etc/asterisk/keys/asterisk.pem
priv_key_file = /etc/asterisk/keys/privkey.pem
ca_list_file = /etc/asterisk/keys/ca.crt
; TLS method - tlsv1_2 sets the minimum version
; When using OpenSSL 1.1.1+, TLS 1.3 is also available
method = tlsv1_2
; Cipher suites (OpenSSL format)
cipher = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305
; Verify remote certificates
verify_server = yes
verify_client = no
Configuration Explained
- protocol = tls -- Enables TLS for this transport. SIP over TLS uses port 5061 by default.
- method = tlsv1_2 -- Sets the minimum TLS protocol version. With OpenSSL 1.1.1+, both TLS 1.2 and TLS 1.3 are available.
- cipher -- Restricts the allowed cipher suites to strong AEAD ciphers with forward secrecy.
- verify_server = yes -- Verifies the server certificate when making outbound connections. Requires a valid ca_list_file.
- verify_client = no -- Set to yes if you want to require client certificates for mutual TLS authentication.
PJSIP Endpoint Configuration
Configure endpoints to use the TLS transport:
[my-trunk]
type = endpoint
transport = transport-tls
context = from-trunk
disallow = all
allow = ulaw
allow = alaw
media_encryption = sdes
; ... other endpoint settings
The media_encryption = sdes setting enables SRTP for encrypting the audio stream in addition to the SIP signaling. Other options include:
- no -- No media encryption
- sdes -- SDES key exchange for SRTP (most common)
- dtls -- DTLS-SRTP key exchange (more secure, but less widely supported)
SRTP for Media Encryption
TLS only encrypts SIP signaling (call setup). To encrypt the actual audio/media, enable SRTP. With PJSIP, set media_encryption on the endpoint as shown above.
For mandatory SRTP (reject unencrypted media):
[my-endpoint]
type = endpoint
media_encryption = sdes
media_encryption_optimistic = no
Setting media_encryption_optimistic = no means the call will fail if SRTP cannot be negotiated, rather than falling back to unencrypted RTP.
Legacy chan_sip Configuration
If you are still using the legacy chan_sip driver (not recommended for new deployments), configure TLS in sip.conf:
[general]
tlsenable = yes
tlsbindaddr = 0.0.0.0:5061
tlscertfile = /etc/asterisk/keys/asterisk.pem
tlsprivatekey = /etc/asterisk/keys/privkey.pem
tlscafile = /etc/asterisk/keys/ca.crt
tlscipher = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305
tlsclientmethod = tlsv1_2
Note: chan_sip is deprecated. New installations should use PJSIP.
Complete PJSIP Example
A minimal pjsip.conf with TLS and SRTP:
; TLS transport
[transport-tls]
type = transport
protocol = tls
bind = 0.0.0.0:5061
cert_file = /etc/asterisk/keys/asterisk.pem
priv_key_file = /etc/asterisk/keys/privkey.pem
ca_list_file = /etc/asterisk/keys/ca.crt
method = tlsv1_2
cipher = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305
verify_server = yes
verify_client = no
; SIP trunk with TLS and SRTP
[my-provider]
type = endpoint
transport = transport-tls
context = from-external
disallow = all
allow = ulaw
allow = alaw
media_encryption = sdes
media_encryption_optimistic = no
[my-provider]
type = aor
contact = sip:sip.provider.example.com:5061\;transport=tls
[my-provider]
type = identify
endpoint = my-provider
match = sip.provider.example.com
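As an added example (not Asterisk code or part of this guide's tooling), the following linter reads a pjsip.conf written the way the examples above are (';' comments, the '\;' escape in the contact line, one [my-provider] section per type) and flags the transport and endpoint settings this guide warns against: a method below tlsv1_2, no cipher list, verify_server off, and TLS signaling paired with cleartext or optimistic SRTP. The SAMPLE config inside it is constructed with deliberate weaknesses, and the WEAK_METHODS names are assumed from the values Asterisk accepts for the transport method option.

```python
# Added example (not Asterisk code): lint TLS transport and SRTP settings in a pjsip.conf.
# Handles ';' comments, the '\;' escape and repeated section/key names. SAMPLE is constructed.
import re
WEAK_METHODS = {"default", "unspecified", "sslv2", "sslv3", "sslv23", "tlsv1", "tlsv1_1"}
SAMPLE = """\
[transport-tls]
type = transport
protocol = tls
method = tlsv1  ; too old
[my-provider]
type = endpoint
transport = transport-tls
media_encryption = sdes
media_encryption_optimistic = yes
[my-provider]
type = aor
contact = sip:sip.provider.example.com:5061\\;transport=tls
"""
def parse_pjsip(text):
    """Return [(section, {key: [values]})], keeping duplicate sections and keys."""
    sections, current = [], None
    for raw in text.splitlines():
        # cut at the first unescaped ';', then turn '\;' into a literal ';'
        line = re.split(r"(?<!\\);", raw, maxsplit=1)[0].replace("\\;", ";").strip()
        if m := re.fullmatch(r"\[([^\]]+)\]", line):
            sections.append(current := (m.group(1), {}))
        elif current is not None and "=" in line:
            key, _, val = line.partition("=")
            current[1].setdefault(key.strip(), []).append(val.strip())
    return sections
def lint_tls(text):
    # Findings as strings; an empty list means the config follows the guide's settings.
    sections, findings, tls_transports = parse_pjsip(text), [], set()
    for name, kv in sections:
        if kv.get("type") == ["transport"] and kv.get("protocol") == ["tls"]:
            tls_transports.add(name)
            method = kv.get("method", ["default"])[0]
            if method in WEAK_METHODS:
                findings.append(f"{name}: method={method} is not pinned to TLS 1.2+")
            if "cipher" not in kv:
                findings.append(f"{name}: no cipher list, OpenSSL defaults apply")
            if kv.get("verify_server") != ["yes"]:
                findings.append(f"{name}: verify_server is not yes")
    for name, kv in sections:
        if kv.get("type") == ["endpoint"] and kv.get("transport", [""])[0] in tls_transports:
            if kv.get("media_encryption", ["no"])[0] == "no":
                findings.append(f"{name}: TLS signaling but media_encryption=no (RTP in clear)")
            elif kv.get("media_encryption_optimistic") == ["yes"]:
                findings.append(f"{name}: media_encryption_optimistic=yes allows fallback to RTP")
    return findings
```

Run lint_tls on your own pjsip.conf text; four findings come back for SAMPLE and none once method, cipher, verify_server and media_encryption_optimistic match the complete example above.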
Verification
Reload the PJSIP configuration and verify the TLS transport is active:
asterisk -rx "module reload res_pjsip.so"
asterisk -rx "pjsip show transports"
Verify TLS is working on the expected port:
openssl s_client -connect your-asterisk-server:5061
Check active channels for encryption:
asterisk -rx "pjsip show channels"