Last updated: 2026-02-13
FreeSWITCH TLS/SSL Configuration Guide
This guide provides recommended TLS/SSL settings for FreeSWITCH to encrypt SIP signaling traffic. Securing VoIP communications with TLS prevents eavesdropping on call setup and authentication credentials.
Prerequisites
- FreeSWITCH 1.10 or later
- OpenSSL 1.1.1 or later
- SSL certificates (server certificate, private key, and CA certificate)
Certificate Setup
FreeSWITCH uses PEM-formatted certificate files. Place your certificates in the FreeSWITCH configuration directory:
mkdir -p /etc/freeswitch/tls
chmod 750 /etc/freeswitch/tls
chown freeswitch:freeswitch /etc/freeswitch/tls
cp server.crt /etc/freeswitch/tls/server-cert.pem
cp server.key /etc/freeswitch/tls/server-key.pem
cp ca.crt /etc/freeswitch/tls/cafile.pem
chmod 640 /etc/freeswitch/tls/*.pem
chown freeswitch:freeswitch /etc/freeswitch/tls/*.pem
FreeSWITCH can also use a combined certificate file containing the certificate and private key:
cat /etc/freeswitch/tls/server-cert.pem /etc/freeswitch/tls/server-key.pem > /etc/freeswitch/tls/agent.pem
chmod 640 /etc/freeswitch/tls/agent.pem
chown freeswitch:freeswitch /etc/freeswitch/tls/agent.pem
SIP Profile TLS Configuration
Configure TLS in the SIP profile XML files. The internal and external profiles are typically located in sip_profiles/internal.xml and sip_profiles/external.xml.
Internal Profile (LAN Phones)
Edit sip_profiles/internal.xml:
<param name="tls" value="true"/>
<param name="tls-bind-params" value="transport=tls"/>
<param name="tls-sip-port" value="5061"/>
<param name="tls-cert-dir" value="/etc/freeswitch/tls"/>
<param name="tls-version" value="tlsv1.2"/>
<param name="tls-ciphers" value="ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305"/>
<param name="tls-verify-date" value="true"/>
<param name="tls-verify-policy" value="none"/>
<param name="tls-verify-depth" value="4"/>
External Profile (Trunks)
Edit sip_profiles/external.xml:
<param name="tls" value="true"/>
<param name="tls-bind-params" value="transport=tls"/>
<param name="tls-sip-port" value="5081"/>
<param name="tls-cert-dir" value="/etc/freeswitch/tls"/>
<param name="tls-version" value="tlsv1.2"/>
<param name="tls-ciphers" value="ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305"/>
<param name="tls-verify-date" value="true"/>
<param name="tls-verify-policy" value="subjects_all"/>
<param name="tls-verify-depth" value="4"/>
Configuration Explained
- tls-version = tlsv1.2 -- Sets the minimum TLS protocol version. With OpenSSL 1.1.1+, TLS 1.3 is also negotiated when available.
- tls-ciphers -- OpenSSL cipher string restricting to AEAD ciphers with forward secrecy.
- tls-cert-dir -- Directory containing the agent.pem (combined cert+key) and cafile.pem files. FreeSWITCH looks for these filenames by default.
- tls-verify-policy -- Controls certificate verification for TLS connections:
- none -- No certificate verification (suitable for phones on a LAN)
- subjects_all -- Verify the certificate subject matches (recommended for trunks)
- in -- Verify inbound connections
- out -- Verify outbound connections
- all -- Verify both inbound and outbound
Note: When using tls-cert-dir, FreeSWITCH expects agent.pem (cert+key) and cafile.pem (CA) in that directory. Alternatively, you can specify individual files with tls-cert-file, tls-key-file, and tls-ca-cert-file if your version supports it.
SRTP for Media Encryption
TLS only encrypts SIP signaling. To encrypt the audio/media stream, enable SRTP. Configure SRTP in vars.xml or per-profile:
Global SRTP Settings
In vars.xml:
<X-PRE-PROCESS cmd="set" data="rtp_secure_media=true"/>
<X-PRE-PROCESS cmd="set" data="rtp_secure_media_suites=AEAD_AES_256_GCM_8:AEAD_AES_128_GCM_8:AES_CM_256_HMAC_SHA1_80:AES_CM_128_HMAC_SHA1_80"/>
Per-Profile SRTP
In the SIP profile:
<param name="rtp-secure-media" value="true"/>
<param name="rtp-secure-media-suites" value="AEAD_AES_256_GCM_8:AEAD_AES_128_GCM_8:AES_CM_256_HMAC_SHA1_80:AES_CM_128_HMAC_SHA1_80"/>
Setting rtp_secure_media=true means FreeSWITCH requires SRTP. Calls that cannot negotiate SRTP will fail. Set to optional to allow fallback to unencrypted RTP.
Complete Configuration
sip_profiles/internal.xml (TLS excerpt)
<profile name="internal">
<settings>
<!-- SIP TLS -->
<param name="tls" value="true"/>
<param name="tls-bind-params" value="transport=tls"/>
<param name="tls-sip-port" value="5061"/>
<param name="tls-cert-dir" value="/etc/freeswitch/tls"/>
<param name="tls-version" value="tlsv1.2"/>
<param name="tls-ciphers" value="ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305"/>
<param name="tls-verify-date" value="true"/>
<param name="tls-verify-policy" value="none"/>
<param name="tls-verify-depth" value="4"/>
<!-- SRTP -->
<param name="rtp-secure-media" value="true"/>
<param name="rtp-secure-media-suites" value="AEAD_AES_256_GCM_8:AEAD_AES_128_GCM_8:AES_CM_256_HMAC_SHA1_80:AES_CM_128_HMAC_SHA1_80"/>
</settings>
</profile>
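The settings in Configuration Explained and the SRTP section can be checked mechanically. The following is an added example, not FreeSWITCH project code: it parses a sip_profiles XML excerpt with the Python standard library and reports every parameter that departs from this guide's recommendations; the two sample profiles are constructed for the demonstration.

```python
# Added example (not FreeSWITCH project code): audit a sip_profiles/*.xml file for the
# TLS/SRTP settings this guide recommends, using only the Python standard library.
import xml.etree.ElementTree as ET

# The cipher suites, SRTP suites and protocol versions from the guide's recommended settings.
OK_CIPHERS = {
    "ECDHE-ECDSA-AES128-GCM-SHA256", "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-ECDSA-AES256-GCM-SHA384", "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-ECDSA-CHACHA20-POLY1305", "ECDHE-RSA-CHACHA20-POLY1305"}
OK_SRTP = {"AEAD_AES_256_GCM_8", "AEAD_AES_128_GCM_8",
           "AES_CM_256_HMAC_SHA1_80", "AES_CM_128_HMAC_SHA1_80"}
OK_TLS_VERSIONS = {"tlsv1.2", "tlsv1.3"}

def audit_profile(xml_text, trunk=False):
    """Return findings (empty list = matches the guide). trunk=True enforces peer verification."""
    root = ET.fromstring(xml_text)
    params = {p.get("name"): (p.get("value") or "") for p in root.iter("param")}
    findings = []
    if params.get("tls", "false").lower() != "true":
        findings.append("tls: not enabled, SIP signaling stays cleartext")
    versions = {v.strip() for v in params.get("tls-version", "").split(",") if v.strip()}
    if not versions or versions - OK_TLS_VERSIONS:
        findings.append("tls-version: allows protocols older than TLS 1.2")
    ciphers = {c for c in params.get("tls-ciphers", "").split(":") if c}
    if not ciphers or ciphers - OK_CIPHERS:
        findings.append("tls-ciphers: includes suites without ECDHE and AEAD")
    if params.get("tls-verify-date", "true").lower() != "true":
        findings.append("tls-verify-date: expired certificates are accepted")
    if trunk and params.get("tls-verify-policy", "none") == "none":
        findings.append("tls-verify-policy: trunk peer certificates are not verified")
    if params.get("rtp-secure-media", "false").lower() != "true":
        findings.append("rtp-secure-media: SRTP not required, media may fall back to RTP")
    suites = {s for s in params.get("rtp-secure-media-suites", "").split(":") if s}
    if suites - OK_SRTP:
        findings.append("rtp-secure-media-suites: contains suites outside the recommended set")
    return findings

# Constructed sample profiles: one that follows the guide and one with common weak settings.
HARDENED = """<profile name="internal"><settings>
<param name="tls" value="true"/><param name="tls-version" value="tlsv1.2"/>
<param name="tls-ciphers" value="ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384"/>
<param name="tls-verify-date" value="true"/><param name="tls-verify-policy" value="none"/>
<param name="rtp-secure-media" value="true"/><param name="rtp-secure-media-suites" value="AEAD_AES_256_GCM_8"/>
</settings></profile>"""
WEAK_TRUNK = """<profile name="external"><settings>
<param name="tls" value="true"/><param name="tls-version" value="tlsv1,tlsv1.1,tlsv1.2"/>
<param name="tls-ciphers" value="ALL:!aNULL"/><param name="tls-verify-policy" value="none"/>
<param name="rtp-secure-media" value="optional"/></settings></profile>"""
```

Run it against a real profile with `audit_profile(open("sip_profiles/external.xml").read(), trunk=True)`; an empty list means every checked parameter matches the guide.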
Client Configuration
SIP Phones
Configure SIP phones and softphones to use TLS:
- Transport: TLS
- SIP Port: 5061
- Server: sips:freeswitch.example.com:5061
- CA Certificate: Import the CA certificate if using self-signed or private CA certificates
- SRTP: Enable SRTP/SDES in the phone's audio/codec settings
SIP Trunks
Configure outbound trunk gateways with TLS in the gateway XML:
<gateway name="my-trunk">
<param name="realm" value="sip.provider.example.com"/>
<param name="register-transport" value="tls"/>
<param name="contact-params" value="transport=tls"/>
</gateway>
Verification
Reload the SIP profiles and verify TLS is active:
fs_cli -x "sofia profile internal restart"
fs_cli -x "sofia status"
Verify the TLS listener (check the negotiated protocol, cipher and certificate chain in the output):
openssl s_client -connect freeswitch.example.com:5061
Check active registrations for TLS transport:
fs_cli -x "sofia status profile internal reg"
Check the FreeSWITCH logs for TLS information:
grep -i tls /var/log/freeswitch/freeswitch.log
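After the registration check above, the useful follow-up is a list of phones that are still registering without TLS. This is an added example, not FreeSWITCH project code: it reads the output of `sofia status profile internal reg` from a constructed sample; the "Key: value" block layout is an assumption, and the check itself relies only on the transport parameter of the Contact URI, which is standard SIP.

```python
# Added example (not FreeSWITCH project code): after enabling TLS, list registrations that
# still arrive over a cleartext transport, from the output of
#   fs_cli -x "sofia status profile internal reg"
# The "Key: value" block layout is an assumption; the check itself relies only on the
# transport parameter of the Contact URI, which is standard SIP.
import re

# Constructed sample output: one phone on TLS, one on UDP (no transport param), one on TCP.
SAMPLE_REG_OUTPUT = """\
Registrations:
=================
User:       1000@192.0.2.1
Contact:    "1000" <sip:1000@192.0.2.10:5061;transport=tls;fs_nat=yes>
Agent:      ExamplePhone/1.0
=================
User:       1001@192.0.2.1
Contact:    "1001" <sip:1001@192.0.2.11:5060>
Agent:      LegacyPhone/2.3
=================
User:       1002@192.0.2.1
Contact:    "1002" <sip:1002@192.0.2.12:5060;transport=tcp>
Agent:      LegacyPhone/2.3
"""

def parse_registrations(text):
    """Yield one dict per registration block (keys are the lowercased field names)."""
    for block in re.split(r"^=+\s*$", text, flags=re.M):
        fields = {}
        for line in block.splitlines():
            m = re.match(r"^([A-Za-z-]+):\s*(.*)$", line)
            if m:
                fields[m.group(1).lower()] = m.group(2).strip()
        if "contact" in fields:
            yield fields

def registration_transport(contact):
    """Transport from the Contact URI; SIP defaults to UDP when the parameter is absent."""
    m = re.search(r";transport=([A-Za-z]+)", contact)
    return m.group(1).lower() if m else "udp"

def find_cleartext_registrations(text):
    """Return (user, transport, agent) for every registration that is not on TLS."""
    found = []
    for reg in parse_registrations(text):
        transport = registration_transport(reg["contact"])
        if transport != "tls":
            found.append((reg.get("user", "?"), transport, reg.get("agent", "?")))
    return found
```

Pipe the live command into it with `find_cleartext_registrations(subprocess.check_output(["fs_cli", "-x", "sofia status profile internal reg"], text=True))` to get the list of endpoints still to migrate.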