Last updated: 2026-02-13
Kamailio TLS/SSL Configuration Guide
This guide provides recommended TLS/SSL settings for Kamailio SIP proxy to encrypt SIP signaling traffic. Securing SIP communications with TLS prevents eavesdropping on call setup, registration, and authentication credentials.
Prerequisites
- Kamailio 5.6 or later
- OpenSSL 1.1.1 or later
- The tls module (included in standard Kamailio packages)
- SSL certificates (server certificate, private key, and CA certificate)
RHEL/CentOS: Install the TLS module with dnf install kamailio-tls.
Debian/Ubuntu: Install the TLS module with apt install kamailio-tls-modules.
Certificate Setup
Kamailio uses PEM-formatted certificate files. Place your certificates in a dedicated directory:
mkdir -p /etc/kamailio/ssl
chmod 750 /etc/kamailio/ssl
chown kamailio:kamailio /etc/kamailio/ssl
cp server.crt /etc/kamailio/ssl/server-cert.pem
cp server.key /etc/kamailio/ssl/server-key.pem
cp ca.crt /etc/kamailio/ssl/ca.pem
chmod 640 /etc/kamailio/ssl/*.pem
chown kamailio:kamailio /etc/kamailio/ssl/*.pem
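The commands above fix the layout and permissions by hand; the following script is an added example (not part of this guide or of Kamailio) that audits a certificate directory against that layout: the directory must not be accessible to "other", every .pem file must not be readable by "other" or writable by group, optionally everything must belong to the expected owner, and each file must actually be PEM-encoded. The sample directory it builds is constructed here for demonstration and contains two deliberate mistakes.

```python
"""Audit a Kamailio certificate directory against the layout in the guide.

Added example, not part of the guide or of Kamailio. Checks the permissions
the guide sets (0750 on the directory, 0640 on the PEM files), optional file
ownership, and that every .pem file really is PEM-encoded.
"""
import os
import pwd
import stat
import tempfile


def audit_ssl_dir(path, owner=None):
    """Return a list of findings; an empty list means the directory matches the guide."""
    findings = []
    dir_stat = os.stat(path)
    if stat.S_IMODE(dir_stat.st_mode) & 0o007:
        findings.append(f"{path}: directory is accessible to 'other'")
    if owner is not None and pwd.getpwuid(dir_stat.st_uid).pw_name != owner:
        findings.append(f"{path}: directory is not owned by {owner}")

    for name in sorted(os.listdir(path)):
        if not name.endswith(".pem"):
            continue
        full = os.path.join(path, name)
        file_stat = os.stat(full)
        mode = stat.S_IMODE(file_stat.st_mode)
        if mode & 0o007:
            findings.append(f"{full}: mode {mode:04o} is readable by 'other'")
        if mode & 0o020:
            findings.append(f"{full}: mode {mode:04o} is group-writable")
        if owner is not None and pwd.getpwuid(file_stat.st_uid).pw_name != owner:
            findings.append(f"{full}: not owned by {owner}")
        # Kamailio expects PEM; a DER or PKCS#12 blob copied in under a .pem
        # name fails at startup, so catch it here.
        with open(full, "rb") as fh:
            head = fh.read(64)
        if not head.startswith(b"-----BEGIN "):
            findings.append(f"{full}: not PEM-encoded (no -----BEGIN header)")
    return findings


def make_sample_dir():
    """Constructed sample: the guide's layout with two deliberate mistakes."""
    root = tempfile.mkdtemp(prefix="kamailio-ssl-")
    os.chmod(root, 0o750)
    pem_cert = b"-----BEGIN CERTIFICATE-----\nMIIB...constructed...\n-----END CERTIFICATE-----\n"
    pem_key = b"-----BEGIN PRIVATE KEY-----\nMIIE...constructed...\n-----END PRIVATE KEY-----\n"
    files = {
        "server-cert.pem": (pem_cert, 0o640),
        "ca.pem": (pem_cert, 0o640),
        # mistake 1: private key left world-readable
        "server-key.pem": (pem_key, 0o644),
        # mistake 2: a DER blob copied in under a .pem name
        "broken.pem": (b"\x30\x82\x01\x0a...constructed...", 0o640),
    }
    for name, (content, mode) in files.items():
        full = os.path.join(root, name)
        with open(full, "wb") as fh:
            fh.write(content)
        os.chmod(full, mode)
    return root


if __name__ == "__main__":
    # Real use: audit_ssl_dir("/etc/kamailio/ssl", owner="kamailio")
    for finding in audit_ssl_dir(make_sample_dir()):
        print(finding)
```

Run it against /etc/kamailio/ssl with owner="kamailio" after the copy step; it should print nothing. The sample directory reports the world-readable key and the non-PEM file.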
Loading the TLS Module
Add the TLS module and its parameters to your kamailio.cfg:
#!define WITH_TLS
loadmodule "tls.so"
# Path to the TLS-specific configuration file
modparam("tls", "config", "/etc/kamailio/tls.cfg")
# TLS connection timeout (seconds)
modparam("tls", "tls_connection_timeout", 60)
# Enable TLS logging for debugging (set to 0 in production)
modparam("tls", "tls_log", 3)
# Disable older protocols globally
modparam("tls", "tls_disable_tlsv1", 1)
modparam("tls", "tls_disable_tlsv1_1", 1)
TLS Configuration -- tls.cfg
The tls.cfg file defines TLS profiles for server and client connections. Each profile can specify its own certificates, protocols, and cipher suites.
Default Server Profile
The default server profile applies to incoming TLS connections that don't match a specific domain profile:
[server:default]
method = TLSv1.2+
certificate = /etc/kamailio/ssl/server-cert.pem
private_key = /etc/kamailio/ssl/server-key.pem
ca_list = /etc/kamailio/ssl/ca.pem
cipher_list = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305
ciphersuites = TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256
require_certificate = no
verify_certificate = no
verify_depth = 4
Default Client Profile
The default client profile applies to outgoing TLS connections:
[client:default]
method = TLSv1.2+
ca_list = /etc/kamailio/ssl/ca.pem
cipher_list = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305
ciphersuites = TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256
verify_certificate = yes
verify_depth = 4
require_certificate = yes
Per-Domain Profiles
You can define TLS profiles for specific domains. This is useful when different SIP peers require different certificates or trust settings:
[server:sip.example.com]
method = TLSv1.2+
certificate = /etc/kamailio/ssl/example-cert.pem
private_key = /etc/kamailio/ssl/example-key.pem
ca_list = /etc/kamailio/ssl/ca.pem
cipher_list = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305
ciphersuites = TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256
require_certificate = yes
verify_certificate = yes
verify_depth = 4
[client:sip.provider.example.com]
method = TLSv1.2+
certificate = /etc/kamailio/ssl/server-cert.pem
private_key = /etc/kamailio/ssl/server-key.pem
ca_list = /etc/kamailio/ssl/ca.pem
cipher_list = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305
ciphersuites = TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256
verify_certificate = yes
verify_depth = 4
Configuration Explained
- method = TLSv1.2+ -- Sets the minimum TLS protocol version to 1.2, allowing both TLS 1.2 and TLS 1.3.
- cipher_list -- OpenSSL cipher string for TLS 1.2. Restricts to AEAD ciphers with forward secrecy.
- ciphersuites -- OpenSSL ciphersuites string for TLS 1.3. Separate from cipher_list.
- require_certificate -- Set to yes to require the remote side to present a certificate (mutual TLS).
- verify_certificate -- Set to yes to verify the remote certificate against the CA list.
- verify_depth -- Maximum certificate chain verification depth.
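The settings explained above are easy to get subtly wrong in a tls.cfg with many profiles (a client profile that never verifies the peer, a method that still admits TLS 1.0, a cipher_list entry without forward secrecy). The script below is an added example, not part of this guide or of Kamailio: it parses the [server:NAME] / [client:NAME] sections in the format shown above and reports such findings. The accepted method values and the tokens treated as weak are this script's own choices, and the sample tls.cfg it lints is constructed, with one profile deliberately weakened.

```python
"""Lint a Kamailio tls.cfg for weak or inconsistent profile settings.

Added example, not part of the guide or of Kamailio. Parses the
[server:NAME] / [client:NAME] profile sections and flags settings a
reviewer would question. Thresholds are this script's own choices.
"""
import re

# Constructed sample: the guide's default server profile, plus a client
# profile weakened on purpose (old method, no verification, CBC cipher).
SAMPLE_TLS_CFG = """\
[server:default]
method = TLSv1.2+
certificate = /etc/kamailio/ssl/server-cert.pem
private_key = /etc/kamailio/ssl/server-key.pem
ca_list = /etc/kamailio/ssl/ca.pem
cipher_list = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384
ciphersuites = TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
require_certificate = no
verify_certificate = no
verify_depth = 4

# weakened for illustration
[client:sip.provider.example.com]
method = TLSv1+
ca_list = /etc/kamailio/ssl/ca.pem
cipher_list = AES128-SHA:ECDHE-RSA-AES128-GCM-SHA256
verify_certificate = no
verify_depth = 4
"""

SECTION_RE = re.compile(r"^\[(server|client):([^\]]+)\]$")
# method values that never negotiate below TLS 1.2 (this script's own list)
STRONG_METHODS = {"TLSv1.2+", "TLSv1.2", "TLSv1.3", "TLSv1.3+"}
WEAK_CIPHER_TOKENS = ("NULL", "RC4", "DES", "MD5", "EXPORT")
AEAD_TOKENS = ("GCM", "POLY1305", "CCM")


def parse_tls_cfg(text):
    """Return {(kind, name): {key: value}} for every profile section."""
    profiles = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        match = SECTION_RE.match(line)
        if match:
            current = (match.group(1), match.group(2))
            profiles[current] = {}
            continue
        if current is None or "=" not in line:
            raise ValueError(f"unexpected line outside a profile: {raw!r}")
        key, value = (part.strip() for part in line.split("=", 1))
        profiles[current][key] = value
    return profiles


def lint_profile(kind, name, settings):
    """Return findings for one profile as human-readable strings."""
    label = f"[{kind}:{name}]"
    findings = []
    method = settings.get("method", "")
    if method not in STRONG_METHODS:
        findings.append(f"{label} method={method or '<unset>'} allows TLS below 1.2")
    if kind == "client" and settings.get("verify_certificate") != "yes":
        findings.append(f"{label} client profile does not verify the peer certificate")
    if kind == "server" and "certificate" not in settings:
        findings.append(f"{label} server profile has no certificate")
    for suite in filter(None, settings.get("cipher_list", "").split(":")):
        if not suite.startswith(("ECDHE-", "DHE-")):
            findings.append(f"{label} cipher {suite} lacks forward secrecy")
        if not any(tok in suite for tok in AEAD_TOKENS):
            findings.append(f"{label} cipher {suite} is not an AEAD suite")
        if any(tok in suite for tok in WEAK_CIPHER_TOKENS):
            findings.append(f"{label} cipher {suite} is weak")
    return findings


def lint_tls_cfg(text):
    """Lint every profile in a tls.cfg and return all findings."""
    findings = []
    for (kind, name), settings in parse_tls_cfg(text).items():
        findings.extend(lint_profile(kind, name, settings))
    return findings


if __name__ == "__main__":
    # Real use: lint_tls_cfg(open("/etc/kamailio/tls.cfg").read())
    for finding in lint_tls_cfg(SAMPLE_TLS_CFG):
        print(finding)
```

On the constructed sample the server profile passes and the weakened client profile yields four findings: the old method, the missing verification, and two findings for AES128-SHA (no forward secrecy, not AEAD). A server profile with verify_certificate = no is not flagged, since the guide's default server profile deliberately accepts phones that present no certificate.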
SIP Listener Configuration
Configure Kamailio to listen for SIP over TLS on port 5061. Add the listener to kamailio.cfg:
listen = tls:0.0.0.0:5061
To listen on both UDP/TCP and TLS simultaneously:
listen = udp:0.0.0.0:5060
listen = tcp:0.0.0.0:5060
listen = tls:0.0.0.0:5061
To force TLS for all SIP traffic, remove the UDP and TCP listeners and only listen on TLS. You can also enforce TLS in routing logic:
# In the request_route block, reject non-TLS traffic
if (!($pr == "tls" || $pr == "wss")) {
    sl_send_reply("403", "TLS Required");
    exit;
}
Complete Configuration
kamailio.cfg (TLS-related excerpt)
#!define WITH_TLS
# Load TLS module
loadmodule "tls.so"
# TLS module parameters
modparam("tls", "config", "/etc/kamailio/tls.cfg")
modparam("tls", "tls_connection_timeout", 60)
modparam("tls", "tls_log", 3)
modparam("tls", "tls_disable_tlsv1", 1)
modparam("tls", "tls_disable_tlsv1_1", 1)
# SIP listeners
listen = udp:0.0.0.0:5060
listen = tcp:0.0.0.0:5060
listen = tls:0.0.0.0:5061
tls.cfg
# Default server profile
[server:default]
method = TLSv1.2+
certificate = /etc/kamailio/ssl/server-cert.pem
private_key = /etc/kamailio/ssl/server-key.pem
ca_list = /etc/kamailio/ssl/ca.pem
cipher_list = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305
ciphersuites = TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256
require_certificate = no
verify_certificate = no
verify_depth = 4
# Default client profile
[client:default]
method = TLSv1.2+
ca_list = /etc/kamailio/ssl/ca.pem
cipher_list = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305
ciphersuites = TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256
verify_certificate = yes
verify_depth = 4
require_certificate = yes
Client Configuration
SIP Phones
Configure SIP phones and softphones to use TLS:
- Transport: TLS
- SIP Port: 5061
- Server: sips:kamailio.example.com:5061
- CA Certificate: Import the CA certificate if using self-signed or private CA certificates
Most modern SIP phones (Polycom, Yealink, Cisco) support TLS transport configuration in their web interface under SIP account settings.
SIP Trunks
For outbound SIP trunk connections over TLS, configure the trunk peer in your routing logic to use TLS and the appropriate client profile:
# Route to TLS trunk
$du = "sip:sip.provider.example.com:5061;transport=tls";
t_relay();
The client TLS profile matching sip.provider.example.com in tls.cfg will be used automatically.
Verification
Check that the TLS listener is active using kamcmd:
kamcmd tls.info
kamcmd core.sockets_list
Test the TLS connection with openssl:
openssl s_client -connect kamailio.example.com:5061
Test with sipsak over TLS:
sipsak -s sip:test@kamailio.example.com:5061 --tls
Check the Kamailio logs for TLS handshake information:
grep -i tls /var/log/kamailio/kamailio.log
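The openssl and sipsak checks above each show one half of the picture (the TLS handshake, or a SIP reply). The script below is an added example, not part of this guide or of Kamailio, that does both in one pass: it completes a TLS handshake against the listener with certificate verification against the CA file from this guide, refuses anything below TLS 1.2 to match method = TLSv1.2+, sends a SIP OPTIONS request, and reports the negotiated protocol, cipher, peer certificate subject and SIP status. The host, port and CA path are assumptions taken from the guide's examples; the OPTIONS message format follows RFC 3261.

```python
"""Probe a Kamailio TLS listener: verified TLS handshake plus SIP OPTIONS.

Added example, not part of the guide or of Kamailio. Host, port and CA
file are assumptions from the guide; the OPTIONS request is built here.
"""
import socket
import ssl
import uuid


def build_options(host, port, local_host="127.0.0.1", local_port=5061):
    """Build a minimal SIP OPTIONS request as sent over a TLS transport."""
    branch = "z9hG4bK" + uuid.uuid4().hex[:16]  # RFC 3261 magic cookie prefix
    call_id = uuid.uuid4().hex + "@" + local_host
    tag = uuid.uuid4().hex[:8]
    lines = [
        f"OPTIONS sip:{host}:{port} SIP/2.0",
        f"Via: SIP/2.0/TLS {local_host}:{local_port};branch={branch};rport",
        "Max-Forwards: 70",
        f"From: <sip:probe@{local_host}>;tag={tag}",
        f"To: <sip:{host}:{port}>",
        f"Call-ID: {call_id}",
        "CSeq: 1 OPTIONS",
        f"Contact: <sip:probe@{local_host}:{local_port};transport=tls>",
        "Accept: application/sdp",
        "Content-Length: 0",
    ]
    return "\r\n".join(lines) + "\r\n\r\n"


def parse_status(response):
    """Return (status_code, reason) from the first line of a SIP response."""
    status_line = response.split("\r\n", 1)[0]
    parts = status_line.split(" ", 2)
    if len(parts) < 3 or parts[0] != "SIP/2.0" or not parts[1].isdigit():
        raise ValueError(f"not a SIP status line: {status_line!r}")
    return int(parts[1]), parts[2]


def probe(host, port=5061, cafile="/etc/kamailio/ssl/ca.pem", timeout=5.0):
    """Handshake with verification, send OPTIONS, and summarise the result."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # mirror method = TLSv1.2+
    with socket.create_connection((host, port), timeout=timeout) as raw:
        # server_hostname enables SNI and hostname checking of the certificate
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            local_host, local_port = tls.getsockname()[:2]
            tls.sendall(build_options(host, port, local_host, local_port).encode("ascii"))
            data = b""
            while b"\r\n\r\n" not in data:  # read up to the end of the headers
                chunk = tls.recv(4096)
                if not chunk:
                    break
                data += chunk
            return {
                "protocol": tls.version(),
                "cipher": tls.cipher()[0],
                "peer_subject": tls.getpeercert().get("subject"),
                "status": parse_status(data.decode("ascii", "replace")),
            }


if __name__ == "__main__":
    print(probe("kamailio.example.com"))
```

A healthy listener configured as in this guide reports protocol TLSv1.3 or TLSv1.2, one of the configured AEAD ciphers, and a 200 status for OPTIONS; a handshake failure (untrusted certificate, hostname mismatch, or a server limited to TLS 1.0/1.1) raises ssl.SSLError before any SIP is sent.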