Last updated: 2026-05-15

Kamailio TLS/SSL Configuration Guide

This guide provides recommended TLS/SSL settings for Kamailio SIP proxy to encrypt SIP signaling traffic. Securing SIP communications with TLS prevents eavesdropping on call setup, registration, and authentication credentials.

Prerequisites

  • Kamailio 5.6 or later
  • OpenSSL 1.1.1 or later
  • The tls module (included in standard Kamailio packages)
  • SSL certificates (server certificate, private key, and CA certificate)

RHEL/CentOS: Install the TLS module with dnf install kamailio-tls.

Debian/Ubuntu: Install the TLS module with apt install kamailio-tls-modules.

Certificate Setup

Kamailio uses PEM-formatted certificate files. Place your certificates in a dedicated directory:

mkdir -p /etc/kamailio/ssl
chmod 750 /etc/kamailio/ssl
chown kamailio:kamailio /etc/kamailio/ssl

cp server.crt /etc/kamailio/ssl/server-cert.pem
cp server.key /etc/kamailio/ssl/server-key.pem
cp ca.crt /etc/kamailio/ssl/ca.pem

chmod 640 /etc/kamailio/ssl/*.pem
chown kamailio:kamailio /etc/kamailio/ssl/*.pem

Loading the TLS Module

Add the TLS module and its parameters to your kamailio.cfg:

#!define WITH_TLS

loadmodule "tls.so"

# Path to the TLS-specific configuration file
modparam("tls", "config", "/etc/kamailio/tls.cfg")

# Timeout for inactive TLS connections (seconds); the module parameter is connection_timeout
modparam("tls", "connection_timeout", 60)

# Enable TLS logging for debugging (set to 0 in production)
modparam("tls", "tls_log", 3)

# Disable older protocols globally
modparam("tls", "tls_disable_tlsv1", 1)
modparam("tls", "tls_disable_tlsv1_1", 1)

TLS Configuration -- tls.cfg

The tls.cfg file defines TLS profiles for server and client connections. Each profile can specify its own certificates, protocols, and cipher suites.

Default Server Profile

The default server profile applies to incoming TLS connections that don't match a specific domain profile:

[server:default]
method = TLSv1.2+
certificate = /etc/kamailio/ssl/server-cert.pem
private_key = /etc/kamailio/ssl/server-key.pem
ca_list = /etc/kamailio/ssl/ca.pem
cipher_list = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305
ciphersuites = TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256
require_certificate = no
verify_certificate = no
verify_depth = 4

Default Client Profile

The default client profile applies to outgoing TLS connections:

[client:default]
method = TLSv1.2+
ca_list = /etc/kamailio/ssl/ca.pem
cipher_list = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305
ciphersuites = TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256
verify_certificate = yes
verify_depth = 4
require_certificate = yes

Per-Domain Profiles

You can define TLS profiles for specific domains. This is useful when different SIP peers require different certificates or trust settings:

[server:sip.example.com]
method = TLSv1.2+
certificate = /etc/kamailio/ssl/example-cert.pem
private_key = /etc/kamailio/ssl/example-key.pem
ca_list = /etc/kamailio/ssl/ca.pem
cipher_list = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305
ciphersuites = TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256
require_certificate = yes
verify_certificate = yes
verify_depth = 4

[client:sip.provider.example.com]
method = TLSv1.2+
certificate = /etc/kamailio/ssl/server-cert.pem
private_key = /etc/kamailio/ssl/server-key.pem
ca_list = /etc/kamailio/ssl/ca.pem
cipher_list = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305
ciphersuites = TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256
verify_certificate = yes
verify_depth = 4

Configuration Explained

  • method = TLSv1.2+ -- Sets the minimum TLS protocol version to 1.2, allowing both TLS 1.2 and TLS 1.3.
  • cipher_list -- OpenSSL cipher string for TLS 1.2. Restricts to AEAD ciphers with forward secrecy.
  • ciphersuites -- OpenSSL ciphersuites string for TLS 1.3. Separate from cipher_list.
  • require_certificate -- Set to yes to require the remote side to present a certificate (mutual TLS).
  • verify_certificate -- Set to yes to verify the remote certificate against the CA list.
  • verify_depth -- Maximum certificate chain verification depth.

See RFC 8446 §4.3.2 for the TLS Certificate Request specification, and Wikipedia: Mutual authentication for a general overview.
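As an added check (example code, not part of Kamailio or this guide), the script below parses a tls.cfg and flags any profile that falls below the baseline just described: a method other than TLSv1.2+/TLSv1.3+, a TLS 1.2 suite that is not ECDHE and AEAD, an unexpected TLS 1.3 suite, or a client profile that does not verify the peer certificate. The weak second profile in its sample input is constructed for the demo.

```python
# Added example (not Kamailio's or this guide's code): audit a tls.cfg against the baseline above.
import re

ALLOWED_METHODS = {"TLSv1.2+", "TLSv1.3+", "TLSv1.2", "TLSv1.3"}
ALLOWED_TLS13 = {"TLS_AES_256_GCM_SHA384", "TLS_CHACHA20_POLY1305_SHA256", "TLS_AES_128_GCM_SHA256"}

def parse_tls_cfg(text):  # -> {"server:default": {key: value}, ...}; '#' starts a comment
    profiles, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        header = re.fullmatch(r"\[(server|client):([^\]]+)\]", line)
        if header:
            current = f"{header.group(1)}:{header.group(2).strip()}"
            profiles[current] = {}
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            profiles[current][key.strip()] = value.strip()
    return profiles

def audit_profile(name, cfg):
    """Return finding strings for one profile; an empty list means it passes."""
    findings = []
    method = cfg.get("method", "")
    if method not in ALLOWED_METHODS:
        findings.append(f"{name}: method '{method or '<unset>'}' allows pre-1.2 protocols")
    # Allowlist, not denylist: a TLS 1.2 suite must be ECDHE (forward secrecy) and AEAD.
    for suite in filter(None, cfg.get("cipher_list", "").split(":")):
        if not (suite.startswith("ECDHE-") and ("-GCM-" in suite or "CHACHA20" in suite)):
            findings.append(f"{name}: '{suite}' is not an ECDHE AEAD suite")
    for suite in filter(None, cfg.get("ciphersuites", "").split(":")):
        if suite not in ALLOWED_TLS13:
            findings.append(f"{name}: unexpected TLS 1.3 suite '{suite}'")
    # Outgoing connections must authenticate the peer, or a trunk can be impersonated.
    if name.startswith("client:") and cfg.get("verify_certificate", "no").lower() != "yes":
        findings.append(f"{name}: verify_certificate is not 'yes'")
    return findings

def audit_tls_cfg(text):
    return [f for name, cfg in parse_tls_cfg(text).items() for f in audit_profile(name, cfg)]

SAMPLE_CFG = """\
# constructed sample: the guide's client profile plus a deliberately weak server profile
[client:default]
method = TLSv1.2+
cipher_list = ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-CHACHA20-POLY1305
verify_certificate = yes
[server:legacy.example.com]  # weak profile
method = SSLv23
cipher_list = ECDHE-RSA-AES128-GCM-SHA256:DES-CBC3-SHA:AES128-SHA
"""
```

Run audit_tls_cfg() over the real /etc/kamailio/tls.cfg to get the findings; the sample yields three, all for the weak profile.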

SIP Listener Configuration

Configure Kamailio to listen for SIP over TLS on port 5061. Add the listener to kamailio.cfg:

listen = tls:0.0.0.0:5061

To listen on both UDP/TCP and TLS simultaneously:

listen = udp:0.0.0.0:5060
listen = tcp:0.0.0.0:5060
listen = tls:0.0.0.0:5061

To force TLS for all SIP traffic, remove the UDP and TCP listeners and only listen on TLS. You can also enforce TLS in routing logic:

# In the request_route block, reject non-TLS traffic
if (!($pr == "tls" || $pr == "wss")) {
    sl_send_reply("403", "TLS Required");
    exit;
}

Complete Configuration

#!define WITH_TLS

# Load TLS module
loadmodule "tls.so"

# TLS module parameters
modparam("tls", "config", "/etc/kamailio/tls.cfg")
modparam("tls", "connection_timeout", 60)
modparam("tls", "tls_log", 3)
modparam("tls", "tls_disable_tlsv1", 1)
modparam("tls", "tls_disable_tlsv1_1", 1)

# SIP listeners
listen = udp:0.0.0.0:5060
listen = tcp:0.0.0.0:5060
listen = tls:0.0.0.0:5061

tls.cfg

# Default server profile
[server:default]
method = TLSv1.2+
certificate = /etc/kamailio/ssl/server-cert.pem
private_key = /etc/kamailio/ssl/server-key.pem
ca_list = /etc/kamailio/ssl/ca.pem
cipher_list = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305
ciphersuites = TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256
require_certificate = no
verify_certificate = no
verify_depth = 4

# Default client profile
[client:default]
method = TLSv1.2+
ca_list = /etc/kamailio/ssl/ca.pem
cipher_list = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305
ciphersuites = TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256
verify_certificate = yes
verify_depth = 4
require_certificate = yes

Client Configuration

SIP Phones

Configure SIP phones and softphones to use TLS:

  • Transport: TLS
  • SIP Port: 5061
  • Server: sips:kamailio.example.com:5061
  • CA Certificate: Import the CA certificate if using self-signed or private CA certificates

Most modern SIP phones (Polycom, Yealink, Cisco) support TLS transport configuration in their web interface under SIP account settings.

SIP Trunks

For outbound SIP trunk connections over TLS, configure the trunk peer in your routing logic to use TLS and the appropriate client profile:

# Route to TLS trunk
$du = "sip:sip.provider.example.com:5061;transport=tls";
t_relay();

The client TLS profile matching sip.provider.example.com in tls.cfg will be used automatically.

Security Notes

The cipher suite and protocol configuration in this guide addresses the following known TLS vulnerabilities:

  • POODLE (CVE-2014-3566, 2014): SSL 3.0 is disabled. TLS_FALLBACK_SCSV was added in OpenSSL 1.0.1j / 1.0.2 (October 2014); SSL 3.0 has been disabled by default since OpenSSL 1.1.0 (August 2016).
  • BEAST (CVE-2011-3389, 2011): Mitigated by recommending TLS 1.2 as the minimum; AEAD-only ciphers eliminate the CBC padding oracle.
  • CRIME (CVE-2012-4929, 2012): TLS compression is off by default in OpenSSL 1.1.0+; do not enable it.
  • Lucky13 (2013): AEAD-only cipher list eliminates CBC padding timing side-channels entirely.
  • FREAK (CVE-2015-0204, 2015): EXPORT-grade ciphers are excluded. Removed from OpenSSL 1.1.0 (August 2016).
  • LOGJAM (CVE-2015-4000, 2015): Short-key DHE is excluded; only ECDHE key exchange is recommended.
  • Sweet32 (CVE-2016-2183, 2016): 3DES is excluded from the cipher string. Disabled by default in OpenSSL 3.0 (September 2021).
  • ROBOT (CVE-2017-13099, 2017): Static RSA key exchange is excluded; only ECDHE is recommended. Fixed in OpenSSL 1.0.2m / 1.0.1v (November 2017).
  • Downgrade attacks: TLS_FALLBACK_SCSV prevents protocol version rollback.

The following are not addressable through TLS configuration alone:

  • Heartbleed (CVE-2014-0160, 2014): A memory disclosure bug in OpenSSL 1.0.1 through 1.0.1f. Fixed in OpenSSL 1.0.1g (April 7, 2014). Addressed by patching OpenSSL, not by TLS configuration.
  • BREACH (CVE-2013-3587, 2013): Not applicable. BREACH targets HTTP-level response compression; SIP/TLS signaling does not involve HTTP response compression.
  • DROWN (CVE-2016-0800, 2016): Requires SSLv2 to be enabled on any server sharing the same private key. Ensure SSLv2 is disabled on all services that use the same certificate and key pair.

Verification

Check that the TLS listener is active using kamcmd:

kamcmd tls.info
kamcmd core.sockets_list

Test the TLS connection with openssl:

openssl s_client -connect kamailio.example.com:5061

Test with sipsak over TLS:

sipsak -s sip:test@kamailio.example.com:5061 --tls

Check the Kamailio logs for TLS handshake information:

grep -i tls /var/log/kamailio/kamailio.log
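Note that openssl s_client prints a verification error but still completes the handshake, so a successful connection on its own does not prove that the listener's chain validates against ca.pem. The probe below is an added example (not Kamailio's or this guide's code): it connects with verification and a TLS 1.2 minimum enforced, then sends a SIP OPTIONS request and returns the negotiated version, cipher and the SIP status line. The hostname and CA path are placeholders to adjust.

```python
# Added example (not Kamailio's or this guide's code): probe the TLS listener with
# verification enforced, then send a SIP OPTIONS ping over the verified connection.
import re
import socket
import ssl
import uuid

def make_context(ca_file):
    """Verifying client context: rejects anything below TLS 1.2 and untrusted issuers."""
    ctx = ssl.create_default_context(cafile=ca_file)  # cafile=None -> system trust store
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    return ctx

def build_options(host, port, local_ip, local_port):
    """Minimal SIP OPTIONS request (RFC 3261 mandatory headers) as bytes."""
    branch = "z9hG4bK" + uuid.uuid4().hex[:16]  # RFC 3261 magic-cookie branch prefix
    return (
        f"OPTIONS sip:{host}:{port};transport=tls SIP/2.0\r\n"
        f"Via: SIP/2.0/TLS {local_ip}:{local_port};branch={branch}\r\n"
        f"From: <sip:probe@{local_ip}>;tag={uuid.uuid4().hex[:8]}\r\n"
        f"To: <sip:{host}>\r\n"
        f"Call-ID: {uuid.uuid4().hex}@{local_ip}\r\n"
        "CSeq: 1 OPTIONS\r\nMax-Forwards: 70\r\nContent-Length: 0\r\n\r\n"
    ).encode()

def parse_status(data):
    """Return (code, reason) from a SIP response's status line, or None if malformed."""
    m = re.match(rb"SIP/2\.0 (\d{3}) ([^\r\n]*)", data)
    return (int(m.group(1)), m.group(2).decode(errors="replace")) if m else None

def probe(host, port=5061, ca_file="/etc/kamailio/ssl/ca.pem", timeout=5.0):
    """Connect, verify the chain, send OPTIONS; return (tls_version, cipher, (code, reason)).
    Raises ssl.SSLCertVerificationError when the listener's chain does not validate."""
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with make_context(ca_file).wrap_socket(raw, server_hostname=host) as tls:
            local_ip, local_port = tls.getsockname()[:2]
            tls.sendall(build_options(host, port, local_ip, local_port))
            return tls.version(), tls.cipher()[0], parse_status(tls.recv(4096))

if __name__ == "__main__":
    print(probe("kamailio.example.com"))  # placeholder hostname; CA path is the guide's default
```

A result such as ('TLSv1.3', 'TLS_AES_256_GCM_SHA384', (200, 'OK')) confirms both the verified handshake and that Kamailio answers SIP on the TLS listener; a verification exception means the served chain does not match ca.pem.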
