TLS support for Flowroute SIP Signaling

Posted on September 11, 2018 by Andrea Mocherman

TLS support for Flowroute SIP Signaling

Transport Layer Security (TLS) is used to encrypt the SIP signal. With Flowroute’s support of TLS, communications from your system(s) to our edge proxies can be encrypted. TLS is an evolution of an earlier protocol called Secure Socket Layer (SSL), which was developed a number of years ago and used to encrypt data that was sent between a Web browser and a web server. You knew that you were using SSL when the address line of your browser contained “https” and not “http.” 

At first, TLS and SSL weren’t all that different from one another, however, TLS has continued to evolve into a highly secure transport protocol for both web and real-time protocols such as SIP.

What are the Benefits of TLS?

There are three key benefits of configuring and using Flowroute’s TLS support for SIP.

1.Authentication: Certificates are used to exchange information that validates the two parties.

TLS authentication uses TLS certificates in X.509 format to tell the receiving party who the sending party is (in the Subject or Subject Alternate Name field), and includes the public key. The certificate must be issued and signed by a Certificate Authority (CA) that both parties trust, and therefore the information in the certificate can also be trusted. The certificates themselves are stored in a key store that the sender application can access.

2. Confidentiality: Encryption is used to keep the contents of the transmission private.

To ensure confidentiality, TLS uses a session key that is used by both parties to encrypt and decrypt messages and data. The session key is used for one session only, and then discarded, so it cannot be used in later sessions to “listen in”. For confidentiality, TLS uses symmetric encryption, which is faster than other encryption methods.

3. Integrity: Verifies that the data was not manipulated in transit.

To assure data integrity, TLS uses the HMAC algorithm, a keyed-hash message authentication code. The hashing algorithm in the agreed-upon cipher suite generates a checksum for the message contents and stores it in the message. If the checksum generated at the receiver’s end does not match that checksum in the message, the message has been manipulated during transit, most likely as the victim of a Man-in-the-middle attack.

Flowroute and TLS

It should be noted that TLS will allow for signaling encryption from your system to Flowroute, however, SIP signaling from Flowroute to the carrier and through the PSTN cannot be encrypted. Below you will find information about how to set up TLS for your inbound and outbound traffic.

Outbound traffic: If your PBX/switch is compliant with RFC 3263 you can benefit from our edge strategy by implementing DNS NAPTR/SRV. This will automatically provide load balancing with failover to our TLS enabled edge proxies.

Selection of the transport can vary between equipment, but they should support both “sips:” or “transport=tls;”

Inbound traffic: You can set TLS transport on your inbound routes with Flowroute’s edge strategy by using our API or through the Manage portal. In addition, you must provide a certificate signed by a trusted certificate authority to enable.

NOTE: To use TLS you must configure your Flowroute accounts on the new PoPs.

If you have questions about how to get TLS set up on your Flowroute account, please submit a ticket here or email