SSL/TLS Security

Estimated reading time: 4 minutes

The IPCortex PBX and Hosted platforms incorporate a number of features to allow for secure communication. We utilise TLS (previously known as SSL) to provide both connection authenticity and privacy.

HTTPS

HTTPS is an industry standard protocol for providing secure web access. It provides the cleartext HTTP protocol over a secure TLS connection between the platform and clients.

By default both unencrypted HTTP and encrypted HTTPS are available. It is possible to enforce usage of HTTPS connections to the PBX web interface, using the Force HTTPS web access global setting. In addition, we support HTTPS Strict Transport Security (HSTS) where browser-enforced HTTPS usage is required; it is configurable as a separate global setting.

TLSv1.0, TLSv1.1, and TLSv1.2 are supported by default. It is possible to disable TLSv1.0 and TLSv1.1 through the use of the intermediate cipher suite level. SSLv3 and earlier are not supported.

Cipher suite levels

Cipher suites form a critical part of the TLS (and by extension HTTPS) protocol by specifying what algorithms are supported for key exchange, bulk encryption, and message authentication code. For HTTPS we have two cipher suite levels - intermediate and old (the default). Intermediate disables many older cipher suites, which while providing better security is incompatible with some older browsers and handsets. We recommend enabling intermediate where possible.

This setting affects all browsers accessing the web interface as well as all phones using secure provisioning.

The cipher suite levels are based on the industry-recognised Mozilla Server Side TLS version 5.0 recommendations.

Provisioning

Phone/handset provisioning occurs over HTTP by default, and this can be changed to HTTPS instead. (Also known as “secure provisioning”.) Doing this allows phone provisioning to benefit from the same HTTPS features previously mentioned, with the addition of mutual TLS certificate authentication. The phone, on contacting the platform, will be request to provide a manufacturer provided client certificate. We use this to verify we are talking to a real handset - and only that particular handset. This makes it suitable for remote provisioning of phone from untrusted locations.

TLS-SIP/SRTP

IPCortex systems have the ability encrypt voice traffic. Except for Hosted platforms (where it is always enabled) additional steps are required to enable this.

SIP traffic is unencrypted by default, and can be switched to TLS-SIP (also known as SIP-over-TLS or SSIP) in a similar fashion to HTTPS. This can be enabled using the TLS/SRTP encryption on… settings for each supported handset manufacturer. When enabled this protects the call signalling traffic from interception or modification.

As the name implies, when enabling the TLS/SRTP encryption on… settings SRTP is also enabled. This protects the actual voice traffic from being intercepted or modified.

Cipher suites are also used for TLS-SIP and SRTP, and use suites similar to (but not the same as) the old level used for HTTPS. Currently this is not configurable due to compatibility issues.

Relevant SIP communication (especially INVITE and REGISTER messages) are authenticated using digest authentication, for both unencrypted SIP and TLS-SIP.

Certificates

Proper usage of HTTPS and TLS-SIP requires a valid certificate. This needs to be trusted by all potential clients (including web browsers and phones) and so we recommend the usage of a publicly trusted certificate authority.

Free Let’s Encrypt certificates are supported from version 6.4 onwards. These will be automatically renewed allowing continuous operation without administrator action. More information on Let’s Encrypt is available in our setup document.

Keevio

Keevio operates over HTTPS and benefits from the same features, along with SRTP for the audio.

Hosted

On the Hosted platform, for the security of all customers encryption settings are enforced automatically and cannot be disabled.