All Sinch Elastic SIP Trunks support TLS and SRTP natively. For more information on TLS/SRTP encryption and the benefits of using it, please read more here.
To make encrypted calls with TLS, simply send calls to your SIP Trunk FQDN on port 5061. This port can only be used for TLS, and non-TLS calls will fail. SRTP must be used when making a TLS call.
To ensure we send calls to your infrastructure using TLS, go into your SIP Endpoint on your SIP Trunk and change the transport protocol to “TLS”. Note that the port on your SIP endpoint will update automatically to port 5061. If your infrastructure is listening for TLS connections on a non-standard port, simply change the port manually to the correct value.
Congratulations, your Sinch Elastic SIP Trunk is now configured to use encryption! It’s that easy.
Sinch Elastic SIP Trunking uses TLS certificates secured by Let’s Encrypt. If your TLS SIP infrastructure does not already trust certificates from this Certificate Authority, you can download the Let’s Encrypt root certificate and associated intermediate certificates here: https://letsencrypt.org/certificates/
Sinch trusts all well-known Certificate Authorities. This ensures we will not have any trust issues when your infrastructure presents its certificate on inbound calls.
For negotiation, Sinch supports the following cipher suites for both TLS and SRTP.
TLSv1.2
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8
TLS_ECDHE_ECDSA_WITH_AES_256_CCM
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8
TLS_ECDHE_ECDSA_WITH_AES_128_CCM
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
TLSv1.3
TLS_AES_256_GCM_SHA384
TLS_CHACHA20_POLY1305_SHA256
TLS_AES_128_GCM_SHA256
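
An added example (not Sinch's code) for checking the list above against your own TLS stack: it converts the page's IANA suite names to the OpenSSL names used in most SIP server configurations and reports which suites your side shares. Every TLSv1.2 suite on the list is an ECDHE_ECDSA suite, so a side configured only for RSA-authenticated suites shares none of them; `RSA_ONLY` is constructed sample input and the function names are illustrative.

```python
import ssl

# Cipher suites listed on this page (IANA names), in the page's order.
SINCH_TLS12 = """
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8 TLS_ECDHE_ECDSA_WITH_AES_256_CCM
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8 TLS_ECDHE_ECDSA_WITH_AES_128_CCM
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
""".split()
SINCH_TLS13 = ["TLS_AES_256_GCM_SHA384", "TLS_CHACHA20_POLY1305_SHA256",
               "TLS_AES_128_GCM_SHA256"]


def iana_to_openssl(name):
    """Convert an IANA suite name from the lists above to its OpenSSL name."""
    if name in SINCH_TLS13:  # OpenSSL uses the IANA name for TLS 1.3 suites
        return name
    for old, new in (("TLS_", ""), ("_WITH_", "-"), ("AES_", "AES"),
                     ("_CBC", ""), ("CCM_8", "CCM8"), ("_", "-")):
        name = name.replace(old, new)
    return name


def overlap(local_openssl_names):
    """Return the suites shared with the page's list, per protocol version."""
    local = set(local_openssl_names)
    return {
        "TLSv1.2": [s for s in SINCH_TLS12 if iana_to_openssl(s) in local],
        "TLSv1.3": [s for s in SINCH_TLS13 if iana_to_openssl(s) in local],
    }


def expand(cipher_string):
    """Expand an OpenSSL cipher string using the local OpenSSL build."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)
    return [c["name"] for c in ctx.get_ciphers()]


# Constructed sample: a PBX whose TLS 1.2 list holds only RSA-authenticated suites.
RSA_ONLY = ["ECDHE-RSA-AES256-GCM-SHA384", "ECDHE-RSA-AES128-GCM-SHA256",
            "TLS_AES_256_GCM_SHA384"]

if __name__ == "__main__":
    for label, names in (("constructed RSA-only list", RSA_ONLY),
                         ("local OpenSSL defaults", expand("DEFAULT"))):
        shared = overlap(names)
        print(label, {version: len(s) for version, s in shared.items()})
        if not shared["TLSv1.2"]:
            print("  no common TLS 1.2 suite: a TLS 1.2 handshake would fail")
```

To check a real deployment, pass the cipher string from your SBC or PBX configuration to `expand()` on a host with the same OpenSSL version.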