Two VOIP Contractors and I have been wrestling unsuccessfully for several weeks trying to get E2EE Calls working between extensions on our PBX (FreePBX 16).
Our VOIP Softphone clients (Zoiper5 Desktop) on either end of successful calls indicate an encrypted connection but it turns out each client has only an encrypted connection to the PBX …NOT to the other client.
So instead of a true E2EE connection between our VOIP clients, FreePBX is making itself a MITM encryption transcoder. Not good.
We’ve confirmed this by noting that when call recording is turned on we’re able to obtain and listen to a recording of what end-users would naively assume was a secured E2EE call.
Any suggestions or links to sources that would help us understand and resolve this issue would be most welcome.
Enabling direct media between the endpoints should take the PBX out of the path. And naturally you would have to disable features like call recording so that FreePBX doesn’t keep itself in the call path for the sake of that feature.
If any side is using SRTP, then direct media is not supported. Media always flows through Asterisk in that case unencrypted. No one has spent time writing code to try to do otherwise.
If we disable SRTP Key Negotiation in our VOIP clients, how will they successfully negotiate the key exchange required for true E2EE encryption?
I can’t answer that. I’m just stating the way that Asterisk works.
SRTP is never going to be end to end at the application layer, because the key exchange is done in the signalling, and signalling needs to be in the clear, within the PBX, for it to be routed. Even if the media is not decrypted, everything needed to decrypt is available at the PABX.
I believe ZRTP does key exchanges in the media, but I don’t think it has ever been implemented for Asterisk.
Also remember that, if you actually want to avoid man in the middle, you must have secure end to end authentication, as well.
If you do have end to end media encryption, you will find it difficult to use feature codes.
Sorry about giving misleading information here. Thanks @jcolp for clarifying. I don’t see how any PBX would be able to support E2EE. Perhaps a SIP proxy service, but as @david55 noted, the signaling will still be readable at the SIP proxy, revealing your key exchange.
Direct signaling and media exchange between SIP endpoints is the only way I can think of to accomplish E2EE.
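Added example, not part of the original thread or any participant's post: a small Python audit of an SDP body showing why SDES-keyed SRTP cannot be end to end, since the `a=crypto` line carries the master key and salt to every signalling hop. The SDP and key below are constructed sample data, the function names are hypothetical, and the check for the ZRTP `a=zrtp-hash` attribute goes slightly beyond what the thread describes.

```python
import base64
import re

# Constructed SDP offer (not from a real call); the key is 30 bytes of sample data.
SAMPLE_KEY = base64.b64encode(bytes(range(30))).decode()
SAMPLE_SDP = "\r\n".join([
    "v=0",
    "o=- 1 1 IN IP4 192.0.2.10",
    "s=-",
    "c=IN IP4 192.0.2.10",
    "t=0 0",
    "m=audio 40000 RTP/SAVP 0",
    "a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:" + SAMPLE_KEY,
    "a=rtpmap:0 PCMU/8000",
]) + "\r\n"

# SDES (RFC 4568): a=crypto:<tag> <suite> inline:<base64 key||salt>[|lifetime|MKI]
CRYPTO_RE = re.compile(r"^a=crypto:(\d+) (\S+) inline:([A-Za-z0-9+/=]+)")


def audit_sdp(sdp):
    """Return one finding per m= section describing how SRTP keys are conveyed."""
    findings, current = [], None
    for line in sdp.splitlines():
        if line.startswith("m="):
            fields = line.split()
            current = {"media": fields[0][2:], "profile": fields[2],
                       "sdes_keys": [], "zrtp_hash": False}
            findings.append(current)
        elif current is None:
            continue  # session-level lines are not inspected in this example
        elif (m := CRYPTO_RE.match(line)):
            raw = base64.b64decode(m.group(3))
            # AES_CM_128 suites: 16-byte master key followed by 14-byte master salt
            current["sdes_keys"].append(
                {"suite": m.group(2), "key": raw[:16], "salt": raw[16:30]})
        elif line.startswith("a=zrtp-hash:"):
            current["zrtp_hash"] = True  # ZRTP keys in the media path (RFC 6189)
    return findings


def key_visible_to_signalling(section):
    """True when any hop that can read this SDP also holds the SRTP master key."""
    return bool(section["sdes_keys"])


if __name__ == "__main__":
    for s in audit_sdp(SAMPLE_SDP):
        print(s["media"], s["profile"], "key exposed:", key_visible_to_signalling(s))
```

Run against the SDP a softphone actually sends (for example from its own SIP debug log), this shows whether the PBX received the key itself rather than only relayed ciphertext.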