One of our customers recently asked us about Voice Encryption. We thought our response might be useful to others as well:
Getting TLS to work is not simply a matter of ‘click and it works’.
You need a private key and a public certificate. For a phone to accept the certificate, it must be issued by a Certificate Authority that is already pre-installed on the phone. Not many Certificate Authorities are installed on phones by default, so each phone's documentation needs to be checked against its list.
Most phones allow a custom Certificate Authority to be installed, but this requires special setup (some allow it via auto-provisioning).
Once the certificates are set up, you can enable TLS; the system will then listen on port 5061, and this traffic is TCP, not UDP. You then enable SRTP, which encrypts the media, not the signalling.
You can use SRTP without TLS, but that is pointless: if SIP is not encrypted, the RTP can still be decoded, because the SRTP encryption keys are carried in the signalling, which flows unencrypted (so yes, in that case a man-in-the-middle attack is possible).
Man-in-the-middle attacks are also possible if the phone accepts ANY certificate without validating it (similar to when you are browsing a secure website…).
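As an added example (not part of the original answer, and not vendor code), the following Python check illustrates why SRTP without TLS is pointless: it parses a constructed SIP INVITE, reads the transport from the Via header, and flags SDES (a=crypto) SRTP master keys that were offered over a non-TLS transport. The message, addresses and function names are constructed for this illustration.

```python
import base64
import re

# Constructed sample: an INVITE offering SRTP (RTP/SAVP) with an SDES key
# in the SDP, sent over plain UDP, so the key travels in cleartext.
SAMPLE_INVITE = (
    "INVITE sip:bob@example.com SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776asdhds\r\n"
    "From: <sip:alice@example.com>;tag=1928301774\r\n"
    "To: <sip:bob@example.com>\r\n"
    "Call-ID: a84b4c76e66710\r\n"
    "CSeq: 314159 INVITE\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "o=alice 2890844526 2890844526 IN IP4 192.0.2.10\r\n"
    "s=-\r\n"
    "c=IN IP4 192.0.2.10\r\n"
    "t=0 0\r\n"
    "m=audio 49170 RTP/SAVP 0\r\n"
    "a=crypto:1 AES_CM_128_HMAC_SHA1_80 "
    "inline:WVNfX19zZW1jdGwgKCkgewkyMjA7fQp9CnVubGVz|2^20|1:4\r\n"
)

# a=crypto:<tag> <suite> inline:<base64 master key + salt>[|lifetime|mki]
CRYPTO_RE = re.compile(r"^a=crypto:(\d+)\s+(\S+)\s+inline:([A-Za-z0-9+/=]+)", re.M)
VIA_RE = re.compile(r"^Via:\s*SIP/2\.0/(\w+)", re.M | re.I)
MEDIA_RE = re.compile(r"^m=audio\s+\d+\s+(\S+)", re.M)


def audit_sip_message(raw: str) -> dict:
    """Report the signalling transport, the SRTP keys visible in the SDP,
    and findings a defender would care about."""
    head, _, body = raw.partition("\r\n\r\n")
    via = VIA_RE.search(head)
    transport = via.group(1).upper() if via else "UNKNOWN"
    # The base64 blob decodes directly to the SRTP master key and salt
    # (30 bytes for AES_CM_128_*); no secret is needed to read it.
    keys = [base64.b64decode(m.group(3)) for m in CRYPTO_RE.finditer(body)]
    media = MEDIA_RE.search(body)
    profile = media.group(1) if media else "UNKNOWN"
    findings = []
    if keys and transport != "TLS":
        findings.append(f"SRTP master keys sent in cleartext over {transport}")
    if profile == "RTP/AVP":
        findings.append("media offered as plain RTP (no SRTP)")
    return {"transport": transport, "profile": profile,
            "srtp_keys": len(keys), "key_bytes": [len(k) for k in keys],
            "findings": findings}


if __name__ == "__main__":
    print(audit_sip_message(SAMPLE_INVITE))
```

Running it on the sample reports the 30-byte master key recovered from UDP signalling; re-sending the same INVITE over TLS clears the finding, which is exactly the ordering the answer above describes (TLS first, then SRTP).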