Tls
This guide covers how to decrypt encrypted SIP (TLS) and media (SRTP/DTLS-SRTP) traffic in VoIPmonitor.
Understanding TLS Decryption
VoIPmonitor can decrypt TLS-encrypted SIP signaling and SRTP media. The method you choose depends on your TLS configuration.
Cipher Suite Impact
| TLS Version / Cipher | Private Key Decryption | SSL Key Logger |
|---|---|---|
| TLS 1.2 with RSA (no DH) | ✓ Yes Works | ✓ Yes Works |
| TLS 1.2 with DHE/ECDHE | ✗ No Impossible | ✓ Yes Required |
| TLS 1.3 (any cipher) | ✗ No Impossible | ✓ Yes Required |
⚠️ Warning: Modern VoIP services use TLS 1.3 or PFS ciphers. The SSL Key Logger (Method 2) is the only viable method for most deployments.
To check your cipher suite, capture the TLS handshake in Wireshark and look for "DHE" or "ECDHE" in the cipher negotiation.
Method Overview
Quick Reference:
- Method 1 - Private Key: Simple, but only works for non-PFS ciphers
- Method 2 - SSL Key Logger: Universal, works for all ciphers (recommended)
- Method 3 - Distributed Mode: For client-server architecture with
packetbuffer_sender=yes - Method 4 - SBC/PBX Tunneling: Ribbon, AudioCodes, or other vendor solutions
- Method 5 - External Key Provider: Hosted platforms (NetSapiens, etc.)
- Method 6 - HEP Protocol: Alternative when SSL Key Logger isn't feasible
Cloud Service Limitations
| Scenario | Decryption Possible? |
|---|---|
| Hardware phone → Cloud (Teams, Webex) | ✗ No Not possible (no access to cloud keys) |
| Softphone on controlled host → Cloud | ✓ Yes Use SSL Key Logger on the host |
| Phone → Local SBC → Cloud | ✓ Yes Use SBC tunneling (Method 4) |
Method 1: Private Key Decryption
Works only for TLS 1.2 or older without Diffie-Hellman ciphers.
Configuration
# /etc/voipmonitor.conf
ssl = yes
ssl_ipport = 10.0.0.1:5061 /etc/pki/tls/private/server.key
Multiple servers:
ssl_ipport = 10.0.0.1:5061 /path/to/server1.key
ssl_ipport = 10.0.0.2:5061 /path/to/server2.key
GUI Configuration
Navigate to Settings > Sensors > wrench icon and search for ssl_:
ssl = yesssl_ipport = IP:PORT /path/to/key
Method 2: SSL Key Logger (Recommended)
Works for all cipher suites including PFS. Captures session keys from your PBX/SBC using LD_PRELOAD.
Step 1: Compile the Library
# Install prerequisites
apt-get install libssl-dev build-essential git # Debian/Ubuntu
yum install openssl-devel make gcc git # RHEL/CentOS
# Compile
cd /usr/local/src
git clone https://github.com/voipmonitor/sniffer.git voipmonitor-git
cd voipmonitor-git/tools/ssl_keylogger/
make
💡 Tip:
Step 2: Configure Your PBX
Asterisk
# Create environment file
cat > /etc/default/asterisk-ssl << 'EOF'
SSLKEYLOG_UDP='127.0.0.1:1234'
LD_PRELOAD='/usr/local/src/voipmonitor-git/tools/ssl_keylogger/sslkeylog.so'
EOF
# Add to service
systemctl edit asterisk.service
Add:
[Service]
EnvironmentFile=/etc/default/asterisk-ssl
Restart: systemctl daemon-reload && systemctl restart asterisk
FreeSWITCH
Edit /lib/systemd/system/freeswitch.service:
⚠️ Warning: Critical for DTLS+SRTP decryption: systemd must start the service as root so LD_PRELOAD can inject the keylogger before FreeSWITCH drops privileges. Set User=root in the service file and use -u/-g flags in ExecStart for FreeSWITCH to drop privileges internally.
[Service]
User=root
Group=root
ExecStart=env SSLKEYLOG_UDP='127.0.0.1:1234' LD_PRELOAD='/usr/local/src/voipmonitor-git/tools/ssl_keylogger/sslkeylog.so' /usr/bin/freeswitch -u freeswitch -g freeswitch -nonat
Then reload and restart:
systemctl daemon-reload
systemctl restart freeswitch
Kamailio
⚠️ Warning: Kamailio requires all three libraries in LD_PRELOAD to avoid crashes:
# Find library paths
find /usr/lib -name "libssl.so*" -o -name "libjson-c.so*"
Edit service file:
ExecStart=env SSLKEYLOG_UDP='127.0.0.1:1234' LD_PRELOAD='/usr/local/src/voipmonitor-git/tools/ssl_keylogger/sslkeylog.so:/usr/lib/x86_64-linux-gnu/libssl.so.3:/usr/lib/x86_64-linux-gnu/libjson-c.so.5' /usr/sbin/kamailio ...
Step 3: Configure VoIPmonitor
# /etc/voipmonitor.conf
ssl = yes
ssl_sessionkey_udp = yes
ssl_sessionkey_udp_port = 1234
# CRITICAL: No key file path when using SSL Key Logger!
ssl_ipport = 192.168.0.1:5061
# Include loopback if sending keys to 127.0.0.1
interface = eth0,lo
⚠️ Warning: WRONG: ssl_ipport = IP:PORT /path/to/key — This forces Method 1 and ignores the key logger!
CORRECT: ssl_ipport = IP:PORT — No key file path.
Secure Key Transport (TCP Mode)
For production environments, use TCP instead of UDP:
# Recompile with TCP support
cd /usr/local/src/voipmonitor-git/tools/ssl_keylogger/
make clean && make with_tcp
On PBX: Change SSLKEYLOG_UDP to SSLKEYLOG_TCP
On VoIPmonitor:
ssl_sessionkey_udp = no
ssl_sessionkey_bind = 0.0.0.0
ssl_sessionkey_bind_port = 1234
Method 3: Distributed Mode
When using packetbuffer_sender=yes, session keys must go to the central server.
On PBX:
# Send keys to CENTRAL SERVER, not localhost!
SSLKEYLOG_UDP='192.168.1.100:1234' # Central server IP
On Central Server:
ssl = yes
ssl_sessionkey_udp = yes
ssl_sessionkey_udp_port = 1234
ssl_ipport = 192.168.1.50:5061 # PBX IP (no key file)
Method 4: SBC/PBX Tunneling
Some SBCs decrypt internally and forward unencrypted traffic via tunneling protocols.
| Vendor | Protocol | Documentation |
|---|---|---|
| Ribbon/Oracle | Monitoring Profile | Ribbon7k_monitoring_profiles |
| AudioCodes | Proprietary tunnel | Audiocodes_tunneling |
| Generic | IPinIP | Auto-decoded by VoIPmonitor |
ℹ️ Note: When using vendor tunneling, no SSL configuration is needed in VoIPmonitor—traffic arrives unencrypted.
Method 5: External Key Providers
Some hosted platforms (e.g., NetSapiens) can export TLS session keys to VoIPmonitor. Configure VoIPmonitor to receive keys via UDP/TCP as in Method 2.
Method 6: HEP Protocol
Alternative when SSL Key Logger doesn't work. The SIP proxy decrypts traffic and sends it via HEP.
# /etc/voipmonitor.conf
receiver_mode = yes
hep = yes
hep_bind_ip = 0.0.0.0
hep_bind_port = 9060
ℹ️ Note: HEP is just transport. Your SIP proxy must decrypt TLS before encapsulating in HEP. See HEP documentation.
SRTP/DTLS Decryption
Recommended Configuration
# Enables best-practice DTLS settings
ssl_dtls_boost = yes
RTP Proxy Issues (rtpengine)
If SRTP decryption fails with SDES keys visible in SDP, your RTP proxy may be stripping keys.
Fix for rtpengine (Kamailio):
rtpengine_manage("replace-origin DTLS=no SDES-nonew SDES-pad");
Garbled Audio
Garbled/distorted audio usually means SRTP is encrypted but not decrypted—not a codec issue.
Solution: Configure SSL Key Logger as described in Method 2, then verify keys are being received:
tcpdump -i any -n port 1234 # Check for UDP key packets
Troubleshooting
Decryption Not Working
Step 1: Verify packets are captured
- Check
sip:history (+)in CDR detail - Packets visible but encrypted → decryption issue
- Packets missing → capture issue (check interface config)
Step 2: Check configuration
| Issue | Solution |
|---|---|
| Keys sent to localhost but not captured | Add lo to interface: interface = eth0,lo
|
| TCP/TLS packets not captured | Remove/fix BPF filter: filter = udp or tcp or (vlan and (udp or tcp))
|
ssl_ipport has key file path |
Remove key path when using SSL Key Logger |
packetbuffer_sender=yes fails |
Send keys to central server IP, not localhost |
| FreeSWITCH not capturing DTLS+SRTP keys | Set User=root in systemd service file, use -u/-g flags in ExecStart
|
Compilation/Startup Issues
| Error | Platform | Solution |
|---|---|---|
undefined symbol: dlsym |
RHEL/CentOS/VitalPBX | Recompile: g++ -shared -o sslkeylog.so sslkeylog.o -ldl (library flags after objects)
|
| FreeSWITCH stuck in "activating" | Any | Recompile without TCP: make clean && make; set DEBUG 0 and WRITE_THREAD 0
|
Kamailio receive_fd(): EOF |
Debian 12 | Add libjson-c.so to LD_PRELOAD (see Kamailio section) |
| Environment variables not loaded | Any | Use asterisk -r then core stop now instead of systemctl restart
|
High Traffic Issues
Symptom: Packet drops, TLS calls not decrypted under load
Solution 1: Increase wait time:
ssl_sessionkey_maxwait_ms = 5000
Solution 2: Switch to TCP mode (see "Secure Key Transport" above)
Capture for Support
# Capture TLS traffic + keylogger packets
tcpdump -i eth0,lo -w /tmp/debug.pcap \
"((host PBX_IP and port 5061) or (port 1234))"
Provide to support:
- CDR ID
voipmonitor --version- Config snippet (ssl*, interface, packetbuffer_sender)
- The PCAP file
See Also
- Audiocodes_tunneling - AudioCodes SBC tunneling
- Ribbon7k_monitoring_profiles - Ribbon/Oracle SBC monitoring
- WebRTC - WebRTC/WSS decryption
- Sniffer_configuration - Full configuration reference
- Sniffer_distributed_architecture - Client-server architecture
AI Summary for RAG
Summary: Guide to decrypting TLS-encrypted SIP and SRTP media in VoIPmonitor. Six methods: (1) Private Key - only for TLS 1.2 without DHE/ECDHE, configure ssl_ipport=IP:PORT /path/to/key; (2) SSL Key Logger (recommended) - universal for all ciphers, inject sslkeylog.so via LD_PRELOAD into Asterisk/Kamailio/FreeSWITCH, keys sent via UDP or TCP; (3) Distributed Mode - with packetbuffer_sender=yes, send keys to central server IP not localhost; (4) SBC Tunneling - Ribbon/AudioCodes decrypt internally; (5) External Key Providers - hosted platforms export keys; (6) HEP - SIP proxy decrypts then sends via HEP. Critical: when using SSL Key Logger, ssl_ipport must NOT include key file path. For localhost keys, add lo to interface. Kamailio requires three libraries in LD_PRELOAD. FreeSWITCH requires User=root in systemd service file with -u/-g flags in ExecStart for DTLS+SRTP decryption to work. High traffic: use TCP mode or increase ssl_sessionkey_maxwait_ms. Garbled audio = SRTP encryption not codec issue.
Keywords: tls, ssl, srtp, dtls, decryption, sslkeylog, ld_preload, session key, asterisk, kamailio, freeswitch, ssl_ipport, ssl_sessionkey_udp, packetbuffer_sender, distributed mode, ribbon sbc, audiocodes, hep, rtpengine, pfs, perfect forward secrecy, garbled audio, dlsym error