Bandwidth’s TLS/SRTP


David Simmons


What is TLS/SRTP?

Transport Layer Security (TLS) is a security protocol designed to facilitate privacy and data security for communications over the Internet. Its primary purpose is to encrypt communication between web applications and servers, but it’s also widely used to encrypt the signaling portion of a SIP voice call.

Secure Real-Time Transport Protocol (SRTP) is an extension of Real-Time Transport Protocol (RTP). It’s mainly intended to be used in VoIP communications to encrypt the media stream and minimize the risk of Denial of Service (DoS) attacks. 

Both TLS and SRTP are used to encrypt calls between you and Bandwidth. However, please note that this doesn’t apply to calls sent to or from the PSTN.

Note: If you’re looking for another security option, check out Bandwidth’s Direct Link Service.

TLS/SRTP specifications

Supported TLS version  1.2
TLS key pair type  RSA (ECC certificates are not supported)
Supported TLS cipher suites

RSA_WITH_AES_128_CBC_SHA (default)


Supported SRTP cipher suites AES_CM_128_HMAC_SHA1_80

TLS/SRTP feature options

TLS/SRTP can be used for both inbound and outbound voice services, including:

  • Inbound
  • Outbound
  • Toll-Free
  • International

TLS/SRTP parameters

TLS/SRTP comes with the following parameters: 

  • TLS/SRTP is not yet available for 911
  • TLS/SRTP is configured at the account level

Certificate definitions and requirements

Certificate authorities

A Certificate Authority (CA) is an entity that issues digital certificates. A digital certificate certifies the ownership of a public key by the owner of that certificate. This allows others to rely on signatures or assertions made about the private key that corresponds to the certified public key. A CA acts as a third party trusted both by the owner of the certificate and by the party relying on that certificate.

Wildcard certificates

A wildcard certificate is a public key certificate that applies to any Fully Qualified Domain Name (FQDN) under that subdomain. 

For example, is a sub-domain of If your wildcard certificate,, is installed on the Private Branch Exchange (PBX) that has an FQDN as, it’s acceptable. 

However, if the same certificate is installed on the PBX that has an FQDN as, our Session Border Controller (SBC) will refuse the connection during the TLS negotiation phase. 

TLS/SRTP requirements

  • You must have a valid certificate installed on your equipment. You may use a wildcard certificate as long as it’s valid and applies to the FQDN of the equipment.
  • As a customer, you're responsible for managing the certificate (self-signed certificates are not permitted).
  • Your equipment must use the Bandwidth zone FQDN provided to look up service (SRV) records. Please use the IP address and port obtained by the lookup to connect to the Bandwidth equipment. 
  • For origination, you’ll need to provide the FQDN of the endpoint. The SBC will use your A record to establish a connection to your endpoint. 

Note: Bandwidth doesn’t provide consulting or configuration services for customers' systems.

How do I enable TLS/SRTP?

To enable this feature, please contact your Account Manager. Once you’re ready to move forward, please complete the Bandwidth TLS/SRTP questionnaire so we can ensure compatibility. 

Not sure who your Account Manager is? Please reach out to your Bandwidth Support Team or hit us up at (855) 864-7776!

Article is closed for comments.