Bandwidth’s TLS/SRTP


Michael Walczak


What is TLS/SRTP?

Transport Layer Security (TLS) is a security protocol designed to facilitate privacy and data security for communications over the Internet. It’s primary purpose is to encrypt communication between web applications and servers, but it’s also widely used to encrypt Voice over IP (VoIP). 

Secure Real-Time Transport Protocol (SRTP) is an extension of a Real-Time Transport Protocol (RTP). It’s mainly intended to be used in VoIP communications to encrypt the media stream and minimize the risk of the Denial of Service (DoS) attacks. 

Both TLS and SRTP are used to encrypt calls between you and Bandwidth. However, please note that this doesn’t apply to calls sent to or from the PSTN.

Note: If you’re looking for another security option, please see Bandwidth’s Direct Link Service!


TLS/SRTP specifications

Supported TLS version  1.2
Key pair type  RSA (ECC certificates are not supported)
Supported cipher suites
  • RSA-WITH-AES-128-CBC-SHA (default)
  • RSA-WITH-AES-128-CBC-SHA-256
  • RSA-WITH-AES-256-CBC-SHA-256

TLS/SRTP feature options

TLS/SRTP can be used for both inbound and outbound voice services, including:

  • Origination
  • Toll-free
  • Termination
  • International

TLS/SRTP parameters

TLS/SRTP comes with the following parameters: 

  • TLS/SRTP is not available for 911.
  • TLS/SRTP is configured at the account level.

Certificate definitions and requirements

Certificate authorities

A Certificate Authority (CA) is an entity that issues digital certificates. A digital certificate certifies the ownership of a public key by the owner of that certificate. This allows others to rely on signatures or assertions made about the private key that corresponds to the certified public key. A CA acts as a third party trusted both by the owner of the certificate and by the party relying on that certificate.

Wildcard certificates

A wildcard certificate is a public key certificate that applies to any Fully Qualified Domain Name (FQDN) under that subdomain. 

For example, is a sub-domain of If your wildcard certificate,, is installed on the Private Branch Exchange (PBX) that has an FQDN as, it’s acceptable. 

However, if the same certificate is installed on the PBX that has an FQDN as, our Session Border Controller (SBC) will refuse the connection during the TLS negotiation phase. 

Accepted certificate authorities 

Bandwidth currently accepts the following CAs:

  • DigiCert
  • GoDaddy
  • Let's Encrypt
  • IdenTrust
  • Comodo
  • GlobalSign

TLS/SRTP requirements

  • You must demonstrate the need for TLS/SRTP and be able to configure and manage it within your systems.
  • You must have a valid certificate installed on your equipment. You may use a wildcard certificate as long as it’s valid and applies to the FQDN of the equipment.
  • As a customer, you're responsible for managing the certificate (self-signed certificates are not permitted).
  • Your equipment must use the Bandwidth zone FQDN provided to look up service (SRV) records. Please use the IP address and port obtained by the lookup to connect to the Bandwidth equipment. 
  • For origination, you’ll need to provide the FQDN of the endpoint. The SBC will use your A record to establish a connection to your endpoint. 

Note: Bandwidth doesn’t provide consulting or configuration services for customers' systems.

How do I enable TLS/SRTP?

To enable this feature, please contact your Account Manager. You’ll then be asked to complete a TLS/SRTP technical questionnaire and requirements document.

Not sure who your Account Manager is? Please reach out to your Bandwidth Support Team or hit us up at (855) 864-7776!

Article is closed for comments.