Hardening BYOC Cloud SIP Trunks with TLS 1.3 Encryption

I am currently hardening the SIP trunks for a high-security client in the financial sector. We want to implement TLS 1.3 for our BYOC Cloud trunks to ensure the highest level of encryption for our voice traffic. I see that Genesys Cloud supports TLS for SIP, but I am not sure if TLS 1.3 is available for all regions. Has anyone successfully configured a BYOC Cloud trunk with TLS 1.3, and are there any specific cipher suites that we should prioritize?

Hello Lar18. I am a ServiceNow developer and I have seen these security requirements in our enterprise clients. Genesys Cloud does support TLS 1.3 for SIP trunks, but it depends on the capabilities of your carrier’s SBC. You should use ‘Certificate-Based’ authentication for your trunk to ensure maximum security. In the trunk configuration, you can specify the minimum TLS version. I recommend setting it to 1.3 and then testing the connection with your carrier to ensure they are not falling back to 1.2 due to a configuration mismatch.

Greetings! I am a change management specialist and I want to remind you that when you upgrade your SIP security to TLS 1.3, you must also ensure that your network team has updated their firewall rules to allow the ‘Secure SIP’ port (usually 5061). If you forget this, your trunks will go out of service immediately after you enable the encryption! I have seen this happen during several rollouts and it always causes a panic. Please double-check your firewall logs before you make the switch!
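
An added example, not part of any post in this thread: a Python probe that separates the two failure modes raised in the replies above, a blocked port 5061 versus a TLS negotiation that fails or settles below TLS 1.3. It uses only the standard `ssl` and `socket` modules; the function names are illustrative, no client certificate is presented, and the result describes what the probed endpoint negotiates with this client, not what Genesys Cloud itself negotiates.

```python
import socket
import ssl
import sys

SIPS_PORT = 5061  # the 'Secure SIP' port named in the thread


def probe_context(verify=True):
    """Client context offering TLS 1.2 and 1.3 so a downgrade is visible."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if not verify:  # lab only, e.g. a test SBC with a self-signed cert
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def probe_sip_tls(host, port=SIPS_PORT, timeout=5.0, verify=True):
    """Return a dict whose 'status' is unreachable, handshake_failed or tls_ok."""
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        # Refused or timed out before TLS started: check firewall rules first.
        return {"status": "unreachable", "detail": str(exc)}
    try:
        with probe_context(verify).wrap_socket(raw, server_hostname=host) as tls:
            version = tls.version()
            return {"status": "tls_ok", "version": version,
                    "cipher": tls.cipher()[0],
                    "meets_tls13_policy": version == "TLSv1.3"}
    except OSError as exc:  # ssl.SSLError is a subclass of OSError
        return {"status": "handshake_failed", "detail": str(exc)}
    finally:
        raw.close()  # harmless if wrap_socket already took over the descriptor


if __name__ == "__main__":
    # Usage: python probe.py <sbc-hostname> [port]
    if len(sys.argv) < 2:
        sys.exit("usage: probe.py <sbc-hostname> [port]")
    port = int(sys.argv[2]) if len(sys.argv) > 2 else SIPS_PORT
    print(probe_sip_tls(sys.argv[1], port))
```

A result of `tls_ok` with `meets_tls13_policy` set to false means the endpoint settled on TLS 1.2, which is the fallback the second post warns about; `unreachable` points at the firewall rule the third post describes.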