ZRTP is only the secure key exchange for SRTP.
In PhonerLite the options have the following meaning:

• SRTP: negotiation of crypto keys for SRTP is done in SDP.
• ZRTP: negotiation of crypto keys is done by ZRTP protocol

Both options are independent in PhonerLite. If no keys are exchanged no encryption is done. If both parties use crypto key exchange in SDP, that keys are used. After call establishment a new ZRTP negotiation can be initiated. That may lead to new keys - no problem in PhonerLite. If you have a server between the both parties, that server is not involved in ZRTP negotiation. So that server doesn't know anything about new keys for encryption. If any server based media is inserted (like Music On Hold) the encryption won't fit, because the server only knows the "old" keys exchanged prior in SDP.
If you are using a SIP server (proxy) that only "routes" the calls and no further logic is involved, both endpoints can use SRTP and TLS at the same time.

Basically if phonerlite sees abc1.ca.pem and abc2.ca.pem (and TLS enabled) in its directory, then it will accept any server certificate that is signed by abc1.ca.pem and also any server certificate signed by abc2.ca.pem also. If the server CN and the server IP or domain name don't match, it should still work (because the server certificate is signed by the root abc1.ca.pem (or abc2.ca.pem)). 

Same applies for peer to peer (IP to IP mode) ?

Please clarify this.

I installed freeswitch with ZRTP support. Then i installed the phoner software, checked the zrtp box, entered the login data, found that the zrtp box has been automatically unchecked and then it says regisrted as sip. Any suggestion how to test the call encryption?

thank you

I am missing some guide how to use secure call encryption.

Can you give please short instructions how to ensure secure phone calls? That's what we do right now...

- install Phoner(Lite) (portable)
- standard settings plus additionally the following...
- Under preferred network type
-- choose TLS
-- choose connection type is fixed
- Under codec
-- choose SRTP
-- choose SAVP
-- choose ZRTP
- make direct IP to IP calls
- after the call started, check if TLS and ZRTP are green
- go with mouse over ZRTP and read code
- compare code with partner by speaking it
- that's all

Is it secure this way?

Do we need to compare the code every time we call again?

Ok great.

The current handling is a little uncomfortable. I have some suggestions.

What about a colour changing tray symbol? For example red for standby (has always been this way), yellow is unencrypted call and green is encrypted call.

Additionally a tool tip in the right corner "compare H61R with partner" shown as long until clicked the tooltip away.

Okay...

About ZRTP, I read this here http://www.trustmyphone.com/en/cryptmycall.html Quote:


Does Phoner do the same?

If so, why do we have to compare the string again every time anyway?

What if there is an MITM from the frist call, is ZRTP still secure because of the string comparison? It's like a hash comparison?

And something else...
http://de.wikipedia.org/wiki/Zfone
Quote:

Ok, it's from wikipedia. Maybe it is completely wrong.

What about this PSK? Is it an addition to the ZRTP protocol, optional to implement?

Somewhere else I've read about 'ZRTP Preshared Key Mode'.

Our company is going to use PL exceptionaly for secure calls.
We made VPN connection between our main offices and inside this network we would use PL. So the plan is following:
vpn secure -> voice encryption, should generate much traffic but looks very secure. In case any one breach the VPN they can do nothing with voice encryption.
But we encountered few problems:

I want connect PL directly IP to IP so I does not enter any server info, and PL assigns adress smth like this Phonerlite@123.123.123.123. Do the same on enother comuter and now I can call him (btw this works only in local network, dunno why).

Then I make the same steps for secure calls as listed above. But icon with key "tls" is white and tells that sertificate is not valid fot this domain. The call is Ok, the compared ZRTP key is also OK.
The second question is does this work only in local network? How can I connect IP to IP without local network?