diff --git a/conf/dialplan/default.xml b/conf/dialplan/default.xml
index eefbfb6e35..a46fca140e 100644
--- a/conf/dialplan/default.xml
+++ b/conf/dialplan/default.xml
@@ -52,7 +52,7 @@
       <condition field="${call_debug}" expression="^true$" break="never">
 	<action application="info"/>
       </condition>
-      <condition field="${sip_has_crypto}" expression="^AES_CM_128_HMAC_SHA1_32$" break="never">
+      <condition field="${sip_has_crypto}" expression="^(AES_CM_128_HMAC_SHA1_32|AES_CM_128_HMAC_SHA1_80)$" break="never">
 	<action application="set" data="sip_secure_media=true"/>
       </condition>
       <condition>
@@ -236,6 +236,13 @@
       </condition>
     </extension>
 
+    <extension name="echo">
+      <condition field="destination_number" expression="^9996$">
+	<action application="answer"/>
+	<action application="echo"/>
+      </condition>
+    </extension>
+
     <extension name="milliwatt">
       <condition field="destination_number" expression="^9997$">
 	<action application="answer"/>
@@ -251,7 +258,7 @@
     </extension>
 
     <extension name="hold_music">
-      <condition field="${sip_has_crypto}" expression="^AES_CM_128_HMAC_SHA1_32$" break="never">
+      <condition field="${sip_has_crypto}" expression="^(AES_CM_128_HMAC_SHA1_32|AES_CM_128_HMAC_SHA1_80)$" break="never">
 	<action application="answer"/>
 	<action application="execute_extension" data="is_secure XML default"/>
       </condition>
diff --git a/conf/sip_profiles/default.xml b/conf/sip_profiles/default.xml
index cd2cc6ad6c..2892b44552 100644
--- a/conf/sip_profiles/default.xml
+++ b/conf/sip_profiles/default.xml
@@ -46,7 +46,7 @@
     <!--<param name="bind-params" value="transport=udp"/>-->
 
     <!-- TLS: disabled by default, set to "true" to enable -->
-    <param name="tls" value="false"/>
+    <param name="tls" value="true"/>
     <!-- additional bind parameters for TLS -->
     <param name="tls-bind-params" value="transport=tls"/>
     <!-- Port to listen on for TLS requests. (5061 will be used if unspecified) -->
@@ -54,7 +54,7 @@
     <!-- Location of the agent.pem and cafile.pem ssl certificates (needed for TLS server) -->
     <param name="tls-cert-dir" value="$${base_dir}/conf/ssl"/>
     <!-- TLS version ("sslv23" (default), "tlsv1"). NOTE: Phones may not work with TLSv1 -->
-    <param name="tls-version" value="sslv23"/>
+    <param name="tls-version" value="tlsv1"/>
     
     <!--If you don't want to pass through timestampes from 1 RTP call to another (on a per call basis with rtp_rewrite_timestamps chanvar)-->
     <!--<param name="rtp-rewrite-timestamps" value="true"/>-->
diff --git a/src/mod/endpoints/mod_sofia/mod_sofia.h b/src/mod/endpoints/mod_sofia/mod_sofia.h
index 69c5d1c87b..fcfe7d163c 100644
--- a/src/mod/endpoints/mod_sofia/mod_sofia.h
+++ b/src/mod/endpoints/mod_sofia/mod_sofia.h
@@ -345,6 +345,7 @@ struct private_object {
 	char *gateway_name;
 	char *local_crypto_key;
 	char *remote_crypto_key;
+	int crypto_tag;
 	unsigned char local_raw_key[SWITCH_RTP_MAX_CRYPTO_LEN];
 	unsigned char remote_raw_key[SWITCH_RTP_MAX_CRYPTO_LEN];
 	switch_rtp_crypto_key_type_t crypto_send_type;
diff --git a/src/mod/endpoints/mod_sofia/sofia_glue.c b/src/mod/endpoints/mod_sofia/sofia_glue.c
index 637f832bb9..a8af860e3c 100644
--- a/src/mod/endpoints/mod_sofia/sofia_glue.c
+++ b/src/mod/endpoints/mod_sofia/sofia_glue.c
@@ -1352,7 +1352,8 @@ switch_status_t sofia_glue_activate_rtp(private_object_t *tech_pvt, switch_rtp_f
 		if (tech_pvt->remote_crypto_key && switch_test_flag(tech_pvt, TFLAG_SECURE)) {
 			sofia_glue_add_crypto(tech_pvt, tech_pvt->remote_crypto_key, SWITCH_RTP_CRYPTO_RECV);
 			switch_rtp_add_crypto_key(tech_pvt->rtp_session, SWITCH_RTP_CRYPTO_SEND, 1, tech_pvt->crypto_type, tech_pvt->local_raw_key, SWITCH_RTP_KEY_LEN);
-			switch_rtp_add_crypto_key(tech_pvt->rtp_session, SWITCH_RTP_CRYPTO_RECV, 1, tech_pvt->crypto_type, tech_pvt->remote_raw_key, SWITCH_RTP_KEY_LEN);
+			switch_rtp_add_crypto_key(tech_pvt->rtp_session, SWITCH_RTP_CRYPTO_RECV, tech_pvt->crypto_tag, 
+									  tech_pvt->crypto_type, tech_pvt->remote_raw_key, SWITCH_RTP_KEY_LEN);
 			switch_channel_set_variable(tech_pvt->channel, SOFIA_SECURE_MEDIA_CONFIRMED_VARIABLE, "true");
 		}
 
@@ -1547,11 +1548,23 @@ uint8_t sofia_glue_negotiate_sdp(switch_core_session_t *session, sdp_session_t *
 					ptime = atoi(a->a_value);
 				} else if (!strcasecmp(a->a_name, "crypto") && a->a_value) {
 					crypto = a->a_value;
+					int crypto_tag = atoi(crypto);
+					
 					if (tech_pvt->remote_crypto_key) {
-						switch_log_printf(SWITCH_CHANNEL_LOG, SWITCH_LOG_DEBUG, "Already have a key\n");
+						if (crypto_tag && crypto_tag == tech_pvt->crypto_tag) {
+							switch_log_printf(SWITCH_CHANNEL_LOG, SWITCH_LOG_DEBUG, "Existing key is still valid.\n");
+						} else {
+							switch_log_printf(SWITCH_CHANNEL_LOG, SWITCH_LOG_DEBUG, "Change Remote key to [%s]\n", crypto);
+							tech_pvt->remote_crypto_key = switch_core_session_strdup(tech_pvt->session, crypto);
+							tech_pvt->crypto_tag = crypto_tag;
+							sofia_glue_add_crypto(tech_pvt, tech_pvt->remote_crypto_key, SWITCH_RTP_CRYPTO_RECV);
+							switch_rtp_add_crypto_key(tech_pvt->rtp_session, SWITCH_RTP_CRYPTO_RECV, tech_pvt->crypto_tag, 
+													  tech_pvt->crypto_type, tech_pvt->remote_raw_key, SWITCH_RTP_KEY_LEN);
+						}
 					} else {
 						tech_pvt->remote_crypto_key = switch_core_session_strdup(tech_pvt->session, crypto);
 						switch_log_printf(SWITCH_CHANNEL_LOG, SWITCH_LOG_DEBUG, "Set Remote Key [%s]\n", tech_pvt->remote_crypto_key);
+						tech_pvt->crypto_tag = crypto_tag;
 
 						if (switch_strlen_zero(tech_pvt->local_crypto_key)) {
 							if (switch_stristr(SWITCH_RTP_CRYPTO_KEY_32, crypto)) {