Securing Voice over IP (VoIP) is a crucial requirement for its successful adoption. A key component of this is securing the signaling path, which is performed by the Session Initiation Protocol (SIP). Securing SIP can be accomplished by using Transport Layer Security (TLS) instead of UDP as the transport protocol. However, using TLS for SIP is not yet widespread, perhaps due to concerns about the performance overhead. This paper studies the performance impact of using TLS as a transport protocol for SIP servers. We evaluate the cost of TLS experimentally using a testbed with OpenSIPS, OpenSSL, and Linux running on an Intel-based server. We analyze TLS costs using application, library, and kernel profiling and use the profiles to illustrate when and how different costs are incurred. We show that using TLS can reduce performance by up to a factor of 17 compared to the typical case of SIP-over-UDP. The primary factor in determining performance is whether and how TLS connection establishment is performed due to the heavy costs of RSA operations used for session negotiation. This depends both on how the SIP proxy is deployed and what TLS operation modes are used. The cost of symmetric key operations such as AES, in contrast, tends to be small. Network operators deploying SIP-over-TLS should attempt to maximize the persistence of secure connections and will need to assess the server resources required. To aid them, we provide a measurement-driven cost model for use in provisioning SIP servers using TLS. Our cost model predicts performance within 15% on average.