VoIP: SIP-over-TLS and sRTP: Auerswald

Auerswald was strong in ISDN and is moving to SIP step by step. Because Auerswald still sells older series and ISDN phones, and never established a naming scheme that tells its product lines apart, you have to rely on its web page: Overview. The former COMfortel 1200 IP was made by Escene; for that model, Auerswald rejected all my security vulnerabilities because the model is End-of-Support. The COMfortel C-400 is made by VTech. The COMfortel 3200 and 3500 were based on Android 2.3 (API 10). The COMfortel 1400 IP, 2600 IP, and 3600 IP were based on Android 4.4 (API 19). The current phones, released in April 2019, are based on Android 7.1 (API 25; kernel 4.9.29) and got a completely new user interface, both on the Web and on the phone itself. For SDES-sRTP, you cannot complete the setup on the phone but have to use the Web interface, because the trust anchor for the TLS connection must be uploaded there.

Last tested firmware

1.0B-00000
retested in May 2020 with 1.2B-00003
In their wiki, you find an XSD file, which is the documentation for administrators.
Public betas are available before release: German, English.

Configuration

Password: admin/admin
must be changed after the first login
HTTPS: enforced by default
Update: Web → Firmware update
automatic updates are enabled by default
Trust Anchors: Web → Identities → Options for experts → Certificate: Base64
SIP-URI User: Web → Identities → SIP username
SIP-URI Host: Web → Identities → SIP registrar
SIP-over-TLS: Web → Identities → Options for experts → SIPS
SDES-sRTP: Web → Identities → Options for experts → SRTP: Preferred
which offers both RTP/SAVP and RTP/AVP in the SDP
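
To show what "SRTP: Preferred" means on the wire, and how the answering side should treat such an offer, here is an added example in Python (my own illustration, not Auerswald's code and not taken from the page). "Preferred" is modelled as two m= lines for the same audio stream, RTP/SAVP with a=crypto attributes (RFC 4568) first and a plain RTP/AVP fallback second; the answerer takes the first m= line it can serve and sets the port of the other to 0 (RFC 3264). The suite names are the IANA-registered SDES suites; the set of locally supported suites, the addresses and the ports are constructed assumptions. The example also covers the general case of a suite the answerer does not implement, such as an AES-256 suite on a device that only does AES-128: it is skipped rather than "accepted" into a call without audio.

```python
"""Added example, not Auerswald's code: an SDP offer in "SRTP: Preferred" style
(RTP/SAVP + RTP/AVP) and an answerer that only accepts crypto suites it
really implements. Addresses, ports and the supported-suite set are
constructed assumptions.
"""
import base64
import os

# Master key + master salt length per suite (RFC 4568 section 6.1.1, RFC 6188):
# 16 + 14 bytes for the AES-128 suites, 32 + 14 bytes for the AES-256 suites.
KEY_SALT_LEN = {
    "AES_CM_128_HMAC_SHA1_80": 30,
    "AES_CM_128_HMAC_SHA1_32": 30,
    "AES_256_CM_HMAC_SHA1_80": 46,
    "AES_256_CM_HMAC_SHA1_32": 46,
}
AUDIO_ATTRS = ["a=rtpmap:0 PCMU/8000", "a=rtpmap:8 PCMA/8000"]


def crypto_line(tag, suite):
    """One a=crypto line with a fresh random master key (inline key method)."""
    key = base64.b64encode(os.urandom(KEY_SALT_LEN[suite])).decode()
    return f"a=crypto:{tag} {suite} inline:{key}"


def build_offer(port, suites, fallback=True, ip="192.0.2.10"):
    """Offer in "Preferred" style (SAVP + AVP) or "Required" style (SAVP only)."""
    lines = ["v=0", f"o=- 1 1 IN IP4 {ip}", "s=-", f"c=IN IP4 {ip}", "t=0 0",
             f"m=audio {port} RTP/SAVP 0 8", *AUDIO_ATTRS]
    lines += [crypto_line(i + 1, s) for i, s in enumerate(suites)]
    if fallback:
        lines += [f"m=audio {port + 2} RTP/AVP 0 8", *AUDIO_ATTRS]
    return "\r\n".join(lines) + "\r\n"


def parse_media(sdp):
    """Media sections of an SDP body as dicts: proto, port, list of (tag, suite, keyparams)."""
    sections = []
    for line in sdp.splitlines():
        if line.startswith("m="):
            _, port, proto, *_ = line.split()
            sections.append({"proto": proto, "port": int(port), "crypto": []})
        elif line.startswith("a=crypto:") and sections:
            tag, suite, keyparams, *_ = line[len("a=crypto:"):].split()
            sections[-1]["crypto"].append((tag, suite, keyparams))
    return sections


def usable_crypto(crypto, supported):
    """First offered (tag, suite) the answerer implements and whose key has the
    length the suite requires. An unsupported suite (e.g. AES-256 on a phone that
    only does AES-128) is skipped instead of being accepted into silence."""
    for tag, suite, keyparams in crypto:
        if suite not in supported or not keyparams.startswith("inline:"):
            continue
        # inline:<base64 key||salt>[|lifetime|MKI:len]  -- only the key part is checked
        try:
            key = base64.b64decode(keyparams[len("inline:"):].split("|")[0])
        except ValueError:
            continue
        if len(key) == KEY_SALT_LEN[suite]:
            return tag, suite
    return None


def answer(offer_sdp, supported, ip="192.0.2.20", port=30000):
    """Build the answer: accept the first m= line we can serve, zero out the rest.
    Returns None when nothing is acceptable (the caller then sends 488 Not Acceptable Here)."""
    chosen = None
    body = ["v=0", f"o=- 1 1 IN IP4 {ip}", "s=-", f"c=IN IP4 {ip}", "t=0 0"]
    for sec in parse_media(offer_sdp):
        if chosen is not None or sec["port"] == 0:
            body.append(f"m=audio 0 {sec['proto']} 0")      # already served or offered as disabled
            continue
        if sec["proto"] == "RTP/SAVP":
            pick = usable_crypto(sec["crypto"], supported)
            if pick is None:
                body.append("m=audio 0 RTP/SAVP 0")        # no usable suite: reject, try the fallback
                continue
            tag, suite = pick
            body += [f"m=audio {port} RTP/SAVP 0 8", *AUDIO_ATTRS, crypto_line(tag, suite)]
            chosen = {"proto": "RTP/SAVP", "suite": suite}
        elif sec["proto"] == "RTP/AVP":
            body += [f"m=audio {port} RTP/AVP 0 8", *AUDIO_ATTRS]
            chosen = {"proto": "RTP/AVP", "suite": None}
        else:
            body.append(f"m=audio 0 {sec['proto']} 0")      # unknown profile
    if chosen is None:
        return None
    chosen["sdp"] = "\r\n".join(body) + "\r\n"
    return chosen
```

With `fallback=False` the offer is what "SRTP: Required" would send; an answerer without a matching suite then returns None, which is the correct outcome, whereas accepting a suite it cannot run is exactly what produces a call without audio.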

Software Bugs

SHA-2 Digest: when the registrar challenges with a SHA-2 digest, the phone does not fall back to the MD5 challenge but continues without an Authorization header; therefore it is not able to register, and is therefore incompatible with Linphone
AES-256 sRTP: a crypto suite with AES-256 is accepted although the phone does not support it; therefore no audio
Named Curves: just P-256, no P-384
This rules out ECC-based certificates whose public key uses a curve larger than P-256.
DNS NAPTR: not supported
Call Reject (UDUB, user determined user busy): sends status 603 (Decline); found no way to send status 486 (Busy Here)
Signaling DiffServ: SIP is not marked 0xa0 (DSCP CS5) but 0x00
Audio DiffServ: in IPv6, RTP is marked 0x00; in IPv4, RTP is marked 0xb8 (DSCP EF)
IP Port Source: the port in the SIP headers Via and Contact is not the actual source port but another ephemeral port (TCP and TLS affected; works with UDP)
Mitigation: none known on the phone side; the service has to ignore the advertised port and re-use the existing TCP connection instead
SIP NAT Traversal: Web → Identities → NAT → SIP NAT Traversal: Active (which is rport as UNSAF mechanism) or Active with STUN
If one of those two options is selected, the SIP stack does not start at all when IPv6 connectivity is available.
Mitigation A: Web → Identities → NAT → SIP NAT Traversal: Inactive; or
Mitigation B: Web → Identities → Options for experts → IP version: not IPv6 or Auto but IPv4; or
Mitigation C: Web → Network → IPv6 → Disabled (default)
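
The SHA-2 Digest bug above is about a client that receives several WWW-Authenticate challenges. RFC 8760 adds SHA-256 and SHA-512/256 to SIP Digest; the registrar lists its challenges in order of preference and still offers MD5 for legacy clients, and the client is expected to answer the first challenge whose algorithm it implements. A phone that only does MD5 therefore has to skip the SHA-2 challenge and answer the MD5 one, not re-send the request unauthenticated. Here is an added example in Python of that client logic (my own illustration, not Auerswald's code and not from the page); realm, nonce, user, password and URIs are constructed assumptions, and the registrar side is included only so the exchange can be checked offline.

```python
"""Added example, not Auerswald's code: SIP Digest client that picks a usable
challenge out of several WWW-Authenticate header fields (RFC 8760 style) and
computes the response; plus the registrar-side check. All credentials, nonces
and URIs are constructed assumptions.
"""
import hashlib
import re
import secrets

# Algorithms this client implements. RFC 8760 also defines SHA-512-256 (left out here),
# and a registrar may challenge with only that; such a challenge must be skipped.
ALGORITHMS = {"MD5": hashlib.md5, "SHA-256": hashlib.sha256}

_PARAM = re.compile(r'(\w[\w-]*)=(?:"([^"]*)"|([^,\s]+))')


def _params(text):
    return {m.group(1).lower(): m.group(2) if m.group(2) is not None else m.group(3)
            for m in _PARAM.finditer(text)}


def parse_challenges(sip_response):
    """One dict per WWW-Authenticate header field of a 401/407, in header order."""
    challenges = []
    for line in sip_response.split("\r\n"):
        name, sep, value = line.partition(":")
        value = value.strip()
        if sep and name.strip().lower() == "www-authenticate" and value.startswith("Digest "):
            params = _params(value[len("Digest "):])
            params.setdefault("algorithm", "MD5")        # RFC 3261: MD5 when absent
            challenges.append(params)
    return challenges


def pick_challenge(challenges, supported=ALGORITHMS):
    """First challenge (server preference order) whose algorithm we implement."""
    for ch in challenges:
        if ch["algorithm"].upper() in supported:
            return ch
    return None


def _h(algorithm, data):
    return ALGORITHMS[algorithm.upper()](data.encode()).hexdigest()


def digest_response(ch, username, password, method, uri, cnonce="", nc="00000001"):
    """RFC 3261 / RFC 7616 Digest with the challenge's algorithm, qop=auth when offered."""
    alg = ch["algorithm"]
    ha1 = _h(alg, f"{username}:{ch['realm']}:{password}")
    ha2 = _h(alg, f"{method}:{uri}")
    if "auth" in ch.get("qop", "").split(","):
        return _h(alg, f"{ha1}:{ch['nonce']}:{nc}:{cnonce}:auth:{ha2}")
    return _h(alg, f"{ha1}:{ch['nonce']}:{ha2}")


def authorization_header(sip_response, username, password, method, uri, supported=ALGORITHMS):
    """Authorization header for the retried request, or None when no offered
    challenge is usable. A client must not simply repeat the request without it."""
    ch = pick_challenge(parse_challenges(sip_response), supported)
    if ch is None:
        return None
    cnonce = secrets.token_hex(8)
    resp = digest_response(ch, username, password, method, uri, cnonce)
    parts = [f'username="{username}"', f'realm="{ch["realm"]}"', f'nonce="{ch["nonce"]}"',
             f'uri="{uri}"', f'algorithm={ch["algorithm"]}', f'response="{resp}"']
    if "auth" in ch.get("qop", "").split(","):
        parts += ["qop=auth", "nc=00000001", f'cnonce="{cnonce}"']
    return "Authorization: Digest " + ", ".join(parts)


def registrar_verify(auth_header, password, method):
    """Registrar side: recompute the response from the header's own parameters."""
    p = _params(auth_header.split("Digest ", 1)[1])
    ch = {"realm": p["realm"], "nonce": p["nonce"],
          "algorithm": p.get("algorithm", "MD5"), "qop": p.get("qop", "")}
    if ch["algorithm"].upper() not in ALGORITHMS:
        return False
    expected = digest_response(ch, p["username"], password, method, p["uri"],
                               p.get("cnonce", ""), p.get("nc", "00000001"))
    return secrets.compare_digest(expected, p["response"])


# Constructed 401 as an RFC 8760 registrar sends it: SHA-256 first, MD5 as legacy fallback.
CHALLENGE_401 = (
    "SIP/2.0 401 Unauthorized\r\n"
    'WWW-Authenticate: Digest realm="sip.example.net", nonce="4c7ac1b1", algorithm=SHA-256, qop="auth"\r\n'
    'WWW-Authenticate: Digest realm="sip.example.net", nonce="4c7ac1b1", algorithm=MD5, qop="auth"\r\n'
    "Content-Length: 0\r\n\r\n"
)
```

Calling `authorization_header(CHALLENGE_401, user, password, "REGISTER", uri)` with the full `ALGORITHMS` answers the SHA-256 challenge; with `supported={"MD5": ALGORITHMS["MD5"]}` (an MD5-only phone) it answers the MD5 challenge, which is the behaviour the phone lacks.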
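
The IP Port Source bug and the rport setting above both concern what a SIP service does with the port in the top Via. The mitigation the page names (ignore the advertised port, re-use the TCP connection) is what RFC 3261 section 18.2.2 already requires: over a reliable transport the response goes back on the connection the request arrived on; only over UDP do the Via "received" parameter and, with rport (RFC 3581), the filled-in source port decide where the response is sent. Here is an added example in Python of that receive-side logic (my own illustration, not Auerswald's code and not from the page); the request text, addresses, ports and the connection object are constructed assumptions.

```python
"""Added example, not Auerswald's code: receive-side Via handling of a SIP
service, deciding where a response goes when the Via sent-by port does not
match the transport-layer source port. Request text, addresses, ports and the
connection object are constructed assumptions.
"""
import re

_TOP_VIA = re.compile(
    r"^Via:\s*SIP/2\.0/(?P<transport>[A-Z]+)\s+"
    r"(?P<host>\[[^\]]+\]|[^:;\s]+)(?::(?P<port>\d+))?(?P<params>(?:;[^\r\n]*)?)\r?$",
    re.I | re.M,
)


def parse_top_via(request):
    """Transport, sent-by host/port and parameters of the topmost Via header."""
    m = _TOP_VIA.search(request)
    if m is None:
        raise ValueError("request has no Via header")
    params = {}
    for p in m.group("params").split(";")[1:]:
        name, _, value = p.partition("=")
        params[name.strip().lower()] = value.strip() if value else None   # bare ";rport"
    return {"transport": m.group("transport").upper(), "host": m.group("host"),
            "port": int(m.group("port")) if m.group("port") else None, "params": params}


def stamp_received(via, src_ip, src_port):
    """Processing on receipt (RFC 3261 18.2.1, RFC 3581 section 4): record the real
    source address if it differs from sent-by, and fill in rport when the client
    asked for it. Returns a copy of the Via with the updated parameters."""
    params = dict(via["params"])
    if via["host"].strip("[]") != src_ip:
        params["received"] = src_ip
    if "rport" in params and params["rport"] is None:
        params["rport"] = str(src_port)
    return {**via, "params": params}


def response_destination(via, connection=None):
    """Where the response goes, after stamp_received().

    connection: the open TCP/TLS connection the request arrived on, or None.
    Returns ("connection", conn) when that connection is reused, otherwise
    ("send", transport, host, port): for UDP, or for a new connection when the
    original one is gone (RFC 3261 18.2.2 fallback)."""
    reliable = via["transport"] in ("TCP", "TLS", "SCTP")
    if reliable and connection is not None:
        # The sent-by port is irrelevant here: answer on the same connection. This is
        # also what sidesteps a phone that advertises a port it never listens on.
        return ("connection", connection)
    host = via["params"].get("received", via["host"])
    port = via["params"].get("rport") or via["port"] or (5061 if via["transport"] == "TLS" else 5060)
    return ("send", via["transport"], host, int(port))


def route(request, src_ip, src_port, connection=None):
    """Full receive-side path: parse the top Via, stamp it, decide the destination."""
    return response_destination(stamp_received(parse_top_via(request), src_ip, src_port), connection)


# Constructed REGISTER as the page describes the bug: the phone's TLS connection
# comes from source port 40001, but Via and Contact advertise port 51234.
REGISTER_TLS = (
    "REGISTER sip:sip.example.net SIP/2.0\r\n"
    "Via: SIP/2.0/TLS 192.0.2.10:51234;branch=z9hG4bKa1b2c3;rport\r\n"
    "Contact: <sips:alice@192.0.2.10:51234>\r\n"
    "Content-Length: 0\r\n\r\n"
)
# Constructed REGISTER over UDP from behind NAT, with a bare rport request.
REGISTER_UDP = (
    "REGISTER sip:sip.example.net SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 10.0.0.5;branch=z9hG4bKd4e5f6;rport\r\n"
    "Content-Length: 0\r\n\r\n"
)
```

For `REGISTER_TLS`, `route(request, "192.0.2.10", 40001, connection=conn)` answers on `conn` regardless of the 51234 in the Via; without a live connection it falls back to the stamped rport 40001, never to the advertised port. For the UDP request the response goes to the "received" address and the filled-in rport.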

Security

Privacy: the device phones home to Google (connectivity check) but fails on TLS because NTP is not ready yet
Responsible Disclosure: via e-mail
Firmware Update: automatic updates are missing when the phone is IPv6-only
no newsletter announcing firmware updates

Miscellaneous

Model Range

Power Supply

PoE only
