VoIP: SIP-over-TLS and sRTP: Avaya

Your phone might ship with a firmware version that does not yet have the Web server. Therefore, I recommend updating to the latest firmware version first, as described under Configuration.

Avaya phones have several configuration interfaces: the Phone menu, the Web interface, and the Settings file. The Settings file is optional and is fetched from an HTTP(S) server. By default the file is called ‘46xxsettings.txt’; the filename can be changed in the file ‘J100Supgrade.txt’. Avaya publishes an example Settings file in which all parameters, their possible values, and their defaults are listed. The Settings file is the most powerful of the three interfaces. Nevertheless, a combination of the Phone and Web interface was sufficient for me.

Last tested firmware

4.0.1.0
retested in May 2020 with 4.0.5.0

Configuration

Password: Phone: 27238
Web: no default value; set one under Web → Password
HTTPS: enabled by default
Update:
  1. download and extract the latest firmware package
  2. upload the file J100Supgrade.txt to an HTTP(S) server
  3. upload your .bin files to that server as well
  4. Phone → (hardware button) Options → Administration → IP Configuration → Servers → HTTP(S) Server
After you leave that menu, the phone should restart automatically, fetch the upgrade file and the firmware from that server, and update itself. Because the same server is also where the phone would fetch a Settings file, anyone who controls it could push settings that downgrade your connection (for example to plain UDP or unencrypted RTP). I therefore removed the server afterwards: Phone → (hardware button) Options → Administration → IP Configuration → Servers → HTTP(S) Server: 0.0.0.0
Trust Anchors: Web → Certificates → (Certificates) Upload Trusted Certificate
SIP-URI User: Web → SIP → SIP User ID
SIP-URI Host: Web → SIP → SIP Domain
Web → SIP → Proxy Policy: Manual
Web → SIP → SIP Proxy Server
SIP-over-TLS: used by default
Recommended: Web → Settings → Phone Menu Options → UDP Transport: Allow
SDES-sRTP: Web → SIP → (SRTP) SDP Negotiation Capability (RFC 5939): No
otherwise, the crypto line is only offered through RFC 5939 capability negotiation, which a peer without RFC 5939 support does not understand, so the line might get ignored (Digium Asterisk 13/chan_sip).
Web → SIP → (SRTP) → Encrypt RTCP: Yes
otherwise, the crypto line carries the ‘UNENCRYPTED_SRTCP’ session parameter (RFC 4568) and RTCP goes in the clear.
Web → SIP → (SRTP) Media Encryption: aescm128-hmac80, none
i.e. the phone first offers RTP/SAVP with AES_CM_128_HMAC_SHA1_80; if the far side answers 488 Not Acceptable Here, it re-offers plain RTP/AVP. The ‘none’ entry is what makes that fallback possible; drop it if all your peers support sRTP, so a call can never silently fall back to unencrypted media.
The Settings file interface allows ordering the crypto suites if you want to prefer AES-256 over AES-128, for example.
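Added example, written for this page and not taken from it or from Avaya: what the three SRTP settings above mean on the wire. It builds RFC 4568 (SDES) crypto lines, walks the RTP/SAVP → 488 → RTP/AVP fallback that ‘aescm128-hmac80, none’ allows, shows the ‘UNENCRYPTED_SRTCP’ parameter, and classifies an offer the way a peer without RFC 5939 support would see it. The mapping of the web-page suite labels to RFC suite names is an assumption, and the SIP answer codes are constructed, not captured.

```python
"""SDES-SRTP offer/answer behaviour behind the phone's SRTP settings (added example)."""
import base64
import os
import re

# Web-page label -> RFC 4568 / RFC 6188 suite name (assumed mapping); 'none' = plain RTP/AVP allowed.
SUITES = {
    "aescm128-hmac80": "AES_CM_128_HMAC_SHA1_80",
    "aescm256-hmac80": "AES_256_CM_HMAC_SHA1_80",
    "none": None,
}


def crypto_line(tag, suite, encrypt_rtcp=True, key=None):
    """One a=crypto line. Master key + salt is 16+14 bytes for AES_CM_128, 32+14 for AES_256."""
    if key is None:
        key = os.urandom(46 if "256" in suite else 30)
    line = f"a=crypto:{tag} {suite} inline:{base64.b64encode(key).decode()}"
    if not encrypt_rtcp:
        line += " UNENCRYPTED_SRTCP"  # RFC 4568 session parameter: RTCP travels in the clear
    return line


def build_audio_sdp(profile, crypto_lines=(), rfc5939=False):
    """Minimal audio section. With rfc5939=True the crypto lines are not offered directly
    but tucked into a capability-negotiation block (a=acap/a=tcap/a=pcfg) that a peer
    without RFC 5939 support simply skips, leaving a plain RTP/AVP offer."""
    lines = [f"m=audio 49170 {profile} 0 8", "a=rtpmap:0 PCMU/8000", "a=rtpmap:8 PCMA/8000"]
    if rfc5939:
        for i, cl in enumerate(crypto_lines, 1):
            lines.append(f"a=acap:{i} {cl[2:]}")  # drop the leading 'a='
        alts = "|".join(str(i) for i in range(1, len(crypto_lines) + 1))
        lines += ["a=tcap:1 RTP/SAVP", f"a=pcfg:1 t=1 a={alts}"]
    else:
        lines.extend(crypto_lines)
    return "\r\n".join(lines) + "\r\n"


def inspect_sdp(sdp):
    """What the offer actually protects, as seen by a plain SDES peer such as chan_sip."""
    m = re.search(r"^m=audio \d+ (\S+)", sdp, re.M)
    profile = m.group(1) if m else None
    direct = re.findall(r"^a=crypto:\d+ (\S+) inline:\S+(.*)$", sdp, re.M)
    capneg = re.findall(r"^a=acap:\d+ crypto:\d+ (\S+) inline:\S+(.*)$", sdp, re.M)
    suites = [s for s, _ in direct] or [s for s, _ in capneg]
    clear_rtcp = any("UNENCRYPTED_SRTCP" in p for _, p in direct + capneg)
    return {
        "profile": profile,
        "suites": suites,
        "media_encrypted": profile == "RTP/SAVP" and bool(direct),
        "rtcp_encrypted": bool(suites) and not clear_rtcp,
        "crypto_only_via_rfc5939": not direct and bool(capneg),
    }


def negotiate(configured, answer_codes, encrypt_rtcp=True):
    """Model of the fallback behind 'Media Encryption: aescm128-hmac80, none':
    offer RTP/SAVP with the configured suites; if the far end answers 488,
    re-offer plain RTP/AVP, but only when 'none' is in the list.
    answer_codes is a constructed sequence of SIP responses to each offer.
    Returns the (profile, sdp) offers in the order they were sent."""
    suites = [SUITES[s] for s in configured if SUITES[s]]
    codes = iter(answer_codes)
    offers = []
    if suites:
        lines = [crypto_line(i, s, encrypt_rtcp) for i, s in enumerate(suites, 1)]
        offers.append(("RTP/SAVP", build_audio_sdp("RTP/SAVP", lines)))
        if next(codes, 200) != 488:
            return offers
    if "none" in configured:
        offers.append(("RTP/AVP", build_audio_sdp("RTP/AVP")))
    return offers


if __name__ == "__main__":
    for profile, sdp in negotiate(["aescm128-hmac80", "none"], [488]):
        print(profile, inspect_sdp(sdp))
```

Run `negotiate(["aescm128-hmac80"], [488])` to see that without ‘none’ the phone has nothing left to offer after a 488, which is the safe failure mode; with ‘none’ the second offer is unencrypted RTP/AVP.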

Software Bugs

SHA-2 Digest authentication: the phone ignores the ‘algorithm’ parameter of the challenge and simply picks the first one; therefore incompatible with Linphone
DNS NAPTR: the phone never selects the TLS transport from NAPTR records, only TCP or UDP
Audio: with my Digium Asterisk 13, the Opus codec plays back slower/faster
Mitigation: Web → SIP → (Codecs) OPUS → Disable
Web Server: Google Chrome rejects the default TLS certificate for HTTPS
Mitigation: Web → Certificates → Upload Custom Webserver Certificate
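Added example, not from this page or from Avaya, for the SHA-2 Digest bug above: what happens when a client answers the first challenge but ignores its ‘algorithm’ parameter (RFC 7616 / RFC 8760). The registrar, the credentials and the nonce are constructed; ‘buggy_client’ models the reported behaviour, not Avaya's actual code.

```python
"""Digest authentication with and without honouring the 'algorithm' parameter (added example)."""
import hashlib

# RFC 8760 algorithm tokens handled here -> hashlib constructors
ALGORITHMS = {"MD5": hashlib.md5, "SHA-256": hashlib.sha256}

# Constructed: a registrar that offers SHA-256 first and MD5 second, the order RFC 8760 recommends.
CHALLENGES = [
    {"algorithm": "SHA-256", "realm": "sip.example.net", "nonce": "c3d8e1a0b2f4"},
    {"algorithm": "MD5", "realm": "sip.example.net", "nonce": "c3d8e1a0b2f4"},
]
# Constructed credentials for the REGISTER being challenged.
CREDS = {"user": "1001", "password": "s3cret", "method": "REGISTER", "uri": "sip:sip.example.net"}


def digest_response(alg, user, realm, password, method, uri, nonce):
    """RFC 7616 response without qop (the legacy RFC 2617 form still common in SIP)."""
    def h(s):
        return ALGORITHMS[alg](s.encode()).hexdigest()
    ha1 = h(f"{user}:{realm}:{password}")
    ha2 = h(f"{method}:{uri}")
    return h(f"{ha1}:{nonce}:{ha2}")


def _answer(alg_used, ch):
    return digest_response(alg_used, CREDS["user"], ch["realm"], CREDS["password"],
                           CREDS["method"], CREDS["uri"], ch["nonce"])


def correct_client(challenges, supported=("SHA-256", "MD5")):
    """Take the first challenge whose algorithm we support and hash with that algorithm.
    Returns (algorithm echoed in the Authorization header, response)."""
    for ch in challenges:
        if ch["algorithm"] in supported:
            return ch["algorithm"], _answer(ch["algorithm"], ch)
    raise ValueError("no supported algorithm offered")


def buggy_client(challenges):
    """Model of the reported bug: answers the first challenge, echoes its algorithm,
    but always computes the response with MD5 regardless of what was asked for."""
    ch = challenges[0]
    return ch["algorithm"], _answer("MD5", ch)


def registrar_verify(claimed_alg, response, challenges):
    """Registrar side: recompute with the algorithm the client claims to have used."""
    ch = next(c for c in challenges if c["algorithm"] == claimed_alg)
    return response == _answer(claimed_alg, ch)
```

Against a registrar that lists SHA-256 first the buggy client is rejected on every REGISTER; reverse the challenge order (MD5 first) and the same client authenticates, which is why the problem only shows up with peers that advertise SHA-2 ahead of MD5.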

Security

Privacy: the device phones home to https://des.avaya.com
Web → Management → (Device Enrollment Service) DES Discovery: Disabled
should disable this but did not in my tests.
Responsible Disclosure: via the PSIRT team
Firmware Update: no automatic update mechanism
no release newsletter

Miscellaneous

Model Range

Power Supply

5 V 2 A, Coaxial: 5.5 mm × 2.5 mm
