VoIP: SIP-over-TLS and sRTP: AVM FRITZ!Box Fon

Originally, AVM planned to add SDES-sRTP with FRITZ!OS 5. However, it took until 22nd Nov. 2019, twelve years later, for this feature to be officially re-introduced.

Last tested firmware

7590: 07.19-78144, comes with OpenSSL 1.1.1
7490: 07.19-78142, comes with OpenSSL 1.1.1
6490 Cable: 07.20, comes with OpenSSL 1.0.2, therefore no TLS 1.3 and no Curve25519

Configuration

Password: has to be changed on first use
HTTPS: enabled by default
Update: System → Update
Trust Anchors: unknown list
SIP-URI User: Telefonie → Eigene Rufnummern → Neu → Telefonie-Anbieter: Anderer → Rufnummer für die Anmeldung
… Benutzername
SIP-URI Host: … Registrar
SIP-over-TLS: … Transportprotokoll: TLS
SDES-sRTP: … Der Anbieter unterstützt verschlüsselte Telefonie über SRTP nach RFC 3711 und RFC 4568: On
… Media Protocol: RTP/AVP und RTP/SAVP
which is RTP/SAVP + RTP/AVP
Miscellaneous: Ortsvorwahl für ausgehende Gespräche einfügen: Off
Interne Rufnummer in der FRITZ!Box: make up a number

Software Bugs

SHA-2 Digest: does not pick MD5, continues without the Authorization header, and is therefore not able to register (AVM Ticket 3357846); therefore incompatible with Linphone
AES-GCM sRTP: In an incoming call, if the first crypto suite is unknown, the whole SDP is rejected with SIP status 488, even if supported crypto suites were offered. In other words: The first crypto suite offered must be known to AVM; otherwise, the call is not accepted. (AVM Ticket 3445658)
OsRTP: Media Protocol: RTP/AVP which is RTP/AVP with crypto
The remote party has to answer with (A) RTP/AVP without crypto or (B) RTP/AVP with crypto; (C) RTP/SAVP as an answer is not possible. (AVM Ticket 3445041)
DNS-NAPTR: no TLS, just TCP and UDP (AVM Ticket 3483627)
Client TLS: offers TLS 1.3, TLS 1.2, TLS 1.1 but no TLS 1.0
Server TLS: when using the SIP B2BUA, only UDP and TCP but not TLS is offered
DiffServ: SIP and RTP depend on the settings for the Internet Service Provider (ISP; default 0); although in mode IP Client, you are the ISP yourself. (AVM Ticket 3545501)
Mitigation: change (Perl, Python, PHP) the parameter rtp_prio to 46 in the file voip.cfg
when using the SIP B2BUA, SIP is at sip_prio and RTP is fixed at 56
Signaling DiffServ: does not work for TCP (and TLS), only for UDP (AVM Ticket 3581282)
Port-Forwarding DiffServ: When using a SIP device behind a FRITZ!Box as router, and you created a Port Forwarding to that SIP device, FRITZ!OS zeroizes the DSCP field both for incoming and outgoing packets. (AVM Ticket 3581232)
Compact Form: Session-Expires (x) not understood (AVM Ticket 3695572)
Because of this, calls get dropped when the FRITZ!Box was designated as the session refresher. However, Session Timers are not enabled by default and cannot be enabled via the Web interface. For my tests, I changed the parameter use_session_timer in the file voip.cfg.
IP Port Source: not the actual port but the port 5061 in the SIP headers Via and Contact (AVM Ticket 3712690); fixed since FRITZ!OS 07.24
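
The AES-GCM sRTP item above, as an added example (not code from AVM or from this page): it parses the a=crypto lines of an SDP offer and flags media sections that an answerer looking only at the first suite would reject although a later offered suite is common to both sides. KNOWN_SUITES (the three suites RFC 4568 defines), the function names and the sample offer are assumptions; the page does not list the suites FRITZ!OS implements.

```python
import base64
import re

# Assumption: the three suites RFC 4568 defines stand in for "known to AVM";
# the page does not list what FRITZ!OS actually implements.
KNOWN_SUITES = {"AES_CM_128_HMAC_SHA1_80", "AES_CM_128_HMAC_SHA1_32",
                "F8_128_HMAC_SHA1_80"}
CRYPTO_RE = re.compile(r"^a=crypto:(\d+) +(\S+) +inline:\S+")

def _key(n):
    """Constructed all-zero master key||salt of n bytes, for the sample only."""
    return base64.b64encode(bytes(n)).decode()

# Constructed offer: AES-GCM (RFC 7714) preferred, AES-CM as fallback.
SAMPLE_OFFER = "\r\n".join([
    "v=0", "o=- 1 1 IN IP4 192.0.2.10", "s=-", "c=IN IP4 192.0.2.10", "t=0 0",
    "m=audio 49170 RTP/SAVP 8 0",
    "a=crypto:1 AEAD_AES_128_GCM inline:" + _key(28),
    "a=crypto:2 AES_CM_128_HMAC_SHA1_80 inline:" + _key(30),
]) + "\r\n"

def offered_suites(sdp):
    """Return [(media, proto, [suites in offer order])] for each m= section."""
    sections = []
    for line in sdp.splitlines():
        if line.startswith("m="):
            media, _port, proto = line[2:].split()[:3]
            sections.append((media, proto, []))
        elif sections and (m := CRYPTO_RE.match(line)):
            sections[-1][2].append(m.group(2))
    return sections

def pick_any_known(suites):
    """RFC 4568 answerer: accept the most preferred offered suite it knows."""
    return next((s for s in suites if s in KNOWN_SUITES), None)

def pick_first_only(suites):
    """Behaviour reported on the page: only the first offered suite counts."""
    return suites[0] if suites and suites[0] in KNOWN_SUITES else None

def audit_offer(sdp):
    """List (media, first suite, usable fallback) for sections that a
    first-suite-only answerer would reject with 488 despite a common suite."""
    return [(media, suites[0], pick_any_known(suites))
            for media, _proto, suites in offered_suites(sdp)
            if pick_any_known(suites) and not pick_first_only(suites)]

if __name__ == "__main__":
    for finding in audit_offer(SAMPLE_OFFER):
        print("would be rejected although a common suite exists:", finding)
```

An empty result from audit_offer means the offer already lists a suite from KNOWN_SUITES first, which is the ordering the remote party needs for the call to be accepted.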

Miscellaneous

Model Range

Power Supply

12 V 2.5 A, Coaxial: 5.5 mm × 2.1 mm
