VoIP: SIP-over-TLS and sRTP: CommuniGate Pro

Let us have a look at CommuniGate Pro (also known as CGatePro, CGPro, or CGP). It plays the role of a VoIP/SIP server (registrar and proxy) for the attached phones, and the role of a VoIP/SIP client towards remote SIP services such as a PSTN gateway. Because it terminates and re-originates not only the signaling (SIP) but also the media (RTP), such software is called a Back-to-Back User Agent (B2BUA). In 2004, with version 4.2, Stalker Software added VoIP/SIP to CommuniGate Pro. SDES-sRTP followed in 2012 with 6.0, and TLS with Perfect Forward Secrecy (TLS-PFS) in 2015 with 6.1.6. Although TLS 1.2 (since 6.0) and AES-GCM (since 6.2) are supported in general, they are still not available for remote SIP (RSIP) connections. Go figure!

Last tested version

6.2.15 (requires login since Jan. 2020)

Configuration

Password: The password for postmaster (root) has to be set within 10 minutes after first start.
Web → Users → Domains → your domain → Objects → postmaster → (Settings) CommuniGate Password
HTTPS: enabled by default, port 9010
Web → Settings → Services → HTTPA → Listener → (TCP) Init SSL/TLS = on: Port
Server Certificate: Web → Users → Domains → your domain → Security → SSL/TLS → (Private Key) Key Size: Import
Trust Anchors: Web → Users → Security → Trusted
SIP-URI User: (Registrar) Web → Users → Domains → your domain → Objects → postmaster → Real-Time → RSIP → Account
(Proxy) Web → Users → Account Defaults → PSTN → Name for Gateway
SIP-URI Host: (Registrar) Web → Users → Domains → your domain → Objects → postmaster → Real-Time → RSIP → at Host
(Proxy) Web → Users → Account Defaults → PSTN → Gateway Domain
SIP-over-TLS: Web → Settings → Real-Time → SIP → Transport → (Send Encrypted) Signals: to Domains: Star = Wildcard
SDES-sRTP: Web → Settings → Real-Time → SIP → Transport → (Send Encrypted) Media: to Domains (SRTP)
… Optional Media Security

Software Bugs

AES-128 TLS cipher suites: missing; therefore not compatible with DUStel or Easybell
DNS-NAPTR: missing
Session Timers: not tested because SDES-sRTP did not work (see below)
Source Port: not randomized by default, always 5060
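Whether a B2BUA really offers SDES-sRTP on an outgoing call is decided by the SDP body of the INVITE it sends: the m= line must carry the RTP/SAVP profile and there must be at least one well-formed a=crypto attribute with key material of the right length (RFC 4568). The Python script below is an added example, not code from CommuniGate Pro or from this page; it implements that check over SDP bodies that are constructed samples (including the key material), so it runs offline. For a real test, feed it the body of an INVITE captured between the server and the provider.

```python
"""Check whether a SIP offer's SDP really carries an SDES-SRTP key (RFC 4568).

Added example, not CommuniGate Pro code: the check one runs over a captured
INVITE or 200 OK body to confirm or refute that a B2BUA configured to send
encrypted media actually offers SRTP to a peer. All SDP bodies and key
material below are constructed samples.
"""
import base64
import re

# master key + master salt length in bytes for the RFC 4568 crypto-suites
SDES_KEY_SALT_LEN = {
    "AES_CM_128_HMAC_SHA1_80": 16 + 14,
    "AES_CM_128_HMAC_SHA1_32": 16 + 14,
    "F8_128_HMAC_SHA1_80": 16 + 14,
}

# a=crypto:<tag> <suite> inline:<base64 key|salt>[|lifetime][|MKI:len] [session-params]
CRYPTO_RE = re.compile(r"^a=crypto:(\d+)\s+(\S+)\s+inline:([A-Za-z0-9+/=]+)(?:\|\S+)?(?:\s+.*)?$")


def media_sections(sdp):
    """Return (m= line, attribute lines) per media description; session-level lines are skipped."""
    sections = []
    for line in (raw.strip() for raw in sdp.splitlines()):
        if line.startswith("m="):
            sections.append((line, []))
        elif sections and line:
            sections[-1][1].append(line)
    return sections


def check_sdes_offer(sdp):
    """Return one result dict per m= line.

    status 'srtp':      RTP/SAVP(F) profile and at least one well-formed a=crypto line
    status 'plain-rtp': RTP/AVP and no crypto attributes at all (what the page reports seeing)
    status 'malformed': anything in between; the peer cannot set up SRTP from such an offer
    """
    results = []
    for mline, attrs in media_sections(sdp):
        fields = mline.split()
        media, proto = fields[0][2:], fields[2]
        usable, problems = [], []
        for attr in attrs:
            m = CRYPTO_RE.match(attr)
            if not m:
                continue
            tag, suite, key_b64 = m.groups()
            expected = SDES_KEY_SALT_LEN.get(suite)
            if expected is None:
                problems.append(f"tag {tag}: unknown crypto-suite {suite}")
                continue
            try:
                key = base64.b64decode(key_b64, validate=True)
            except ValueError:
                problems.append(f"tag {tag}: key is not valid base64")
                continue
            if len(key) != expected:
                problems.append(f"tag {tag}: {suite} needs {expected} key|salt bytes, got {len(key)}")
                continue
            usable.append(suite)
        secure = proto in ("RTP/SAVP", "RTP/SAVPF")
        if secure and usable:
            status = "srtp"
        elif secure:
            status, problems = "malformed", problems + ["RTP/SAVP without a usable a=crypto line"]
        elif usable or problems:
            status, problems = "malformed", problems + [f"a=crypto present but profile is {proto}"]
        else:
            status = "plain-rtp"
        results.append({"media": media, "proto": proto, "status": status,
                        "suites": usable, "problems": problems})
    return results


def summarize(sdp):
    """One line per media section, e.g. 'audio RTP/SAVP: srtp AES_CM_128_HMAC_SHA1_80'."""
    return [f"{r['media']} {r['proto']}: {r['status']} {' '.join(r['suites'] + r['problems'])}".rstrip()
            for r in check_sdes_offer(sdp)]


# Constructed 30-byte key|salt (not a real key; a real offer uses a fresh random one per tag).
KEY_SALT_B64 = base64.b64encode(bytes(range(30))).decode()

# Constructed: an unencrypted outgoing offer, RTP/AVP and no a=crypto.
PLAIN_OFFER = "\r\n".join([
    "v=0", "o=- 1 1 IN IP4 192.0.2.10", "s=-", "c=IN IP4 192.0.2.10", "t=0 0",
    "m=audio 30000 RTP/AVP 0 8 101", "a=rtpmap:0 PCMU/8000", "a=rtpmap:8 PCMA/8000",
    "a=rtpmap:101 telephone-event/8000", "a=sendrecv",
])

# Constructed: the same offer with SDES-SRTP, as "Send Encrypted Media" promises.
SRTP_OFFER = PLAIN_OFFER.replace("RTP/AVP", "RTP/SAVP") + "\r\n" + "\r\n".join([
    f"a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:{KEY_SALT_B64}|2^31",
    f"a=crypto:2 AES_CM_128_HMAC_SHA1_32 inline:{KEY_SALT_B64}",
])

# Constructed: secure profile announced, but only 16 bytes of key material.
SHORT_KEY_OFFER = PLAIN_OFFER.replace("RTP/AVP", "RTP/SAVP") + "\r\n" + \
    f"a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:{base64.b64encode(bytes(16)).decode()}"

if __name__ == "__main__":
    for label, sdp in (("plain", PLAIN_OFFER), ("srtp", SRTP_OFFER), ("short key", SHORT_KEY_OFFER)):
        print(label, *summarize(sdp), sep="\n  ")
```

The three verdicts matter in practice: an offer that announces RTP/SAVP without a usable key, or that attaches a=crypto to RTP/AVP, is reported as malformed rather than as SRTP, because no peer can derive SRTP session keys from it and the call will either fail or run in the clear.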

Security

Bugs: SDES-sRTP not seen for outgoing connections (both PSTN and SIP-URI dialing),
DNS-SRV redirection disables hostname validation,
missing TLS_ECDHE_[RSA|ECDSA]_WITH_AES_128_GCM_SHA256,
RC4 cipher suites still offered (even with MD5),
ECDHE curves with less than 224 bits,
built-in certificates cannot be disabled
Responsible Disclosure: ticket system
Software Update: no automation
no newsletter (anymore)
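Two of the findings above, the missing DNS-NAPTR support and the hostname validation that is switched off once a DNS-SRV record redirects the connection, concern the same mechanism. RFC 3263 resolves a SIP domain via NAPTR and SRV to some host, and RFC 5922 requires the TLS client to check the server certificate against the original SIP domain, not against that host, because the NAPTR and SRV answers themselves are not authenticated (without DNSSEC). The Python below is an added example, not CommuniGate Pro code or code from this page: it implements the lookup over a constructed zone and the identity comparison, and shows side by side what a correct client and a client that validates the SRV target name would accept. All records, host names and certificates in it are constructed.

```python
"""RFC 3263 target resolution and the identity a SIP-over-TLS client must verify.

Added example, not CommuniGate Pro code. It models the NAPTR -> SRV -> host
lookup for a SIP URI domain, then checks the server certificate the way
RFC 5922 requires: against the domain of the SIP URI being reached, never
against the host the (unsigned) SRV answer pointed at. All DNS records and
certificates below are constructed.
"""
import random
from collections import namedtuple

Naptr = namedtuple("Naptr", "order preference flags service replacement")
Srv = namedtuple("Srv", "priority weight port target")

# Constructed zone: example.net outsources SIP to a hoster, so the SRV
# targets live under a different domain than the SIP URIs do.
DNS = {
    ("NAPTR", "example.net"): [
        Naptr(10, 50, "S", "SIPS+D2T", "_sips._tcp.example.net."),
        Naptr(20, 50, "S", "SIP+D2T", "_sip._tcp.example.net."),
        Naptr(30, 50, "S", "SIP+D2U", "_sip._udp.example.net."),
    ],
    ("SRV", "_sips._tcp.example.net"): [
        Srv(10, 60, 5061, "sip1.hosting-provider.example."),
        Srv(10, 40, 5061, "sip2.hosting-provider.example."),
        Srv(20, 0, 5061, "backup.hosting-provider.example."),
    ],
}


def select_srv(records, rng):
    """RFC 2782: lowest priority wins; within it, weighted random choice."""
    best = min(r.priority for r in records)
    pool = sorted((r for r in records if r.priority == best), key=lambda r: r.weight)
    pick, running = rng.randint(0, sum(r.weight for r in pool)), 0
    for rec in pool:
        running += rec.weight
        if running >= pick:
            return rec
    return pool[-1]


def resolve_sip_target(domain, dns, rng=random):
    """RFC 3263 for a TLS-only client: take the best NAPTR with flag "S" and service
    SIPS+D2T (accepting SIP+D2T or SIP+D2U instead would be a downgrade), follow it
    to the SRV set, and return (transport, host, port)."""
    naptrs = sorted(dns.get(("NAPTR", domain), []), key=lambda r: (r.order, r.preference))
    chosen = next((n for n in naptrs if n.flags == "S" and n.service == "SIPS+D2T"), None)
    srv_name = chosen.replacement.rstrip(".") if chosen else f"_sips._tcp.{domain}"
    srvs = dns.get(("SRV", srv_name), [])
    if not srvs:
        return "tls", domain, 5061  # no SRV either: A/AAAA lookup of the domain itself
    rec = select_srv(srvs, rng)
    return "tls", rec.target.rstrip("."), rec.port


def sip_identities(cert):
    """RFC 5922: SIP identities are subjectAltName URIs of the form sip:<domain>
    (no user part) and dNSName entries; the CN counts only when the
    subjectAltName offers no identity at all."""
    ids = []
    for kind, value in cert.get("san", []):
        if kind == "URI" and value.lower().startswith("sip:") and "@" not in value:
            ids.append(value[4:])
        elif kind == "DNS":
            ids.append(value)
    if not ids and cert.get("cn"):
        ids.append(cert["cn"])
    return [i.rstrip(".").lower() for i in ids]


def cert_matches_sip_domain(cert, sip_domain):
    """RFC 5922 comparison: exact and case-insensitive; wildcard names are not
    valid SIP identities and never match."""
    wanted = sip_domain.rstrip(".").lower()
    return any(ident == wanted for ident in sip_identities(cert) if "*" not in ident)


def verify_sips_peer(sip_domain, dns, cert, seed=None):
    """Resolve, then validate the certificate against the SIP URI domain (correct)
    and, for contrast, against the SRV target host, which is what a client ends up
    checking when the SRV redirection steers its hostname validation."""
    transport, host, port = resolve_sip_target(sip_domain, dns, random.Random(seed))
    return {"transport": transport, "host": host, "port": port,
            "valid": cert_matches_sip_domain(cert, sip_domain),
            "accepted_by_srv_target_check": cert_matches_sip_domain(cert, host)}


# Constructed certificates, reduced to the fields the identity check uses.
DOMAIN_CERT = {"cn": "example.net", "san": [("URI", "sip:example.net"), ("DNS", "example.net")]}
HOSTER_CERT = {"cn": "sip1.hosting-provider.example",
               "san": [("DNS", "sip1.hosting-provider.example"), ("DNS", "sip2.hosting-provider.example")]}

if __name__ == "__main__":
    for label, cert in (("domain cert", DOMAIN_CERT), ("hoster cert", HOSTER_CERT)):
        print(label, verify_sips_peer("example.net", DNS, cert, seed=1))
```

verify_sips_peer("example.net", DNS, HOSTER_CERT) shows the failure mode: the hoster's certificate is valid for the SRV target, so a client that validates the redirected host name accepts it, while an RFC 5922 client rejects it and only accepts a certificate that names example.net (DOMAIN_CERT). Since the SRV answer is unsigned, whoever can answer the SRV query for a client of the first kind also chooses which name gets validated.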
