VoIP: SIP-over-TLS and sRTP: Digium

Digium is the creator and maintainer of the open-source VoIP/SIP server Asterisk. Currently, they have four platforms:

D80, based on the Android Open Source Project (AOSP),
D-Series, based on PJProject and an embedded UNIX,
A30, based on Fanvil X5 and higher, and
A-Series, based on Fanvil X4 and lower.

This Web page is about the D-Series, which has a phone, Web, and provisioning interface for configuration. Within the phone interface, you cannot enable SIP-over-TLS. Within the Web interface, you cannot enable SDES-sRTP. Consequently, you have to use the provisioning interface. Furthermore, if you change something in the Web interface, SDES-sRTP is reset to its default = disabled. Therefore, I recommend disabling the Web interface, which is possible via provisioning: web_ui_enabled. You do not need Digium Switchbox or Asterisk for this phone if you are able to edit your DHCP server to send option 66 (tftp-server-name).

Last tested firmware

2_7_0
retested in Oct. 2019 with 2_8_6
retested in May 2020 with 2_9_6

Configuration

Password:	admin/789 Phone → Main Menu → [4] Admin Settings → [7] Change Admin Password
HTTPS:	not available, confirmed by the support team
Update:	Web → General → Firmware
Trust Anchors:	Provisioning: `certs` built-in trust anchors cannot be viewed
SIP-URI User:	Phone → Main Menu → [4] Admin Settings → [6] SIP Accounts → Add New → User ID Web → Lines → 1 → User ID
SIP-URI Host:	Phone → Main Menu → [4] Admin Settings → [6] SIP Accounts → Edit → Server Web → Line → 1 → Hostname
SIP-over-TLS:	Phone: not possible Web → Line → 1 → Transport: TLS Web → Line → 1 → Port: empty (enables DNS-SRV)
SDES-sRTP:	Phone: not possible Web: not possible Provisioning: example which is RTP/SAVP

Software Bugs

SHA-2 Digest:	does not pick MD5, continues without header Authorization, therefore is not able to register; therefore incompatible with Linphone
DNS-NAPTR:	missing
Session Timers:	broken; reset of sRTP-ROC, when re-INVITE
Call Reject (UDUB):	sends status 603; found no way to send status 486
Web interface:	‘ID is a required parameter. (Network)’ Mitigation: Network → (Virtual LAN) Discovery Mode: from None go for Manual and then back to None

Security

Bugs:	~~SIP-over-TLS without authentication~~ fixed in Nov. 2019 with firmware 2_9_1, padlock icon even without SIP-over-TLS, uses a shield as an icon instead of the metaphor of a padlock icon, Cipher Suites include RC4 (even MD5), ECDHE curves with less than 224 bit (OpenSSL 1.0.1), trust anchors are outdated (Symantec) and cannot be overruled, and the admin password is limited to digits, and its length is 3 to 10 Mitigation: disable the Web interface via provisioning: web_ui_enabled
Privacy:	device phones home to phoneservice.digium.com
Responsible Disclosure:	not available
Firmware Update:	missing Automation missing Newsletter

Miscellaneous

time on display cannot be disabled
- Phone → Main Menu → [3] Preferences → Localization Settings → Locale
  Might break in the future. Leaves you behind (or before) with an incorrect time.
- Phone → Main Menu → [3] Preferences → Localization Settings → Time Format: 14:15 (24 Hour)

Model Range

Digium D60, D62, D65 (tested)

According to the provisioning guide, the older models D40, D45, D50, and D70 do not allow SDES-sRTP at all. Same for the AOSP based D80. Alternatively, the A-Series might be tempting…

Power Supply

5 V 2 A, Coaxial: 5.5 mm × 2.5 mm

← back to the other phones.