VoIP: SIP-over-TLS and sRTP: Gigaset pro

In 2010, Gigaset tried SiTel Rhea, which offered SDES-sRTP: a Gigaset first. However, that platform got ditched and has been unmaintained since 2015 (end-of-life). Go figure! Although reported within the lifetime of the software, the manufacturer did not address any of my reports. Although the phone does not offer IPv4/IPv6 dual-stack, only IPv6-only operation, its IPv6 implementation worked out of the box for me, in stark contrast to the other phones tested.

Last tested firmware

02.01.00

Configuration

Passwords (Web → Settings → Security): Admin: admin; User: empty; Phone: 0000
HTTPS: Web → Settings → Network → Server → HTTP Connection Type: HTTP + HTTPS
Update: Web → Settings → System → Firmware → User-defined firmware file
Trust Anchors: Web → Settings → Network → Security → (Certificates) Accept all Certificates: No → Import a local certificate: PEM
The phone requires the root of the certificate chain as trust anchor; because it also does not accept every root, it may be easier to connect first and then accept the ‘Invalid Certificate’ prompt that is shown.
SIP-URI User: Web → Settings → Telephony → Connections → Edit → Authentication Name
SIP-URI Host: Web → Settings → Telephony → Connections → Edit → Domain
SIP-over-TLS: Web → Settings → Network → Security → Choose Network Protocol: TLS
SDES-sRTP: Web → Settings → Network → Security → SRTP (offered as RTP/SAVP)
Unencrypted incoming calls: Web → Settings → Network → Security → Accept Non-SRTP Call (applies to incoming calls only)

Software Bugs

DNS-NAPTR: missing
Session Timers: broken; the sRTP rollover counter (ROC) is reset when the remote party sends a re-INVITE
Signaling DiffServ: does not work for TCP (and TLS), only for UDP
IPv6: no dual-stack; either IPv4-only or IPv6-only

Security

Bugs: SDES-sRTP key with reduced entropy (keys observed were 6d61737465727c2f8020f5b8xxxxxx5x73616c74c0a80060c0a80060xxxx; the hex contains the ASCII strings “master” and “salt” and the IPv4 address 192.168.0.96 twice),
DNS-SRV redirection disables hostname validation,
padlock icon shown even without SIP-over-TLS,
missing TLS_ECDHE_[RSA|ECDSA]_WITH_AES_128_GCM_SHA256,
cipher suites include RC4, single DES and EXPORT suites (OpenSSL 1.0.0q or older),
Triple-DES preferred over RC4 (OpenSSL 1.0.0m or older),
ECDHE curves shorter than 224 bits (OpenSSL 1.0.0; ssl/t1_lib.c:nid_list)
Privacy: Automatic Update contains the MAC address
Automatic Update uses HTTP, not HTTPS
Mitigation: Web → Settings → System → Firmware Update → Automatic check: No
SIP messages contain the MAC address
Firmware Update: automatic update is missing when IPv6 is enabled
missing Newsletter
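The reduced-entropy SDES key above is the kind of defect a PBX or test tool can check for during call setup, because SDES carries the key material in clear text in the SDP a=crypto line. The following Python script is an added example, not code from the page's author or from Gigaset: it parses an a=crypto line, base64-decodes the inline parameter, and flags structure that random key material must not contain (embedded printable ASCII words, a repeated 4-byte word, 4-byte windows that decode to a private IPv4 address). It assumes that the 30-byte inline parameter of an AES_CM_128 suite is the master key followed by the master salt (RFC 4568). Both sample lines are constructed; the weak one reproduces the byte layout of the observed key, with placeholder values in the positions the page masks with “x”.

```python
"""Check SDES-sRTP key material from an SDP a=crypto line for structure
that should never appear in randomly generated keys (added example)."""
import base64
import ipaddress
import re

# Constructed sample keys (not captured from a real device).
# WEAK_KEY follows the byte layout of the observed key: ASCII "master",
# six fixed bytes, four masked bytes, ASCII "salt", 192.168.0.96 twice,
# two masked bytes. Masked bytes are filled with placeholder values here.
WEAK_KEY = bytes.fromhex(
    "6d6173746572" "7c2f8020f5b8" "0102035f" "73616c74" "c0a80060c0a80060" "0405"
)
# Fixed 30-byte value standing in for properly random master key || salt.
RANDOM_KEY = bytes.fromhex(
    "9f3a77c21be4d05a6e18fb4c2d93e7b05c1af86d4b2e97c3a1d85e6f0b7c"
)


def crypto_line(tag, key, suite="AES_CM_128_HMAC_SHA1_80"):
    """Build an RFC 4568 a=crypto line from raw master key || master salt."""
    return f"a=crypto:{tag} {suite} inline:{base64.b64encode(key).decode()}"


SAMPLE_WEAK = crypto_line(1, WEAK_KEY)
SAMPLE_OK = crypto_line(1, RANDOM_KEY)

_CRYPTO_RE = re.compile(r"^a=crypto:(\d+)\s+(\S+)\s+inline:([A-Za-z0-9+/=]+)")

# Address ranges that point at a key derived from local configuration data.
PRIVATE_V4 = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]


def parse_crypto(line):
    """Return (tag, suite, key_bytes); key_bytes is master key || master salt."""
    m = _CRYPTO_RE.match(line.strip())
    if not m:
        raise ValueError("not an SDES a=crypto line")
    tag, suite, b64 = m.groups()
    return int(tag), suite, base64.b64decode(b64)


def ascii_runs(key, min_len=4):
    """Runs of at least min_len printable ASCII bytes, e.g. an embedded word."""
    return [r.decode() for r in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, key)]


def repeated_words(key, width=4):
    """Aligned width-byte words that occur more than once, as hex."""
    words = [key[i:i + width] for i in range(0, len(key) - width + 1, width)]
    return sorted({w.hex() for w in words if words.count(w) > 1})


def embedded_private_ipv4(key):
    """Every 4-byte window that decodes to a private/loopback/link-local address."""
    hits = []
    for i in range(len(key) - 3):
        addr = ipaddress.IPv4Address(key[i:i + 4])
        if any(addr in net for net in PRIVATE_V4) and str(addr) not in hits:
            hits.append(str(addr))
    return hits


def assess(line):
    """Parse one a=crypto line and report structural weaknesses in its key."""
    tag, suite, key = parse_crypto(line)
    report = {
        "tag": tag, "suite": suite, "key_len": len(key),
        "ascii_runs": ascii_runs(key),
        "repeated_words": repeated_words(key),
        "private_ipv4": embedded_private_ipv4(key),
    }
    # AES_CM_128 suites carry a 16-byte key plus a 14-byte salt (30 bytes).
    bad_len = suite.startswith("AES_CM_128") and len(key) != 30
    report["weak"] = bool(report["ascii_runs"] or report["repeated_words"]
                          or report["private_ipv4"] or bad_len)
    return report


if __name__ == "__main__":
    for sample in (SAMPLE_WEAK, SAMPLE_OK):
        print(sample)
        print(assess(sample))
```

Run against the weak sample, the report lists the runs “master|/” and “_salt” (the leading underscore is the placeholder byte), the repeated word c0a80060 and the address 192.168.0.96; the random sample produces no findings. The checks are deliberately simple heuristics on 30 bytes, where a statistical entropy estimate is meaningless; a hit on any of them is enough to reject the offer or alert on the endpoint.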

Miscellaneous

Model Range

Power Supply

12 V 1.5 A, Coaxial: 5.5 mm × 2.1 mm
