The Web interface is a subset of the Phone interface. The Phone interface is a subset of the Provisioning interface. In the end, I had to use the Provisioning interface. Still, I prefer the Web interface as a starting point because it allows firmware updates, and via ‘Web → Utilities → Import’ you access the Provisioning interface without the need for a Provisioning server.
Some models start with Skype for Business by default. In that case, you have to change Phone → Sign In → (hardware button) Home → Settings → Advanced → Administration → Network → Base Profile → Generic. This switches the phone to ‘Open SIP’.
I found no way to turn off certificate authentication. Therefore, the use case Opportunistic Security is not possible.
5.9.2 (Administration Guide)
retested in Oct. 2019 with 5.9.5
retested in May 2020 with 5.9.6
Password: | user/123 and admin/456; change via Phone → Settings → Advanced → Administration → Change Password, or Web → Settings → Change Password |
HTTPS: | enabled by default; in Skype for Business, the Web Server is disabled by default; see above to change to ‘Open SIP’ |
Update: | Web → Utilities → Software Upgrade → Check for Updates |
Trust Anchors: | Phone → Settings → Advanced → Administration → TLS → Custom CA Certificates → Install: Base64; Web → Settings → Network → TLS (Certificate Configuration → (CA Certificates →)): Base64. Enter the URL to a certificate in PEM format and hit Install; the phone then loads that certificate. That field does not default to HTTP; therefore, you have to prepend ‘http://’. Content-Disposition, as provided via crt.sh, is not supported. Redirections and upgrades to HTTPS are possible. |
SIP-URI User: | Phone → Settings → Advanced → Administration → Line → 1 → Address; Phone → Settings → Advanced → Administration → Line → 1 → Authentication → User ID; or Web → Simple Setup → SIP Line Identification → Address; Web → Simple Setup → SIP Line Identification → Authentication User ID |
SIP-URI Host: | Phone → Settings → Advanced → Administration → Call Server → SIP → Server 1 → Address, or Web → Simple Setup → SIP Server … Port: 0 (enables DNS-SRV) |
SIP-over-TLS: | enabled by default: does DNS-NAPTR and full TLS authentication; for other scenarios like DUStel and Easybell Germany, go for: Phone → Settings → Advanced → Administration → Call Server → SIP → Server 1 → Transport: TLS, or Web → Settings → SIP → Server 1 → Transport: TLS |
SDES-sRTP: | Phone → Settings → Advanced → Administration → Line → 1 → SRTP Menu → SRTP Offer: Yes, or Web → Settings → Lines → Offer SRTP, which is RTP/SAVP + RTP/AVP |
Signaling DiffServ: | Web → Settings → Network → QoS → Call Control → IP DSCP: 40 (default 44) |
SHA-2 Digest: | ignores algorithm and picks last |
IPv6: | a VVX D60 does not work correctly if its connected VVX phone is using IPv6 for SIP |
Bugs: | DNS-SRV redirection disables Hostname Validation (IPv4 mode only), padlock icon even without SIP-over-TLS, and missing TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 Mitigation:
|
Responsible Disclosure: | via E-mail |
Firmware Update: | missing Automation; missing Newsletter |
48 V 0.52 A, Coaxial: 5.5 mm × 2.1 mm
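A preflight check for the Trust Anchors row above, as an added example that is not part of the original page: it tests a URL and the response it yields against the constraints stated there (explicit http:// prefix, PEM body, no Content-Disposition). The function names, the host ca.example.test and the zero-filled sample are assumptions constructed for illustration.

```python
import base64
import binascii
import re
from urllib.parse import urlsplit

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s+(.+?)\s+-----END CERTIFICATE-----", re.S)

def is_single_der_sequence(der: bytes) -> bool:
    """True if der is exactly one ASN.1 SEQUENCE, the outer shape of a certificate."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    if der[1] < 0x80:                       # short-form length
        header, length = 2, der[1]
    else:                                   # long-form length
        n = der[1] & 0x7F
        if n == 0 or len(der) < 2 + n:
            return False
        header, length = 2 + n, int.from_bytes(der[2:2 + n], "big")
    return header + length == len(der)

def preflight(url: str, headers: dict, body: bytes) -> list:
    """List the reasons the install would fail, per the Trust Anchors notes."""
    problems = []
    # Assumption: typing https:// directly is treated like http://.
    if urlsplit(url).scheme not in ("http", "https"):
        problems.append("URL has no explicit http:// prefix")
    if any(name.lower() == "content-disposition" for name in headers):
        problems.append("response carries Content-Disposition")
    match = PEM_RE.search(body.decode("ascii", "replace"))
    if match is None:
        problems.append("body is not PEM")
        return problems
    try:
        der = base64.b64decode("".join(match.group(1).split()), validate=True)
    except binascii.Error:
        problems.append("PEM payload is not valid Base64")
        return problems
    if not is_single_der_sequence(der):
        problems.append("payload is not one complete DER SEQUENCE")
    return problems

def to_pem(der: bytes) -> bytes:
    """Wrap DER bytes in PEM armour (helper for the constructed sample)."""
    b64 = base64.encodebytes(der).decode("ascii")
    return ("-----BEGIN CERTIFICATE-----\n" + b64 + "-----END CERTIFICATE-----\n").encode()

# Constructed sample: a zero-filled SEQUENCE, shaped like a certificate but not a real one.
SAMPLE_DER = b"\x30\x82\x01\x00" + bytes(256)
```

Feed it the headers and body captured from the certificate URL before typing that URL into the phone; an empty list means none of the three constraints is violated.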