VoIP: SIP-over-TLS and sRTP: Sipura

Phones from Cisco do not have their own Web interface but are configured via a provisioning server, the Cisco Unified Communications Manager (CUCM). Those phones can be changed from SCCP to SIP. Because zillions of those phones are sold via eBay, you find a tremendous amount of documentation to get those phones working…

Phones from Sipura do have a Web interface for configuration. Therefore, you need no central configuration server; no need to deal with DHCP, TFTP, and such XML files. Cisco bought Sipura and their Sipura Phone Adapters (SPA). Cisco sold them under (Linksys) SPAxxxG till the year 2016. Then, this platform was named ‘Third-Party Call Control’ until the name of today was introduced: ‘Multiplatform Firmware’ (MPP). Still, their stock-keeping unit (SKU) contains ‘3PCC’. Phones without 3PPC in SKU cannot be changed to this Sipura firmware.

Even before SDES-sRTP was created in 2004, Sipura offered sRTP.

Last tested firmware

11.2.3 (Administration, Provisioning)
Downloads Home → Collaboration Endpoints → IP Phones → IP Phones with Multiplatform Firmware
retested in Dec. 2019 with 11.3.1
retested in May 2020 with 11.3.1 MSR1-3

Configuration

Password:	Web → Voice → System → Admin Password
HTTPS:	Web → Voice → System → Enable Protocol: Https Web → Voice → System → Web Server Port: 443
Update:	Web → Voice → Provisioning → (Firmware Upgrade) Upgrade Rule: http:// … .loads
Trust Anchors:	Web → Voice → Provisioning → (CA Settings) Custom CA Rule: http:// … .pem built-in trust anchors cannot be viewed
SIP-URI Host:	Web → Voice → Att Console → Server Type: Asterisk Web → Voice → Ext 1 → Proxy Web → Voice → Ext 1 → Use DNS SRV Web → Voice → Ext 1 → DNS SRV Auto Prefix
SIP-URI User:	Web → Voice → Ext 1 → User ID
SIP-over-TLS:	Web → Voice → Ext 1 → SIP Transport: AUTO Web → Voice → Ext 1 → TLS Name Validate
SDES-sRTP:	Phone → Cogwheel → User preferences → Call preferences → Secure Call: On (use the central navigation key to change value) → (button) Set which is RTP/AVP with crypto For older models, you have to change Web → Voice → SIP → SRTP Method from the default value ‘x-sipura’ to ‘s-descriptor’.

Software Bugs

SHA-2 Digest:	ignores `algorithm` and picks last
IP Port Source:	not random on default Mitigation: Web → Voice → SIP → SIP TCP Port Min: 49152-65535

Security

Bugs:	~~DNS-SRV redirection disables Hostname Validation~~ fixed in Nov. 2019 with firmware 11.3.1 padlock icon even without SIP-over-TLS, and ECDHE curves with less than 224 bit
Responsible Disclosure:	via PSIRT team
Firmware Update:	missing Automation missing Newsletter

Miscellaneous

Phone → Cogwheel → Network configuration → Web server: Off
time on display cannot be disabled
- Web → Voice → System → Primary NTP Server
- Web → Voice → Regional → Time Zone: GMT+01:00
- Web → Voice → Regional → Daylight Saving Time Rule
- Phone → Cogwheel → Administrator → Date/Time → Time format: 24hr
- Phone → Cogwheel → Administrator → Date/Time → Date format: not compatible with German
Web → Voice → Regional → Locale: de-DE

Model Range

Cisco IP Phone 8800 Series: 8811, 8832, 8841, 8845, 8851, 8861, 8865
Cisco IP Phone 7800 Series: 7811, 7821 (tested), 7832, 7841, 7861
Cisco IP Phone 6800 Series: 6821, 6841, 6851, 6861
Cisco IP DECT 210 Multi-Cell Base Station

All of those phones come in several software variants. For this guide to apply, you need an SKU containing 3PCC, like CP-7821-3PCC-K9=.

Power Supply

48 V ?.? A, Coaxial: 5.5 mm × 2.5 mm

← back to the other phones.