VoIP: SIP-over-TLS and sRTP: Digium

Digium is the creator and maintainer of the open-source VoIP/SIP server Asterisk. Currently, they have four platforms:

This Web page is about the D-Series, which offers three configuration interfaces: the phone's own menu, a Web interface, and provisioning. The phone interface cannot enable SIP-over-TLS, and the Web interface cannot enable SDES-sRTP, so the provisioning interface is the only way to get both. Furthermore, any change made in the Web interface resets SDES-sRTP to its default, which is disabled. Therefore, I recommend disabling the Web interface, which is possible via the provisioning setting web_ui_enabled. You do not need Digium Switchvox or Asterisk for this phone if you can configure your DHCP server to send option 66 (tftp-server-name).

Last tested firmware

2_7_0
retested in Oct. 2019 with 2_8_6
retested in May 2020 with 2_9_6

Configuration

Password: admin/789
Phone → Main Menu → [4] Admin Settings → [7] Change Admin Password
HTTPS: not available, confirmed by the support team
Update: Web → General → Firmware
Trust Anchors: Provisioning: certs
built-in trust anchors cannot be viewed
SIP-URI User: Phone → Main Menu → [4] Admin Settings → [6] SIP Accounts → Add New → User ID
Web → Lines → 1 → User ID
SIP-URI Host: Phone → Main Menu → [4] Admin Settings → [6] SIP Accounts → Edit → Server
Web → Line → 1 → Hostname
SIP-over-TLS: Phone: not possible
Web → Line → 1 → Transport: TLS
Web → Line → 1 → Port: empty (enables DNS-SRV)
SDES-sRTP: Phone: not possible
Web: not possible
Provisioning: possible (see example); the negotiated profile is then RTP/SAVP
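Because the phone's icons do not reliably reflect what was negotiated (see the Security section), it pays to check the SDP of a test call directly: SDES-sRTP is in use only when the media line carries the RTP/SAVP profile and at least one a=crypto attribute. The following checker is an added example, not code from Digium or from this page; the two SDP bodies are constructed samples, not captures from a phone, and the key material in the a=crypto line is a placeholder.

```python
"""Check whether an SDP body actually negotiates SDES-sRTP (RTP/SAVP plus a=crypto, RFC 4568)."""

# Constructed sample answer (not captured from a Digium phone): audio negotiated as
# RTP/SAVP with one SDES crypto attribute. The inline key is a placeholder value.
SAMPLE_SDP_SAVP = """v=0
o=- 1234 1234 IN IP4 192.0.2.10
s=-
c=IN IP4 192.0.2.10
t=0 0
m=audio 10000 RTP/SAVP 0 8 101
a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:WVNfX19zZW1jdGwgKCkgewkyMjA7fQp9Cnhlcw==
a=rtpmap:0 PCMU/8000
a=rtpmap:8 PCMA/8000
"""

# Constructed plain-RTP answer: a padlock or shield icon alone would not reveal this.
SAMPLE_SDP_AVP = """v=0
o=- 1234 1234 IN IP4 192.0.2.10
s=-
c=IN IP4 192.0.2.10
t=0 0
m=audio 10000 RTP/AVP 0 8 101
a=rtpmap:0 PCMU/8000
"""


def parse_media_sections(sdp):
    """Split an SDP body into media sections: list of dicts with media, port, proto, attrs."""
    sections = []
    current = None
    for raw in sdp.splitlines():
        line = raw.strip()
        if line.startswith("m="):
            parts = line[2:].split()
            current = {"media": parts[0], "port": int(parts[1]), "proto": parts[2], "attrs": []}
            sections.append(current)
        elif line.startswith("a=") and current is not None:
            # attributes before the first m= line are session-level; ignored here
            current["attrs"].append(line[2:])
    return sections


def sdes_srtp_status(sdp):
    """Return a dict mapping media type to a short status string.

    'sdes-srtp:<suites>'   RTP/SAVP with a=crypto: SDES-sRTP negotiated
    'savp-without-crypto'  RTP/SAVP but no key exchange: malformed offer/answer
    'crypto-on-avp'        a=crypto present but profile is not secure: treat as unprotected
    'plain-rtp'            neither: media is sent in the clear
    """
    result = {}
    for sec in parse_media_sections(sdp):
        crypto = [a for a in sec["attrs"] if a.startswith("crypto:")]
        if sec["proto"] == "RTP/SAVP" and crypto:
            suites = [a.split()[1] for a in crypto]   # a=crypto:<tag> <suite> <key-params>
            result[sec["media"]] = "sdes-srtp:" + ",".join(suites)
        elif sec["proto"] == "RTP/SAVP":
            result[sec["media"]] = "savp-without-crypto"
        elif crypto:
            result[sec["media"]] = "crypto-on-avp"
        else:
            result[sec["media"]] = "plain-rtp"
    return result


if __name__ == "__main__":
    print(sdes_srtp_status(SAMPLE_SDP_SAVP))
    print(sdes_srtp_status(SAMPLE_SDP_AVP))
```

Run it against the SDP bodies of a test call (for instance taken from a packet capture on the Asterisk side) rather than trusting the phone's display; a result other than sdes-srtp for the audio stream means the provisioning did not take effect, which is exactly what happens after a change in the Web interface.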

Software Bugs

SHA-2 Digest: does not fall back to MD5 but continues without an Authorization header and is therefore unable to register; consequently incompatible with Linphone
DNS-NAPTR: missing
Session Timers: broken; the sRTP rollover counter (ROC) is reset on a re-INVITE
Call Reject (UDUB): sends status 603; found no way to send status 486
Web interface: ‘ID is a required parameter. (Network)’
Mitigation: Network → (Virtual LAN) Discovery Mode: switch from None to Manual and then back to None
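Why a reset of the sRTP rollover counter on a re-INVITE breaks the call: the 48-bit SRTP packet index is ROC × 2^16 + SEQ, it feeds both the keystream and the authentication tag, and the receiver estimates it from its own ROC (RFC 3711, section 3.3.1). The model below is an added example, not code from this page or from Digium; it assumes the peer keeps its receiver state (ROC and s_l) across the re-INVITE because the keys did not change, and it treats an index mismatch as an authentication failure, which is what an SRTP stack would observe.

```python
"""Model of the SRTP packet index (RFC 3711, section 3.3.1) showing the effect of a
sender that resets its rollover counter (ROC) on a re-INVITE while the keys stay the same."""


class SrtpReceiver:
    """Receiver-side ROC / s_l tracking as specified in RFC 3711, section 3.3.1."""

    def __init__(self):
        self.roc = 0          # rollover counter (32 bit)
        self.s_l = 0          # highest authenticated sequence number seen so far
        self.started = False  # s_l is undefined until the first packet is accepted

    def estimate_index(self, seq):
        """Estimate the packet index of an incoming packet; returns (index, v)."""
        if not self.started:
            v = self.roc
        elif self.s_l < 32768:
            v = (self.roc - 1) & 0xFFFFFFFF if seq - self.s_l > 32768 else self.roc
        else:
            v = (self.roc + 1) & 0xFFFFFFFF if self.s_l - 32768 > seq else self.roc
        return (v << 16) | seq, v

    def accept(self, seq, v):
        """Advance the state only after the packet authenticated successfully."""
        if v == self.roc and (seq > self.s_l or not self.started):
            self.s_l = seq
        elif v == (self.roc + 1) & 0xFFFFFFFF:
            self.roc = v
            self.s_l = seq
        self.started = True


def sender_index(roc, seq):
    """Packet index as the sender computes it: ROC * 2^16 + SEQ."""
    return (roc << 16) | seq


def run_stream(sender_seqs, reset_roc_at=None):
    """Feed 16-bit sequence numbers from a sender to a receiver.

    reset_roc_at is the position in sender_seqs at which the (buggy) sender resets its
    ROC to 0, modelling the re-INVITE. Returns a list of (seq, ok) where ok is True when
    sender and receiver agree on the index, i.e. the authentication tag would verify.
    """
    rx = SrtpReceiver()
    tx_roc = 0
    prev = None
    out = []
    for n, seq in enumerate(sender_seqs):
        if prev is not None and seq < prev:   # sender wrapped its 16-bit SEQ
            tx_roc += 1
        if reset_roc_at is not None and n == reset_roc_at:
            tx_roc = 0                        # ROC reset on re-INVITE (the bug)
        idx_tx = sender_index(tx_roc, seq)
        idx_rx, v = rx.estimate_index(seq)
        ok = idx_tx == idx_rx
        if ok:
            rx.accept(seq, v)                 # only authenticated packets advance the receiver
        out.append((seq, ok))
        prev = seq
    return out


if __name__ == "__main__":
    seqs = [65534, 65535, 0, 1, 2]            # constructed: SEQ wraps after packet two
    print("healthy stream:", run_stream(seqs))
    print("ROC reset on re-INVITE:", run_stream(seqs, reset_roc_at=3))
```

In the healthy run the receiver follows the wrap to ROC = 1 and every packet verifies. Once the sender drops back to ROC = 0 after the wrap, its index is 65536 lower than the receiver's estimate for every following packet, so authentication fails on each of them and the audio stops until a new key exchange resynchronises both sides.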

Security

Bugs: SIP-over-TLS without authentication (fixed in Nov. 2019 with firmware 2_9_1);
a padlock icon is shown even without SIP-over-TLS;
a shield is used as the icon instead of the familiar padlock metaphor;
the cipher suites include RC4 (and even MD5) and ECDHE curves with less than 224 bits (OpenSSL 1.0.1);
the trust anchors are outdated (Symantec) and cannot be overridden; and
the admin password is limited to digits and to a length of 3 to 10
Mitigation: disable the Web interface via provisioning: web_ui_enabled
Privacy: the device phones home to phoneservice.digium.com
Responsible Disclosure: not available
Firmware Update: missing automation
missing newsletter

Miscellaneous

Model Range

According to the provisioning guide, the older models D40, D45, D50, and D70 do not allow SDES-sRTP at all. The same applies to the AOSP-based D80. Alternatively, the A-Series might be tempting…

Power Supply

5 V 2 A, Coaxial: 5.5 mm × 2.5 mm
