VoIP: SIP-over-TLS and sRTP: Gigaset pro

In 2004, Gigaset started with VoIP/SIP, competing with the German company AVM. Back then, Gigaset created products like the ‘Gigaset SX541 WLAN dsl’, ‘Gigaset DE380 IP R’, and ‘Gigaset S675 IP’. Those software branches still exist today with the ‘Gigaset DX800A all in one’ and the ‘Gigaset N510 IP PRO’. Those devices never supported SDES-sRTP. Then Gigaset tried bought-in platforms and rebadged them, as with the ‘Gigaset DE900 IP PRO’; these offered SDES-sRTP but were buggy and have been unmaintained since 2016. What about the current Maxwell line? Let us have a look!

Last tested firmware

3.12.10
retested in Oct. 2019 with 3.14.8
retested in May 2020 with 3.16.7

Configuration

Password: Admin/admin and User/user
Web → (in the upper right) User Web → Change Password
HTTPS: Web → Settings → System → Phone Web Server → HTTP Connection Type: HTTP + HTTPS
Update: Web → Settings → System → Firmware → User defined firmware file
Trust Anchors: Web → Settings → System → Security → (Certificates) Accept all Certificates: No → Import local certificate
SIP-URI User: Web → Settings → Telephony → Connections → Edit → Authentication Name
SIP-URI Host: Web → Settings → Telephony → Connections → Edit → Domain
SIP-over-TLS: Web → Settings → Telephony → VoIP → (SIP) Transport Protocol: TCP
Web → Settings → Telephony → VoIP → (Security) SIP via TLS: On
Web → Settings → Telephony → Connections → Edit → Redundancy - DNS query: SRV + A
SDES-sRTP: Web → Settings → Telephony → VoIP → (Security) SRTP: Yes
which is RTP/SAVP + RTP/AVP
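
The SRTP: Yes setting above is described as RTP/SAVP + RTP/AVP, which means the plain RTP profile is present next to the secure one. The following added example (not from the original page and not Gigaset code) classifies an SDP body by how strictly it requires SRTP, so a downgrade to plain RTP can be spotted in a capture. The sample SDP is constructed and assumes the two profiles appear as separate m= lines, which the page does not specify.

```python
# Added example: classify an SDP body by how strictly it requires SRTP.
from dataclasses import dataclass, field

@dataclass
class Media:
    kind: str                       # "audio", "video", ...
    port: int                       # 0 = stream disabled or rejected (RFC 3264)
    profile: str                    # "RTP/SAVP" (SRTP) or "RTP/AVP" (plain RTP)
    suites: list = field(default_factory=list)  # suites from a=crypto (RFC 4568)

def parse_media(sdp):
    """Split an SDP body into m= sections and collect their SDES crypto suites."""
    sections, current = [], None
    for raw in sdp.splitlines():
        line = raw.strip()
        if line.startswith("m="):
            parts = line[2:].split()
            port = parts[1].split("/")[0] if len(parts) >= 3 else ""
            current = Media(parts[0], int(port), parts[2].upper()) if port.isdigit() else None
            if current:
                sections.append(current)
        elif line.startswith("a=crypto:") and current:
            fields = line[len("a=crypto:"):].split()  # tag, suite, key-params
            if len(fields) >= 3 and fields[2].startswith("inline:"):
                current.suites.append(fields[1])
    return sections

def audit(sdp, kind="audio"):
    """Return 'srtp-only', 'srtp-optional', 'plaintext' or 'no-media'."""
    active = [m for m in parse_media(sdp) if m.kind == kind and m.port != 0]
    if not active:
        return "no-media"
    # RTP/SAVP without a usable a=crypto line is not counted as secure.
    secure = [m for m in active if m.profile == "RTP/SAVP" and m.suites]
    if len(secure) == len(active):
        return "srtp-only"
    return "srtp-optional" if secure else "plaintext"

# Constructed sample; assumes both profiles arrive as separate m= lines.
MIXED_OFFER = """v=0
o=- 1 1 IN IP4 192.0.2.10
s=-
c=IN IP4 192.0.2.10
t=0 0
m=audio 5004 RTP/SAVP 8
a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:CONSTRUCTED-PLACEHOLDER-KEY
m=audio 5006 RTP/AVP 8
"""
# Constructed answer in which the peer rejected the SRTP stream (port 0).
DOWNGRADED_ANSWER = MIXED_OFFER.replace("m=audio 5004", "m=audio 0")
```

A result of srtp-optional on the offer together with plaintext on the answer indicates that the call media went out unencrypted even though SIP-over-TLS protected the signalling.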

Software Bugs

DHCP: DNS server is not retrieved via DHCP
Mitigation: Web → Settings → Network → IP → (Address Assignment) IP Address Type: static → (button) Set → IP Address Type: dynamic → (button) Set
This has to be done once when you get a used phone (and whenever you put it in another network with a different DNS server).
SHA-2 Digest: does not pick MD5, continues without the Authorization header, and is therefore unable to register; therefore incompatible with Linphone
DNS-NAPTR: missing
IP Port Source: not the actual port but the port 5061 in the SIP headers Via and Contact
Mitigation: unknown; service has to ignore it and re-use the TCP based connection instead

Security

Bugs: SIP-over-TLS without authentication
Privacy: phones home to http://profile.gigaset.net/device/%DVID/
Mitigation: Web → Settings → System → Provisioning → Server: http://0.0.0.0 (empty not allowed; just ‘http://’ then queried DNS for ‘provisioning.xml’)
Mitigation: Web → Settings → System → Firmware Update → Automatic check: Yes
Responsible Disclosure: via the data-privacy office
Firmware Update: missing Newsletter

Miscellaneous

Model Range

Power Supply

12 V ?.? A, Coaxial: 5.5 mm × 2.5 mm
