VoIP: SIP-over-TLS and sRTP: Panasonic

Panasonic offers analog, DECT, Digital IP, and SIP phones. Here, we concentrate on the Open-SIP aka generic VoIP/SIP offerings, which can be used with Digium Asterisk for example. Panasonic delivers impressive hardware, advanced technology, for a reasonable price. Nevertheless, Panasonic has many business units that do not relate: For example, the KX-TPA, KX-UDT, and KX-TGQ series are CAT-iq 2.x enabled DECT handsets but have nothing common, because the whole KX-TGQ (including its software) was bought somewhere in China. What about the software of the KX-TPA and KX-UDT? Let us have a look!

Last tested firmware

retested in Oct. 2019 with 11.000
retested in May 2020 with 11.112


Password: admin/adminpass
has to be changed after first use
HTTPS: not available
Update: Web → Maintenance → Firmware
HTTPs client does not support TLS-SNI.
In the KX-HDV series, the filename has to end with ‘.fw’ and you have to enter the version, otherwise the update does not start.
Trust Anchors: Web → Maintenance → Provisioning → Master File URL: http://www.traud.de/voip/panasonic/sip.cfg
That example file contains SIP_TLS_ROOT_CERT_PATH, which must be Base64 encoded certificate(s). The KX-HDV series does not allow a certificate file larger than 6 KB. Otherwise you get [CERT]File download failure by "file size error" in the event log. Therefore, just 4 certificates are possible.
SIP-URI User: Web → VoIP → SIP → Line 1 → Phone Number
Web → VoIP → SIP → Line 1 → Authentication ID
SIP-URI Host: Web → VoIP → SIP → Line 1 → Registrar Server Address
Web → VoIP → SIP → Line 1 → Proxy Server Address
SIP-over-TLS: Web → VoIP → SIP → Line 1 → Transport Protocol: TLS
SDES-sRTP: Web → VoIP → SIP → VoIP 1 → Advanced → SRTP Mode: SRTP/RTP
which is RTP/AVP with crypto

Software Bugs

SHA-2 Digest: does not pick MD5, continues without header Authorization, therefore is not able to register; therefore incompatible with Linphone
Audio: AMR-WB octet-aligned mode but not signaled in SDP
SIP-URI Dialing: proxy domain is appended, always
SIP-over-TLS: large SIP messages are ignored or return SIP status 488 (larger than 2 kB)
SIP connection: phone sends TCP-RST after two sometimes four hours, with the default 3600 seconds
Mitigation: Web → VoIP → SIP → Line 1 → (Advanced) REGISTER Expires Timer: 3480 (phone takes half, therefore phone re-registers at 29 minutes)
Signaling DiffServ: Web → VoIP → SIP → Line 1 → SIP Packet QoS (DSCP): 40
in IPv6, SIP stays at 0x00 (works for IPv4; works for RTP in IPv4 and IPv6)
Audio DiffServ: not enabled on default
Mitigation: Web → VoIP → SIP → VoIP 1 → RTP Packet QoS (DSCP): 46
Video DiffServ: phone uses the same class for audio and video
Video: own control image is not mirrowed
STUN: does not work with the server stun.1und1.de, I went for stun.gigaset.net; and
resolves not before but after the first REGISTER, therefore SIP registration fails with sip.1und1.de
SIP Keep-Alive: works via IPv4, does not work via IPv6
Cipher Suites: missing TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384; questions its AES-256 sRTP support
IP Port Source not the actual port but SIP_SRC_PORT_n in the SIP header Contact (TCP and TLS affected; works with UDP)
Mitigation for TCP: unknown; service has to ignore it and re-use the TCP based connection instead
Mitigation for TLS: Web → VoIP → SIP → TLS Port random: No and optionally: Web → VoIP → SIP → Line 1 → Local SIP Port: any value


Bugs: missing TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 fixed in Jun. 2020 with firmware 13.002,
RSA+MD5 as Signature Algorithm (CVE-2015-7575) fixed in Jun. 2020 with firmware 13.002,
DNS-SRV redirection disables Hostname Validation fixed in Aug. 2019 with firmware 10.050; requires SIP_TLS_VERIFY_1="3" in the provisioning file,
padlock icon even without SIP-over-TLS fixed in Jun. 2019 with firmware 10.004; requires DISPLAY_SECURITY_CALL_ENABLE="Y" in the provisioning file,
SDES-sRTP key with reduced entropy (less then 30 bits) fixed in Feb. 2017 with firmware 04.002
Privacy: on default, SIP messages contain MAC
Mitigation: Web → VoIP → SIP Setting → User Agent → remove {mac}
on default, HTTP messages contain MAC
Mitigation: Web → Network → HTTP Setting → User Agent → remove {mac}
device phones home to https://provisioning.e-connecting.net:443/redirect/conf/{MAC}.cfg
Mitigation: avoid IPv4, use IPv6 only
Responsible Disclosure: via E-mail
Firmware Update: missing Automation
missing Newsletter


Model Range

Power Supply

6.5 V 0.5 A, Coaxial: 4.8 mm × 1.7 mm

back to the other phones.