VoIP: SIP-over-TLS and sRTP: Polycom UC

The Web interface is a subset of the Phone interface. The Phone interface is a subset of the Provisioning interface. In the end, I had to use the Provisioning interface. Still, I prefer the Web interface as a starting point because it allows firmware updates, and via ‘Web → Utilities → Import’ you access the Provisioning interface without the need for a Provisioning server.

Some models start in Skype for Business mode by default. In that case, set Phone → Sign In → (hardware button) Home → Settings → Advanced → Administration → Network → Base Profile to Generic; this switches the phone to ‘Open SIP’.

I found no way to turn off certificate authentication. Therefore, the use case Opportunistic Security is not possible.

Last tested firmware

5.9.2 (Administration Guide)
retested in Oct. 2019 with 5.9.5
retested in May 2020 with 5.9.6

Configuration

Password: user/123 and admin/456
  Phone → Settings → Advanced → Administration → Change Password, or
  Web → Settings → Change Password
HTTPS: enabled by default
  in Skype for Business mode, the Web Server is disabled by default; see above for switching to ‘Open SIP’
Update: Web → Utilities → Software Upgrade → Check for Updates
Trust Anchors: Phone → Settings → Advanced → Administration → TLS → Custom CA Certificates → Install: Base64, or
  Web → Settings → Network → TLS (Certificate Configuration → (CA Certificates →)): Base64
  Enter the URL of a certificate in PEM format and hit Install; the phone then loads that certificate. The field does not default to HTTP, so you have to prepend ‘http://’. A Content-Disposition header, as crt.sh sends it, is not supported. Redirections and upgrades to HTTPS are possible.
SIP-URI User: Phone → Settings → Advanced → Administration → Line → 1 → Address
  Phone → Settings → Advanced → Administration → Line → 1 → Authentication → User ID
  or
  Web → Simple Setup → SIP Line Identification → Address
  Web → Simple Setup → SIP Line Identification → Authentication User ID
SIP-URI Host: Phone → Settings → Advanced → Administration → Call Server → SIP → Server 1 → Address, or
  Web → Simple Setup → SIP Server
  … Port: 0 (enables DNS-SRV)
SIP-over-TLS: enabled by default; does DNS-NAPTR and full TLS authentication
  for other scenarios, like DUStel and Easybell Germany, go for:
  Phone → Settings → Advanced → Administration → Call Server → SIP → Server 1 → Transport: TLS, or
  Web → Settings → SIP → Server 1 → Transport: TLS
SDES-sRTP: Phone → Settings → Advanced → Administration → Line → 1 → SRTP Menu → SRTP Offer: Yes, or
  Web → Settings → Lines → Offer SRTP
  which offers both RTP/SAVP and RTP/AVP
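Because ‘SRTP Offer: Yes’ offers both RTP/SAVP and RTP/AVP, the far end decides whether the call is encrypted, and a downgrade to plain RTP is silent unless you look at the SDP. The following script is an added example (not from this page and not Polycom code): it parses a captured SIP offer and answer, relies on the RFC 3264 rule that a rejected m= line comes back with port 0, and reports whether SRTP was actually negotiated. The SDP bodies, addresses and key strings in it are constructed samples.

```python
"""Check whether a SIP call actually negotiated SRTP (added example).

With ‘SRTP Offer: Yes’ the phone offers two audio m= lines, RTP/SAVP and
RTP/AVP. Under RFC 3264 the answerer keeps one line and rejects the other
by answering it with port 0, so offer plus answer tell you whether the
call is encrypted or was downgraded to plain RTP.
"""
from dataclasses import dataclass, field


@dataclass
class Media:
    kind: str            # "audio", "video", ...
    port: int            # 0 means the answerer rejected this line
    proto: str           # "RTP/SAVP" (SRTP) or "RTP/AVP" (plain RTP)
    crypto: list = field(default_factory=list)  # a=crypto lines (SDES keys)


def parse_sdp(sdp: str) -> list:
    """Return the m= sections of an SDP body with their a=crypto attributes."""
    media = []
    for raw in sdp.splitlines():
        line = raw.strip()
        if line.startswith("m="):
            kind, port, proto, *_payload_types = line[2:].split()
            media.append(Media(kind, int(port), proto))
        elif line.startswith("a=crypto:") and media:
            # a=crypto is a media-level attribute of the most recent m= section
            media[-1].crypto.append(line[len("a=crypto:"):])
    return media


def offered_audio_profiles(offer: str) -> set:
    return {m.proto for m in parse_sdp(offer) if m.kind == "audio"}


def negotiated_audio_profile(answer: str) -> str:
    """Profile of the single accepted (port != 0) audio line in the answer."""
    active = [m for m in parse_sdp(answer) if m.kind == "audio" and m.port != 0]
    if len(active) != 1:
        raise ValueError(f"expected exactly one accepted audio line, got {len(active)}")
    chosen = active[0]
    if chosen.proto == "RTP/SAVP" and not chosen.crypto:
        # SAVP without key material cannot be set up at all
        raise ValueError("RTP/SAVP accepted without an a=crypto key")
    return chosen.proto


def assess_call(offer: str, answer: str) -> str:
    """'srtp' if encrypted media was negotiated, 'downgraded' if SRTP was
    offered but plain RTP was chosen, 'plain' if SRTP was never offered."""
    offered = offered_audio_profiles(offer)
    if negotiated_audio_profile(answer) == "RTP/SAVP":
        return "srtp"
    return "downgraded" if "RTP/SAVP" in offered else "plain"


# Constructed sample offer: SAVP line first, AVP fallback second. The
# inline key is a dummy string, not real key material.
OFFER = """v=0
o=- 1 1 IN IP4 192.0.2.10
s=-
c=IN IP4 192.0.2.10
t=0 0
m=audio 2224 RTP/SAVP 9 0 8 101
a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:ConstructedDummyOfferKeyNotForUse0000000
m=audio 2224 RTP/AVP 9 0 8 101
"""

# Constructed answer from a server that supports SRTP: keeps SAVP, rejects AVP.
ANSWER_SRTP = """v=0
o=- 2 2 IN IP4 192.0.2.20
s=-
c=IN IP4 192.0.2.20
t=0 0
m=audio 3000 RTP/SAVP 9 101
a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:ConstructedDummyAnswerKeyNotForUse000000
m=audio 0 RTP/AVP 9 0 8 101
"""

# Constructed answer that downgrades: SAVP rejected (port 0), AVP accepted.
ANSWER_PLAIN = """v=0
o=- 3 3 IN IP4 192.0.2.20
s=-
c=IN IP4 192.0.2.20
t=0 0
m=audio 0 RTP/SAVP 9 0 8 101
m=audio 3000 RTP/AVP 9 101
"""

if __name__ == "__main__":
    print("offered:", sorted(offered_audio_profiles(OFFER)))
    print("SRTP-capable answer:", assess_call(OFFER, ANSWER_SRTP))
    print("downgrading answer:", assess_call(OFFER, ANSWER_PLAIN))
```

Run it over the SDP bodies from a SIP trace (for example the INVITE and its 200 OK); a result of ‘downgraded’ means the server ignored the RTP/SAVP line, which is the case to alert on if encrypted media is a requirement.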

Bad Defaults

Signaling DiffServ: Web → Settings → Network → QoS → Call Control → IP DSCP: 40 (default 44)

Software Bugs

SHA-2 Digest: ignores the algorithm and picks the last one
IPv6: a VVX D60 does not work correctly if its connected VVX phone is using IPv6 for SIP

Security

Bugs:
  DNS-SRV redirection disables hostname validation (IPv4 mode only)
  the padlock icon is shown even without SIP-over-TLS
  TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 is missing (see Mitigation)
Mitigation:
  1. Web → Settings → Network → TLS → TLS Profiles → Application Profile 1 → Cipher Suite: Custom: HIGH:-COMPLEMENTOFDEFAULT
  2. Web → Settings → Network → TLS → TLS Applications → SIP: Application Profile 1
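Two of the bugs above can be checked from the administrator's side without the phone. The script below is an added example (not from this page and not Polycom code). Its first part hands the mitigation's OpenSSL cipher string ‘HIGH:-COMPLEMENTOFDEFAULT’ to the local OpenSSL through Python's ssl module and lists the suites it enables, so you can confirm that the suite the phone lacks, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (OpenSSL name ECDHE-ECDSA-AES128-GCM-SHA256), is included and that no anonymous (ADH/AECDH) suite survived; the list reflects the local OpenSSL build, not the phone's TLS stack. Its second part implements the server identity rule of RFC 5922 section 7.2 that the DNS-SRV bug violates: the certificate must match the SIP domain you configured (a ‘sip:’ URI SAN or an exact dNSName), not the host the SRV lookup redirected to, and wildcards are never accepted. The domain names and SAN entries are constructed; the CN fallback of the RFC is omitted.

```python
"""Defender-side checks for the SIP-over-TLS bugs listed above (added example)."""
import ssl

# OpenSSL name of TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
MISSING_SUITE = "ECDHE-ECDSA-AES128-GCM-SHA256"
MITIGATION = "HIGH:-COMPLEMENTOFDEFAULT"


def expand_cipher_string(cipher_string: str) -> list:
    """Names of the TLS 1.2-and-below suites the local OpenSSL enables
    for cipher_string (raises ssl.SSLError if nothing matches)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)
    # TLS 1.3 suites (TLS_AES_..., TLS_CHACHA20_...) are always listed and are
    # not governed by the cipher string, so leave them out of the comparison.
    return [c["name"] for c in ctx.get_ciphers() if not c["name"].startswith("TLS_")]


def anonymous_suites(names: list) -> list:
    """Suites without server authentication (aNULL), which the
    -COMPLEMENTOFDEFAULT part of the mitigation is meant to strip."""
    return [n for n in names if n.startswith(("ADH-", "AECDH-"))]


def mitigation_is_sound(cipher_string: str = MITIGATION) -> bool:
    """True if the string enables the missing suite and no anonymous one."""
    names = expand_cipher_string(cipher_string)
    return MISSING_SUITE in names and not anonymous_suites(names)


def sip_domain_matches_cert(sip_domain: str, san_entries: list) -> bool:
    """RFC 5922 section 7.2 identity check.

    san_entries has the shape of ssl.getpeercert()['subjectAltName'],
    e.g. [('DNS', 'proxy01.example.com'), ('URI', 'sip:example.com')].
    sip_domain is the domain from the configured SIP URI / server address,
    NOT the target host returned by the DNS-SRV lookup.
    """
    want = sip_domain.lower().rstrip(".")
    for kind, value in san_entries:
        if kind == "URI" and value.lower().startswith("sip:"):
            candidate = value[len("sip:"):]
        elif kind == "DNS":
            candidate = value
        else:
            continue
        # exact comparison only: RFC 5922 forbids wildcard matching, so a
        # '*.example.com' entry never satisfies any SIP domain
        if candidate.lower().rstrip(".") == want:
            return True
    return False


if __name__ == "__main__":
    names = expand_cipher_string(MITIGATION)
    print(f"{MITIGATION} enables {len(names)} suites;",
          "missing suite present:", MISSING_SUITE in names,
          "anonymous suites:", anonymous_suites(names))
    # Constructed scenario: SIP domain example.com, SRV redirects to
    # proxy01.example.com, whose certificate only names the proxy host.
    srv_target_only = [("DNS", "proxy01.example.com")]
    proper = [("DNS", "proxy01.example.com"), ("URI", "sip:example.com")]
    print("cert for SRV target only:", sip_domain_matches_cert("example.com", srv_target_only))
    print("cert with sip: URI SAN:  ", sip_domain_matches_cert("example.com", proper))
```

A server certificate that only carries the SRV target's host name fails the second check even though a plain HTTPS-style validation against that host name would pass; that gap is what the ‘DNS-SRV redirection disables hostname validation’ bug amounts to.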
Responsible Disclosure: via E-mail
Firmware Update: missing Automation
  missing Newsletter

Miscellaneous

Model Range

Power Supply

48 V 0.52 A, Coaxial: 5.5 mm × 2.1 mm
