VoIP: SIP-over-TLS and sRTP: RTX

Because RTX is active in DECT, many re-brand their products. However, re-branding does not mean re-testing. Although quite experienced companies re-sell RTX, the original product was full of issues. Furthermore, with some companies, it is difficult to get the current firmware version. Snom is one of the few who offer the current version in a timely manner. Therefore, I went for their variant.

Last tested firmware

04.50 Branch 0007
retested in Oct. 2019 with 04.50 Branch 0012
retested in May 2020 with 04.50 Branch 0013


Password: admin/admin
Web → Security → Password
HTTPS: Web → Security → HTTPS: Enabled
Update: Web → Firmware Update
Default is TFTP. When Version or Branch is zero, no firmware is searched.
Each handset update takes 270 seconds; its status can be seen in Web → Extensions → Headset (yes, that is a tab) → FWU Progress.
Trust Anchors: Web → Security → Import Root Certificate: Binary
Web → Security → Use Only Trusted Certificates
SIP-URI User: Web → Extensions → (Extension) Add Extension → Extension
… Authentication User Name
SIP-URI Host: Web → Servers → Registrar
SIP-over-TLS: Web → Servers → SIP Transport: TLS
SDES-sRTP: Web → Servers → Secure RTP Auth: Enabled
Web → Servers → Secure RTP: Optional
which is RTP/SAVP + RTP/AVP

Bad Defaults

HD Voice (G.722): on default, disabled
Mitigation: Web → Servers → Codec Priority: (button) Reset Codecs

Software Bugs

Certificates: SHA-384 (and SHA-512) hashed certificates cannot be parsed (DECT-687)
which makes it incompatible with certificates from Sectigo and therefore DUStel and Linphone
error message Import: ‘Not all parameters were saved, because validation failed!’
error message Syslog: ‘SIPSERVICE: CertificateInvalid: Untrusted’
Mitigation: A) Web → Security → Use Only Trusted Certificates: Disabled
Mitigation: B) go for a SHA-256 chain like Let’s Encrypt or DigiCert
AES-256 sRTP: In an incoming call, if the first crypto suite is unknown, the whole SDP is rejected with SIP status 488, even if supported crypto suites were offered. In other words: The first crypto suite offered must be known to RTX; otherwise, the call is not accepted.
SHA-2 Digest: ignores algorithm and picks first; therefore incompatible with Linphone
DNS-NAPTR: missing
Compact Form: Content-Length (l) and Session-Expires (x) are not understood
SIP-over-TLS: TLS handshake of the Single-Cell variants takes 2.55 seconds, which makes TLS incompatible with Easybell Germany
SDES-sRTP: SDP parser does not understand media streams marked inactive, which makes sRTP incompatible with Easybell Germany
Audio DiffServ: on default, 0xA0
Mitigation: Web → Network → RTP ToS/QoS: 0xB8


Bugs: SIP-over-TLS without authentication (no Hostname Validation),
Privacy: device phones home via HTTP to http://provisioning.snom.com
Mitigation: Web → Management → Configuration Server:
An empty value would do TFTP to .255.
Responsible Disclosure: via E-mail
Firmware Update: missing Automation
Newsletter via E-mail


Model Range

Power Supply

5 V 0.6 A, Coaxial: 5.5 mm × 2.1 mm

back to the other phones.