VoIP: SIP-over-TLS and sRTP: RTX

Because RTX is active in the DECT market, many vendors re-brand its products. However, re-branding does not mean re-testing: although quite experienced companies re-sell RTX, the original product was full of issues. Furthermore, with some resellers it is difficult to obtain the current firmware version. Snom is one of the few who offer the current version in a timely manner; therefore, I went for their variant.

Last tested firmware

04.50 Branch 0007
retested in Oct. 2019 with 04.50 Branch 0012
retested in May 2020 with 04.50 Branch 0013

Configuration

Password: admin/admin
Web → Security → Password
HTTPS: Web → Security → HTTPS: Enabled
Update: Web → Firmware Update
The default transport is TFTP. When Version or Branch is set to zero, no firmware is searched for.
Each handset update takes 270 seconds; its status can be seen in Web → Extensions → Headset (yes, that is a tab) → FWU Progress.
Trust Anchors: Web → Security → Import Root Certificate: Binary
Web → Security → Use Only Trusted Certificates
SIP-URI User: Web → Extensions → (Extension) Add Extension → Extension
… Authentication User Name
SIP-URI Host: Web → Servers → Registrar
SIP-over-TLS: Web → Servers → SIP Transport: TLS
SDES-sRTP: Web → Servers → Secure RTP Auth: Enabled
Web → Servers → Secure RTP: Optional (offers both RTP/SAVP and RTP/AVP)

Bad Defaults

HD Voice (G.722): disabled by default
Mitigation: Web → Servers → Codec Priority: (button) Reset Codecs

Software Bugs

Certificates: SHA-384 (and SHA-512) hashed certificates cannot be parsed (DECT-687)
which makes it incompatible with certificates from Sectigo and therefore with DUStel and Linphone
Error message on import: ‘Not all parameters were saved, because validation failed!’
Error message in Syslog: ‘SIPSERVICE: CertificateInvalid: Untrusted’
Mitigation: A) Web → Security → Use Only Trusted Certificates: Disabled
Mitigation: B) go for a SHA-256 chain like Let’s Encrypt or DigiCert
AES-256 sRTP: In an incoming call, if the first crypto suite is unknown, the whole SDP is rejected with SIP status 488, even if supported crypto suites were offered. In other words: The first crypto suite offered must be known to RTX; otherwise, the call is not accepted.
SHA-2 Digest: ignores the algorithm parameter and picks the first challenge offered; therefore incompatible with Linphone
DNS NAPTR: not supported
Compact Form: the compact header names for Content-Length (l) and Session-Expires (x) are not understood
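The two SIP-level bugs above (picking the first Digest challenge regardless of its algorithm, and not understanding compact header names) can be illustrated with a small parser. The following is an added example, not code from RTX or Snom: it models a hypothetical client that expands compact names per RFC 3261 (plus x for Session-Expires from RFC 4028) and walks the WWW-Authenticate challenges in server order, taking the first one whose algorithm it implements, as RFC 8760 intends. The 401 response it parses is constructed; the nonce values and the supported-algorithm set are assumptions.

```python
"""Parse a SIP response, expand compact header names and choose a Digest
challenge by algorithm (RFC 3261 sections 7.3.3 and 20, RFC 8760).
Added example with a hypothetical client; the 401 below is constructed."""
import re
from typing import Optional

# Compact forms from RFC 3261 section 20 plus Session-Expires (x) from RFC 4028.
COMPACT_HEADERS = {
    "i": "Call-ID", "m": "Contact", "e": "Content-Encoding",
    "l": "Content-Length", "c": "Content-Type", "f": "From",
    "s": "Subject", "k": "Supported", "t": "To", "v": "Via",
    "x": "Session-Expires",
}

# Digest algorithms this hypothetical client implements (assumption).
SUPPORTED_ALGORITHMS = {"SHA-256", "MD5"}

# Constructed 401 that mixes compact names with three challenges, listed in
# the server's preference order as RFC 8760 requires.
SAMPLE_401 = (
    "SIP/2.0 401 Unauthorized\r\n"
    "v: SIP/2.0/TLS 192.0.2.10:5061;branch=z9hG4bK776asdhds\r\n"
    "f: <sip:alice@example.com>;tag=1928301774\r\n"
    "t: <sip:alice@example.com>;tag=a6c85cf\r\n"
    "i: a84b4c76e66710\r\n"
    "CSeq: 1 REGISTER\r\n"
    'WWW-Authenticate: Digest realm="example.com", nonce="n1", algorithm=SHA-512-256, qop="auth"\r\n'
    'WWW-Authenticate: Digest realm="example.com", nonce="n2", algorithm=SHA-256, qop="auth"\r\n'
    'WWW-Authenticate: Digest realm="example.com", nonce="n3", algorithm=MD5, qop="auth"\r\n'
    "x: 1800;refresher=uas\r\n"
    "l: 0\r\n"
    "\r\n"
)


def parse_headers(message: str) -> list:
    """Return (name, value) pairs in message order with compact names expanded."""
    head = message.split("\r\n\r\n", 1)[0]
    headers = []
    for line in head.split("\r\n")[1:]:  # [0] is the status or request line
        if not line:
            continue
        name, _, value = line.partition(":")
        name = name.strip()
        # Header names are case-insensitive, so "L: 0" is Content-Length too.
        headers.append((COMPACT_HEADERS.get(name.lower(), name), value.strip()))
    return headers


def header(message: str, wanted: str) -> Optional[str]:
    """First value of a header, compared case-insensitively on the long name."""
    for name, value in parse_headers(message):
        if name.lower() == wanted.lower():
            return value
    return None


def parse_digest_challenge(value: str) -> dict:
    """Turn 'Digest realm="x", nonce="y", algorithm=SHA-256' into a dict."""
    scheme, _, params = value.partition(" ")
    if scheme.lower() != "digest":
        return {}
    out = {}
    for m in re.finditer(r'(\w+)=(?:"([^"]*)"|([^,\s]+))', params):
        out[m.group(1).lower()] = m.group(2) if m.group(2) is not None else m.group(3)
    return out


def first_challenge(message: str) -> Optional[dict]:
    """The behaviour described for RTX: take the first challenge, ignore algorithm."""
    for name, value in parse_headers(message):
        if name.lower() == "www-authenticate":
            return parse_digest_challenge(value)
    return None


def choose_challenge(message: str) -> Optional[dict]:
    """Walk the challenges in server order and take the first one whose
    algorithm we implement; a missing algorithm parameter means MD5."""
    for name, value in parse_headers(message):
        if name.lower() != "www-authenticate":
            continue
        challenge = parse_digest_challenge(value)
        if challenge.get("algorithm", "MD5").upper() in SUPPORTED_ALGORITHMS:
            return challenge
    return None


if __name__ == "__main__":
    print("Content-Length:", header(SAMPLE_401, "Content-Length"))
    print("Session-Expires:", header(SAMPLE_401, "Session-Expires"))
    print("naive pick:", first_challenge(SAMPLE_401)["algorithm"])
    print("correct pick:", choose_challenge(SAMPLE_401)["algorithm"])
```

With the constructed response, the naive pick lands on the SHA-512-256 challenge the client cannot answer, which is the failure mode Linphone triggers; the order-aware pick answers the SHA-256 challenge, and a server that omits the algorithm parameter still gets an MD5 answer.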
SIP-over-TLS: TLS handshake of the Single-Cell variants takes 2.55 seconds, which makes TLS incompatible with Easybell Germany
SDES-sRTP: SDP parser does not understand media streams marked inactive (a=inactive), which makes sRTP incompatible with Easybell Germany
Audio DiffServ: 0xA0 by default
Mitigation: Web → Network → RTP ToS/QoS: 0xB8
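The two SDP bugs in this list (rejecting the whole offer with 488 when the first crypto suite is unknown, and not understanding inactive media streams) come down to answering an offer stream by stream. The following added example, which is not code from RTX or Snom, shows the RFC 4568 behaviour for a hypothetical endpoint: for each RTP/SAVP stream it takes the first suite in the offerer's order that it supports, an inactive stream is answered inactive rather than treated as an error, and only when no stream at all can be accepted is a 488 justified. Both offers, the placeholder key strings and the supported-suite set are constructed assumptions.

```python
"""Answer an SDES-sRTP offer stream by stream (RFC 4566, RFC 4568) instead of
rejecting the whole SDP when the first crypto suite is unknown or a stream is
inactive. Added example with a hypothetical endpoint; both offers are constructed."""
from typing import Optional

# Suites this hypothetical endpoint implements (assumption).
SUPPORTED_SUITES = {"AES_CM_128_HMAC_SHA1_80", "AES_CM_128_HMAC_SHA1_32"}
DIRECTIONS = {"sendrecv", "sendonly", "recvonly", "inactive"}

# Constructed offer: the AES-256 suite comes first, a supported one second,
# and the video stream is marked inactive. Key material is placeholder text.
OFFER = """v=0
o=alice 2890844526 2890844526 IN IP4 192.0.2.10
s=-
c=IN IP4 192.0.2.10
t=0 0
m=audio 49170 RTP/SAVP 0 8 101
a=rtpmap:0 PCMU/8000
a=crypto:1 AES_256_CM_HMAC_SHA1_80 inline:PLACEHOLDER_256_KEY_NOT_A_REAL_VALUE 2^20|1:32
a=crypto:2 AES_CM_128_HMAC_SHA1_80 inline:PLACEHOLDER_128_KEY_NOT_A_REAL_VALUE
a=sendrecv
m=video 51372 RTP/AVP 96
a=rtpmap:96 H264/90000
a=inactive
"""

# Same constructed offer with only the unsupported suite on the audio stream.
OFFER_ONLY_256 = "\n".join(
    line for line in OFFER.splitlines() if not line.startswith("a=crypto:2")) + "\n"


def parse_sdp(offer: str) -> list:
    """Return one dict per m= line with its proto, direction and crypto lines."""
    media = []
    session_direction = "sendrecv"  # default when no direction attribute is present
    current = None
    for line in offer.replace("\r\n", "\n").split("\n"):
        if not line:
            continue
        kind, _, value = line.partition("=")
        if kind == "m":
            mtype, port, proto, *fmts = value.split()
            current = {"type": mtype, "port": int(port), "proto": proto,
                       "fmts": fmts, "direction": None, "crypto": []}
            media.append(current)
        elif kind == "a":
            name, _, rest = value.partition(":")
            if name in DIRECTIONS:
                if current is None:
                    session_direction = name  # session-level attribute
                else:
                    current["direction"] = name
            elif name == "crypto" and current is not None:
                tag, suite, key_params, *session_params = rest.split()
                current["crypto"].append({"tag": int(tag), "suite": suite,
                                          "key": key_params, "params": session_params})
    for m in media:  # media lines inherit the session-level direction
        if m["direction"] is None:
            m["direction"] = session_direction
    return media


def select_crypto(m: dict) -> Optional[dict]:
    """First suite in the offerer's order that we implement, or None."""
    for c in m["crypto"]:
        if c["suite"] in SUPPORTED_SUITES:
            return c
    return None


def answer_media(offer: str) -> list:
    """Per stream: ('accepted', suite), ('inactive', None) or ('rejected', None).
    A rejected stream gets port 0 in the answer; the session itself survives."""
    decisions = []
    for m in parse_sdp(offer):
        if m["direction"] == "inactive":
            decisions.append((m["type"], "inactive", None))
        elif m["proto"] == "RTP/SAVP":
            chosen = select_crypto(m)
            if chosen is None:
                decisions.append((m["type"], "rejected", None))
            else:
                decisions.append((m["type"], "accepted", chosen["suite"]))
        else:
            decisions.append((m["type"], "accepted", None))
    return decisions


def offer_is_acceptable(offer: str) -> bool:
    """488 Not Acceptable Here is only right when no stream can be accepted."""
    return any(d == "accepted" for _, d, _ in answer_media(offer))


if __name__ == "__main__":
    print(answer_media(OFFER), offer_is_acceptable(OFFER))
    print(answer_media(OFFER_ONLY_256), offer_is_acceptable(OFFER_ONLY_256))
```

On the first offer the audio stream is accepted with AES_CM_128_HMAC_SHA1_80 even though an unknown suite was listed first, and the inactive video stream is carried through; only the second offer, where nothing on any stream is supported, warrants a 488.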

Security

Bugs: SIP-over-TLS without server authentication (no hostname validation of the registrar's certificate), missing TLS_ECDHE_[RSA|ECDSA]_WITH_AES_128_GCM_SHA256
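The hostname validation that is missing here is the step that ties a TLS connection to the registrar host configured under Web → Servers → Registrar: without it, any certificate the phone's trust anchors accept is good enough. The following added example, not code from RTX or Snom, implements that check the way RFC 6125 section 6.4.3 describes it: exact dNSName matches, a wildcard only as the whole leftmost label with at least two labels to its right, and IP literals matched only against iPAddress entries. The certificate dict is constructed in the shape Python's ssl.SSLSocket.getpeercert() returns.

```python
"""Hostname validation for SIP-over-TLS: match the configured registrar host
against the subjectAltName entries of the server certificate (RFC 6125 6.4.3).
Added example; the certificate dict is constructed in the getpeercert() shape."""
import ipaddress

# Constructed peer certificate as ssl.SSLSocket.getpeercert() would present it.
SAMPLE_CERT = {
    "subject": ((("commonName", "sip.example.com"),),),
    "subjectAltName": (("DNS", "sip.example.com"), ("DNS", "*.example.com"),
                       ("IP Address", "192.0.2.10")),
}


def dns_names(cert: dict) -> list:
    """dNSName SAN entries; the CN is ignored once a SAN extension exists."""
    return [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]


def dnsname_matches(pattern: str, host: str) -> bool:
    """One SAN entry against one host: exact match, or a wildcard that is the
    whole leftmost label with at least two labels to its right."""
    p = pattern.rstrip(".").lower().split(".")
    h = host.rstrip(".").lower().split(".")
    if len(p) != len(h) or "" in p:
        return False
    if p[0] == "*":
        return len(p) >= 3 and p[1:] == h[1:]
    if "*" in pattern:
        return False  # partial wildcards such as sip*.example.com are not honoured
    return p == h


def hostname_matches(cert: dict, host: str) -> bool:
    """Does the certificate name the host configured as registrar?"""
    try:
        ipaddress.ip_address(host)
    except ValueError:
        return any(dnsname_matches(n, host) for n in dns_names(cert))
    # An IP literal can only match an iPAddress SAN entry, never a dNSName.
    return any(k == "IP Address" and v == host
               for k, v in cert.get("subjectAltName", ()))


if __name__ == "__main__":
    for candidate in ("sip.example.com", "pbx.example.com", "a.b.example.com",
                      "sip.example.net", "192.0.2.10"):
        print(candidate, hostname_matches(SAMPLE_CERT, candidate))
```

In a real client the dict would come from the socket after the handshake, and a False result must abort the registration before any credentials are sent; Python's own ssl module performs the same check when check_hostname is enabled, so the function here only makes the rules visible.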
Privacy: device phones home via HTTP to http://provisioning.snom.com
Mitigation: Web → Management → Configuration Server: http://0.0.0.0
An empty value would instead make the device try TFTP towards .255.
Responsible Disclosure: via E-mail
Firmware Update: no automatic update mechanism
Newsletter via E-mail

Miscellaneous

Model Range

Power Supply

5 V 0.6 A, Coaxial: 5.5 mm × 2.1 mm
