
SPA112 TLS SRTP Support

wvt560994
Level 1

How do you set this thing up to use TLS? You can select TLS under SIP transport but that's it. Where do I upload the certificates? I called Cisco Support and they couldn't figure it out either.

24 Replies

ADAM CRISP
Level 4

Hi Matt,

I have TLS/SRTP working OK to our network.

What are you connecting your SPA to - a SIP service provider or a SIP PBX - CME etc?

SIP service provider support for TLS and SRTP is rare - so check whether they support this before wasting your time.

The SPAs, when using TLS, don't check certificates, and as far as I am aware you can't upload one directly from the web interface (and since checking isn't performed it's unnecessary).

Older SPAs used to use proprietary SRTP; however, the newer ones, including the SPA112, are set to use the standard s-descriptor.

The procedure for configuring SIP over TLS/SRTP is the same as for the SPA phones.

For an example check out STEP 3 on

http://www.voip.co.uk/cisco-spa300500-telephones/

Miss out points 5 & 6, as the SPA112, as mentioned already, does s-descriptor.

I hope this helps.

Adam

Line 1 Status

Hook State: Off
Registration State: Registered
Last Registration At: 11/24/2012 08:14:22
Next Registration In: 33 s
Message Waiting: No
Mapped SIP Port:
Call Back Active: No
Last Called Number: 01869222500
Last Caller Number:
Call 1 State: Connected
Call 1 Tone: None
Call 1 Encoder: G711a
Call 1 Decoder: G711a
Call 1 FAX: No
Call 1 Type: Outbound, Secure
Call 1 Remote Hold: No
Call 1 Callback: No
Call 1 Peer Name:
Call 1 Peer Phone: 01869222500
Call 1 Duration: 00:00:36
Call 1 Packets Sent: 1800
Call 1 Packets Recv: 1780
Call 1 Bytes Sent: 288000
Call 1 Bytes Recv: 284800
Call 1 Decode Latency: 110 ms
Call 1 Jitter: 4 ms
Call 2 Jitter:
Call 1 Round Trip Delay: 0 ms
Call 1 Packets Lost: 0
Call 1 Packet Error: 0

I'm trying to get it to connect to a local Asterisk 11 server. The Asterisk docs show using certificates on both ends:

https://wiki.asterisk.org/wiki/display/AST/Secure+Calling+Tutorial.

Thanks for the help!

OK.

I recommend getting the ATA working with SIP/UDP first. You then know all the SIP stuff is OK. Then make the few configuration changes to enable TLS and SRTP,

i.e.

Click on Voice in Admin mode

1. Click Line 1, SIP Settings, Sip Transport = TLS

2. Unless you have a fully configured set of DNS parameters, you probably want to change the SIP port to 5061

3. Supplementary Services > Service Subscription - I'd make sure Secure Call Serv is set to yes

4. Click User 1,

Supplementary Service Settings: Secure Call Setting: YES

I know nothing about Asterisk with regards to TLS. I don't know whether this will expect you to upload a certificate from the SPA - I would suggest that you may want to look for a setting to disable certificate checking.

thanks

Adam

bogdanb
Level 1

Reviving an old topic.


I'm trying to connect an SPA112 running FW 1.4.1SR5 to my RASPBX (Asterisk 16.13.0 & FreePBX 15.0.16.75) and I'm not sure what settings I need to apply for TLS.


So basically what I understand so far:

Voice > Line1
SIP settings: SIP transport = TLS, SIP port = 5061

Voice > User 1

Supplementary Service Settings: Secure Call Setting: YES


What about the certificate? My PBX uses a Let's Encrypt certificate and so far I didn't need to download the certs myself. My other extensions (Zoiper on Android) handled the certificate automatically. How do I handle the certs with SPA112?


Thanks   

Neither an application nor an operating system should claim a CA trusted on your behalf. It's Zoiper's (or Android's) faulty behavior, not an SPA112 issue. Only you shall have sovereignty to claim a CA trusted.
Unless you intentionally did it on the SPA112, LE certificates are rejected as untrusted.

It's my fault, my statement wasn't very clear. What I wanted to say is that Zoiper gives me the opportunity to accept/trust the certificate automatically and I don't need to download/import it myself. I don't know how to do this with the SPA112; there is no message coming up informing me that I have to trust a certificate. Maybe I'm not configuring it correctly.

The certificate of the trusted root needs to be configured as "Custom CA". Only a single CA can be configured as trusted at the same time. Intermediate certificates, if necessary, need to be sent by the server during TLS setup.

See also Delay caused by SSL handshaking

Ok, so in this case I need to set my Custom CA URL to https://letsencrypt.org/certificates/, namely ISRG Root X1? My PBX is configured to use certificates from Let's Encrypt in order to secure the communication.

Nope, apparently not


[2021-11-08 10:50:20] WARNING[1817]: pjproject: <?>: SSL SSL_ERROR_SSL (Handshake): Level: 0 err: <336151576> <SSL routines-ssl3_read_bytes-tlsv1 alert unknown ca> len: 0 peer: xx.xx.xx.xxx:5078


Custom CA Status
Custom CA Provisioning Status:    Last provisioning failed on 11/08/2021 10:50:10
Custom CA Info:    Not Installed

Are you trying to fetch the certificate via HTTPS? Really?
Is the SSL session in question secured by a certificate issued by a trusted root CA?

Is the SSL session in question secured by a certificate issued by a trusted root CA?

No


Are you trying to fetch the certificate via HTTPS? Really?

It's my extension trying to connect and the message is given by the PBX. The extension is configured as I already described before.

Again, my question was related to the settings that I need to make so that my SPA112 can connect securely.

Certificate of trusted root needs to be configured as "Custom CA".


According to Let's Encrypt: "Our roots are kept safely offline. We issue end-entity certificates to subscribers from the intermediates in the next section. For additional compatibility as we submit our new Root X2 to various root programs, we have also cross-signed it from Root X1.


Any ideas?

Your extension is trying to download the root certificate via HTTPS just because you commanded it to fetch from HTTPS. It's doing nothing by itself. You can either use an HTTP source (not HTTPS) or you can use HTTPS, but it must use a certificate issued by a trusted authority. I assume you wish to use HTTP.
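As an added example (not from this thread or from Cisco) of reading the two status dumps above together: it parses the pjproject "unknown ca" alert the PBX logged and the SPA's Custom CA Status block, and correlates them to point at the ATA's missing trust anchor. The sample log is constructed after the lines in the thread, with a documentation IP in place of the masked peer address.

```python
import re
from datetime import datetime

# Constructed sample input modelled on the lines pasted in this thread; the peer IP is a
# documentation address standing in for the masked xx.xx.xx.xxx.
ASTERISK_LOG = [
    "[2021-11-08 10:50:20] WARNING[1817]: pjproject: <?>: SSL SSL_ERROR_SSL (Handshake): "
    "Level: 0 err: <336151576> <SSL routines-ssl3_read_bytes-tlsv1 alert unknown ca> "
    "len: 0 peer: 192.0.2.10:5078",
]
SPA_STATUS = """Custom CA Status
Custom CA Provisioning Status:    Last provisioning failed on 11/08/2021 10:50:10
Custom CA Info:    Not Installed"""

# pjproject logs the TLS alert the *client* sent: "unknown ca" means the ATA could not chain
# the PBX certificate to a CA it trusts, so it is the ATA's trust store that needs fixing.
LOG_RE = re.compile(
    r"^\[(?P<ts>[\d-]+ [\d:]+)\] WARNING\[\d+\]: pjproject: .*?Handshake.*?"
    r"<SSL routines-.*?-tlsv1 alert (?P<alert>[a-z ]+)>.*?peer: (?P<peer>[\d.]+):(?P<port>\d+)")

def parse_asterisk_alert(line):
    """Return (timestamp, alert, peer_ip, peer_port) for a pjproject TLS alert line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return (datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), m["alert"].strip(),
            m["peer"], int(m["port"]))

def parse_spa_ca_status(text):
    """Return (last_failure_time or None, installed) from the SPA's Custom CA Status block."""
    failed = re.search(r"Last provisioning failed on (\d+/\d+/\d+ [\d:]+)", text)
    failed_at = datetime.strptime(failed.group(1), "%m/%d/%Y %H:%M:%S") if failed else None
    return failed_at, "Not Installed" not in text

def diagnose(asterisk_lines, spa_status, window_s=60):
    """Correlate PBX-side alerts with the ATA's Custom CA state and name the likely cause."""
    alerts = [a for a in map(parse_asterisk_alert, asterisk_lines) if a]
    failed_at, installed = parse_spa_ca_status(spa_status)
    result = {"alerts": [(a[1], a[2], a[3]) for a in alerts], "cause": "unknown",
              "ca_fetch_failed_seconds_before": None, "action": ""}
    unknown_ca = [a for a in alerts if a[1] == "unknown ca"]
    if unknown_ca and not installed:
        result["cause"] = "no_custom_ca"
        result["action"] = ("Install the root that issued the PBX certificate as the single Custom CA, "
                            "fetched over plain HTTP; the PBX must send any intermediate itself.")
        if failed_at is not None:  # did the CA download fail just before the rejected handshake?
            delta = min(a[0] - failed_at for a in unknown_ca).total_seconds()
            if 0 <= delta <= window_s:
                result["ca_fetch_failed_seconds_before"] = int(delta)
    return result
```

On the thread's own values the diagnosis comes out as "no_custom_ca" with the failed CA fetch 10 seconds before the rejected handshake, which matches the advice to switch the Custom CA source to HTTP.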

I haven't commanded my extension to do anything. The only settings I changed in addition to setting up the account/extension were the following:


SIP Transport: TLS

SIP Port: 5061

Secure Call Setting: Yes


But ...


Registration State:  Failed


I'll try to open a case with Cisco about this.

LE: I also set Provisioning > Configuration Profile > Transport Protocol: HTTP (instead of HTTPS). Doesn't help.