SPA112 with 1.4.1 sr3 won't register on VoIP.ms with TLS/SRTP.

Hi. Wondering if anyone has tried TLS/SRTP with a Cisco SPA ATA or phone and this carrier?

I started with this SPA112 with factory default settings, adjusted them using the Voip.ms requirements for UDP mode and it registered and made calls successfully. I also tried it in TCP mode and it registered and made calls successfully. After that I applied the settings proposed by Voip.ms in their wiki https://wiki.voip.ms/article/Call_Encryption_-_TLS/SRTP but this device failed to register in TLS/SRTP mode. (On a separate note I have a softphone set for TLS/SRTP that works OK with Voip.ms but not this iron.)

After some reading I discussed the issue with tech support at the carrier. They quickly responded by supplying an http URL to insert into the Voice Provisioning section and test as the Custom CA URL. While the Custom CA URL installs successfully according to the Voice Information screen, the device still fails to register.

I am attaching the debug output from the ATA during the time I followed the configuration steps proposed by Voip.ms. Comments have been added to highlight each step. If anyone can spot anything meaningful in the log I would appreciate hearing about it.

Thanks

Edward


12 Replies

Dan Lukes (VIP Alumni)

The syslog you disclosed is the log of the SPA112's operating system. It has no value for the purpose of debugging SIP issues. The syslog messages fired by the voice application running on the SPA112 need to be captured. Read Debug and syslog Messages from SPA1x2.

Note that TLS, SIP and SRTP are (almost) independent communication layers. The TLS connection needs to be established first. It's meaningless to speak about SIP (including SIP register) unless TLS is established successfully.

I have the same SPA112 with the same 1.4.1 sr3 and also can't connect to voip.ms with TLS/SRTP. It looks like the SPA doesn't want to connect with port 5061. I have this line active on port 5061, and it worked before enabling TLS.

Here's the SPA syslog.

05-12-2019 00:21:42 Local0.Info 192.168.6.251 [1]SIP/TCP Backoff 2000 ms
05-12-2019 00:21:42 Local0.Info 192.168.6.251 [1:0]SIP/TLS:Connect Failed
05-12-2019 00:21:42 Local0.Info 192.168.6.251 [1:0]SIP/TLS:Connect=-1
05-12-2019 00:21:42 Local0.Info 192.168.6.251 [1:0]SIP/TLS:Connecting(11)...
05-12-2019 00:21:42 Local0.Info 192.168.6.251 [1:0]SIP/TCP:Connect=0
05-12-2019 00:21:42 Local0.Info 192.168.6.251 [1:0]SIP/TCP:Connecting(11)...
05-12-2019 00:21:42 Local0.Info 192.168.6.251 [1]SIP/TCP NewLocalPort:0
05-12-2019 00:21:41 Local0.Info 192.168.6.251 [1]SIP/TCP Backoff 1000 ms
05-12-2019 00:21:41 Local0.Info 192.168.6.251 [1:0]SIP/TLS:Connect Failed
05-12-2019 00:21:41 Local0.Info 192.168.6.251 [1:0]SIP/TLS:Connect=-1
05-12-2019 00:21:41 Local0.Info 192.168.6.251 [1:0]SIP/TLS:Connecting(11)...
05-12-2019 00:21:41 Local0.Info 192.168.6.251 [1:0]SIP/TCP:Connect=0
05-12-2019 00:21:41 Local0.Info 192.168.6.251 [1:0]SIP/TCP:Connecting(11)...
05-12-2019 00:21:41 Local0.Info 192.168.6.251 [1]SIP/TCP NewLocalPort:5061

05-12-2019 00:21:42 Local0.Info 192.168.6.251 [1:0]SIP/TLS:Connect Failed

Messages with facility Local0 and severity Info are not enough to analyze the issue. We need all syslog messages from the SPA112, including but not limited to those of facility local1, local2 and local3 and severity debug.

 

Partly resolved.

It looks like adding the Let's Encrypt root certificate to the SPA112 lets this work.

But the SPA112 doesn't take https links (https://letsencrypt.org/certs/trustid-x3-root.pem.txt), so putting the cert file on an http server works.

Is there a better way to do this? Maybe a fix/option to load certs from https locations? Or a way to more permanently or automatically pull the cert file?

I'm just looking for a way to not introduce a failure point into the phone system by having to load a cert file that might not always be accessible or might change.

It looks like adding the Let's Encrypt root certificate to the SPA112 lets this work.

Import of the root CA certificate of the certificate used is a mandatory step of the setup. There is no way to make it work without it.

But the SPA112 doesn't take https links (https://letsencrypt.org/certs/trustid-x3-root.pem.txt), so putting the cert file on an http server works.

If you have no root certificate imported, then the HTTPS connection is considered untrusted, so it fails. If you have the root CA imported already, the HTTPS connection is possible, but unnecessary - you need not import the same CA certificate again.

In short - either you can't use https or you need not use it.

Is there a better way to do this?

Import of the root CA needs to be done once. It need not be repeated unless the phone is wiped to the factory default state.

But yes, you can avoid all those issues - forget Let's Encrypt, use certificates issued by Cisco for the purpose. The required root CA is part of the firmware; it need not be imported at all.

 


@Dan Lukes wrote:

But yes, you can avoid all those issues - forget Let's Encrypt, use certificates issued by Cisco for the purpose. The required root CA is part of the firmware; it need not be imported at all.

Outstanding, thank you for the detailed reply above.

Regarding forgetting Let's Encrypt and using certificates issued by Cisco, do you mean voip.ms on their side need to use the Cisco certificates? Not sure how likely it is voip.ms as a provider will be interested in changing the certs they use.

Any direction on where to point the voip.ms support team to look at making this change on their side?

I'm trying to bring all this information into one place to make this as easy as possible for anyone looking at making this a permanent change.

Regarding forgetting Let's Encrypt and using certificates issued by Cisco, do you mean voip.ms on their side need to use the Cisco certificates?

It must be a misunderstanding. The original text says about voip.ms support: "They quickly responded by supplying an http URL to insert into the Voice Provisioning section and test as the Custom CA URL." According to it I assumed voip.ms is using http to deliver the configuration. I assumed you are trying to configure the SPA112 by yourself, using your own HTTP(S) server.

With a third party server out of your control, you have no choice but to import the appropriate root CA via Custom CA URL. But it needs to be done once. I'm almost sure VOIP.MS will not switch certificate supplier from Let's Encrypt to Cisco. VOIP.MS supports not only Cisco's phones; it supports a wide range of vendors, so Cisco's certificate is not a solution for VOIP.MS.

I'm trying to bring all this information into one place to make this as easy as possible for anyone looking at making this a permanent change.

Most of the information I mentioned is taken from the Administrator's guide.

Hi Dan. Thank you for the advice to read Debug and syslog Messages from SPA1x2. I did not realize there were two different places to set logs on the SPA device. I recall reading the output of the one I posted and thought it somewhat light on detail, but then I was new to this device. That is when I thought to ask the forum.

To make a long story short, yes, the carrier supplied an HTTP URL for the custom CA URL field for testing.

I got Wireshark going for a second go around. After the test this past weekend failed, it was discovered today they made an honest error in implementing the certificate. That was fixed up this afternoon. As of about half an hour ago the SPA112 has successfully registered with TLS and a few test calls have been made. Once the error was found and corrected, all I had to do was remove the custom CA URL, reboot the device and reinstall the same custom CA URL. I don't know if the reboot was necessary but I figured it could not hurt after all the messing around.

Thank you everyone.

Edward

TomStr5786630 (Level 1)

Sorry, new here. Trying to set up TLS on an SPA112.

I received my cert file from Voip.ms today. Not sure what I'm missing. I understand I simply had to host this .pem file and it should work. So I hosted it on an internal server like http://myinternalip/client_cert.pem and specified the path in Provisioning > Custom CA URL.

Would this suffice, or am I totally off and should just give up now? :)

Anyone want to spell out the steps they took to get this working?

Hi TomStr5786630. Initially the carrier supplied me with a cert file as well. After I supplied them with Cisco documentation indicating that the device did not have a way to make use of the file, they supplied me with an HTTP URL to install in the Voice > Provisioning > Custom CA URL field. This was to test. Unfortunately the initial certificate had an error in it and did not work... it does not matter whether it was you hosting or them hosting. This got fixed today and now it works. So I imagine their next step is to write up the solution, implement it at their end and spread the word.

I would just put this whole thing on hold until the carrier supplies you the required http URL that leads to the correct certificate for the city#.voip.ms proxy you are using. As the tech support people just figured this out today, it will probably take a day or two for word of the correct solution to spread to the call centre staff.

Once you have the URL, the only other things to do are:
1) Switch the SIP Transport setting on Line 1 from UDP to TLS.
2) Change the port from 5060 to 5061 on Line 1, or one of the other approved ports in the TLS setup instructions from voip.ms.
3) Check that Supplementary Service Subscription > Secure call serve on Line 1 is set to YES.
4) Then go to User 1 and set Secure Call Setting to YES.
5) There is also a setting at Voice > SIP > SIP Parameter > SIP TCP Port MAX that is probably set to 5080. I don't know for sure but it would not hurt to set it to 5081... not sure how TCP and TLS make use of this here, but there is a chance it would use port 5081. Maybe someone here with more experience could comment on whether this is actually necessary. I figured it can't hurt.
Of course you also have to go to your voip.ms account and change the advanced setting on your subaccount from Encrypt NO to YES.

That is the sum total of what I used to make it work once they fixed the certificate issue.

Edward

Thanks Edward. Glad to see I've done things correctly. I will get back to voip.ms support in a bit to see what's happening with their solution... Like you said, maybe a little more time until they figure out a better solution and have the details posted.

Tom

Looks like the CA cert and solution have been posted on the Voip.ms Wiki here: https://wiki.voip.ms/article/Cisco_SPA112#Configuring_a_Voice_line_using_TLS
Successfully connected via TLS.