<h1>TLS SIP support on the Cisco SPA112 ATA</h1>
<p>Louis-Philippe Véronneau (veronneau.org), published 2019-05-09, updated 2019-05-14</p>
<p>A few days ago, my SIP provider (the ever reliable <a href="https://voip.ms">VoIP.ms</a>) rolled
out TLS+SRTP support. As much as I like their service, it was about time.</p>
<p>Following their <a href="https://wiki.voip.ms/article/Call_Encryption_-_TLS/SRTP">wiki</a>, I was able to make my Android smartphone work
with TLS. Sadly, the Android SIP stack does not support TLS and I had to
migrate to Linphone. It's a small price to pay for greatly increased security,
but the Linphone interface and integration with the rest of the OS aren't as good.</p>
<p>I did have a lot of trouble getting my old Cisco SPA112 ATA working with TLS
though. Although I set up the device correctly, I couldn't get it to register.</p>
<p>As always, the VoIP.ms support staff was incredibly helpful and reproduced the
error I was getting in their lab<sup id="fnref:1"><a class="footnote-ref" href="#fn:1">1</a></sup>. Apparently, the trouble stems from the
latest firmware (1.4.1 SR3). After downgrading to 1.4.1 SR1, I was able to have
the device successfully register with TLS.</p>
<p>Note that since SRTP is mandatory with TLS on VoIP.ms's servers, you'll need to
activate the <code>Secure Call Serv</code> option in the <code>Line 1</code> menu and the <code>Secure Call
Setting</code> in the <code>User 1</code> menu in addition to changing the protocol and the port.</p>
<p>If, like me, you had the device running a more recent firmware version and want to
downgrade, you will have to disable the HTTPS web interface since the snakeoil
certificate used interferes with the firmware upgrade process.</p>
<h3>2019-05-14 update</h3>
<p>One of the changes in 1.4.1 SR3 firmware is that the SPA112 now validates TLS
certificates, as per <a href="https://quickview.cloudapps.cisco.com/quickview/bug/CSCvm49157">issue CSCvm49157</a> in the <a href="https://www.cisco.com/c/en/us/td/docs/voice_ip_comm/csbpvga/spa100-200/release/source/spa112-122-rn-1-4-1-SR3/spa112-122-rn-1-4-1-SR3.html">release notes</a>.
The problem I had registering the device was caused by
a missing Let’s Encrypt root certificate in its certificate store.</p>
<p>Thanks to Michael Davie for pointing this out to me! It turns out VoIP.ms also
did their job and <a href="https://wiki.voip.ms/article/Cisco_SPA112#Configuring_a_Voice_line_using_TLS">updated their documentation</a> to include a section on
adding a new root CA cert to the device. Sadly, the link they provide on their
wiki is a plain HTTP one. I'd recommend you use the LE Root CA directly:
<code>https://letsencrypt.org/certs/isrgrootx1.pem.txt</code></p>
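<p>The failure described in this update, reproduced offline as an added example (not code from the original post, Cisco or VoIP.ms): validation fails against a trust store that lacks the issuing root and succeeds once that root is added. A throwaway CA stands in for Let's Encrypt, and the host name <code>sip.example.test</code> and the functions <code>make_demo_pki</code>, <code>chain_validates</code> and <code>add_root</code> are assumptions made for the demo.</p>

```bash
#!/usr/bin/env bash
# Added example. Every key and certificate here is a constructed throwaway.
set -u

# Build a demo PKI in directory $1.
make_demo_pki() {
    local d="$1"
    # "issuer": the root that signs the server certificate (role of the provider's CA).
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Demo Issuing Root" \
        -keyout "$d/issuer.key" -out "$d/issuer.pem" 2>/dev/null || return 1
    # "old": an unrelated root, the only one in the outdated trust store.
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Demo Old Root" \
        -keyout "$d/old.key" -out "$d/old.pem" 2>/dev/null || return 1
    # Server key and CSR (hypothetical host name), signed by the issuing root.
    openssl req -newkey rsa:2048 -nodes -subj "/CN=sip.example.test" \
        -keyout "$d/server.key" -out "$d/server.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$d/server.csr" -CA "$d/issuer.pem" -CAkey "$d/issuer.key" \
        -CAcreateserial -days 2 -out "$d/server.pem" 2>/dev/null || return 1
}

# Exit status 0 only if certificate $2 chains to a root in PEM bundle $1.
chain_validates() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Add root $2 to trust store $1, writing the combined bundle to $3.
add_root() {
    cat "$1" "$2" > "$3"
}

demo() {
    local d
    d=$(mktemp -d) || return 1
    make_demo_pki "$d" || { rm -rf "$d"; return 1; }
    chain_validates "$d/old.pem" "$d/server.pem" \
        && echo "old store: chain OK" || echo "old store: validation FAILS"
    add_root "$d/old.pem" "$d/issuer.pem" "$d/updated.pem"
    chain_validates "$d/updated.pem" "$d/server.pem" \
        && echo "updated store: chain OK" || echo "updated store: validation FAILS"
    rm -rf "$d"
}

demo
```

<p>The same <code>openssl verify -CAfile</code> check works with a real root bundle and a saved server certificate.</p>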
<p>One last thing: if, like me, you wondered what the heck the new <em>beep beep</em>
sound during the call was, it turns out it's the "Secure Call Indication Tone". You
can turn it off by following <a href="https://wiki.voip.ms/article/Cisco_SPA112#Secure_Call_Indication_Tone">these instructions</a>.</p>
<div class="footnote">
<hr>
<ol>
<li id="fn:1">
<p>Yes, you heard that right: they have a lab on hand with tons of devices so
that they can help you debug your problems live. <a class="footnote-backref" href="#fnref:1" title="Jump back to footnote 1 in the text">↩</a></p>
</li>
</ol>
</div>