TLS SIP support on the Cisco SPA112 ATA

A few days ago, my SIP provider (the ever reliable VoIP.ms) rolled out TLS+SRTP support. As much as I like their service, it was about time.

Following their wiki, I was able to make my Android smartphone work with TLS. Sadly, the Android SIP stack does not support TLS and I had to migrate to Linphone. It's a small price to pay for greatly increased security, but the Linphone interface and integration to the rest of the OS isn't as good.

I did have a lot of trouble getting my old Cisco SPA112 ATA working with TLS though. Although I setup the device correctly, I couldn't get it to register.

As always, the VoIP.ms support staff was incredibly helpful and reproduced the error I was getting in their lab¹. Apparently, the trouble spawns from the latest firmware (1.4.1 SR3). After downgrading to 1.4.1 SR1, I was able to have the device successfully register with TLS.

Note that since SRTP is mandatory with TLS on VoIP.ms's servers, you'll need to active the Secure Call Serv option in the Line 1 menu and the Secure Call Setting in the User 1 menu in addition of changing the protocol and the port.

If like me you had the device running a more recent firmware version and want to downgrade, you will have to disable the HTTPS web interface since the snakeoil certificate used interferes with the firmware upgrade process.

2019-05-14 update

One of the changes in 1.4.1 SR3 firmware is that the SPA112 now validates TLS certificates, as per issue CSCvm49157 in the release notes. The problem I had with being unable to register the device was being caused by a missing Let’s Encrypt root certificate in its certificate store.

Thanks to Michael Davie for pointing this out to me! It turns out VoIP.ms also did their job and updated their documentation to include a section on adding a new root CA cert to the device. Sadly, the link they provide on their wiki is a plain HTTP one. I'd recommend you use the LE Root CA directly: https://letsencrypt.org/certs/isrgrootx1.pem.txt

One last thing: if like me you wondered what the heck was the new beep beep sound during the call, it turns out it's the "Secure Call Indication Tone". You can turn it off by following these instructions.