A few days ago, my SIP provider (the ever reliable VoIP.ms) rolled out TLS+SRTP support. As much as I like their service, it was about time.
Following their wiki, I was able to make my Android smartphone work with TLS. Sadly, the Android SIP stack does not support TLS and I had to migrate to Linphone. It's a small price to pay for greatly increased security, but the Linphone interface and integration to the rest of the OS isn't as good.
I did have a lot of trouble getting my old Cisco SPA112 ATA working with TLS though. Although I setup the device correctly, I couldn't get it to register.
As always, the VoIP.ms support staff was incredibly helpful and reproduced the error I was getting in their lab1. Apparently, the trouble spawns from the latest firmware (1.4.1 SR3). After downgrading to 1.4.1 SR1, I was able to have the device successfully register with TLS.
Note that since SRTP is mandatory with TLS on VoIP.ms's servers, you'll need to
Secure Call Serv option in the
Line 1 menu and the
Setting in the
User 1 menu in addition of changing the protocol and the port.
If like me you had the device running a more recent firmware version and want to downgrade, you will have to disable the HTTPS web interface since the snakeoil certificate used interferes with the firmware upgrade process.
One of the changes in 1.4.1 SR3 firmware is that the SPA112 now validates TLS certificates, as per issue CSCvm49157 in the release notes. The problem I had with being unable to register the device was being caused by a missing Let’s Encrypt root certificate in its certificate store.
Thanks to Michael Davie for pointing this out to me! It turns out VoIP.ms also
did their job and updated their documentation to include a section on
adding a new root CA cert to the device. Sadly, the link they provide on their
wiki is a plain HTTP one. I'd recommend you use the LE Root CA directly:
One last thing: if like me you wondered what the heck was the new beep beep sound during the call, it turns out it's the "Secure Call Indication Tone". You can turn it off by following these instructions.
Yes, you heard that right: they have a lab on hand with tons of devices so that they can help you debug your problems live. ↩