Does anybody have experience in setting SPA112/122 as an extension with TLS encryption? I’m able to register the device without encryption (UDP) as a pjsip extension but this doesn’t work when I enable TLS. I have no issues when using Zoiper on my Android device as a client.
The configuration changes that I’ve done on the SPA are:
Voice > Line1
SIP settings: SIP transport = TLS, SIP port = 5061
There is also the matter of importing the CA within SPA122. As the interface only allows me to introduce a link (Voice > Provisioning > CA Settings > Custom CA URL), how can I make my Let’s Encrypt certificate visible so that it can be imported by my SPA?
The issue is going to be the fact that this is now an EOL device and the last firmware update was in 2019. Starting in 2020 there was a mass push to deprecate and get rid of anything under TLS 1.1. Over the last two years they have introduced new algorithms and ciphers along with removing old versions of the same. In fact, Let’s Encrypt just had an older CA pulled on Oct 31st that still had TLS 1.1 and lower support.
So any device that hasn’t seen an update in the last two years that addresses this will not have compatibility with the newer certificates that are being issued. I have said this before but will keep saying it: using anything less than TLS 1.2 is considered insecure. There are known exploits and issues with the older SSL/TLS versions that will not be touched in those versions. That means anyone can exploit those things.
I know there are some providers or others out there that are enabling/running older versions of OpenSSL so they have TLS 1.1 or lower support. While that placates the users with older devices, this will not be something that can be sustained long term, as newer OpenSSL versions are removing that option and support. This means newer OS versions will not be able to support this.
So while there is this part of the road that you can still use older SSL/TLS it is not going to be a long stretch of road. That means people will need to make a choice, update to devices that support TLS1.2+, get into the non-TLS lane or pull off the road and never move forward again because it means losing support for older SSL/TLS.
Only one of those three options offers actual security.
TLS 1.2 was defined in RFC5246 in August 2008 while SPA112/122 v1.4.1SR5 firmware was released in October 2019. My feeling is that there should be no issue supporting TLS 1.2.
My problem is that I haven’t worked with SPA112 before and I’m not sure how to set it up for encryption.
That may be the case, but the facts are that there have been changes to TLS in the last two years. My previous posts cover this. The SPA112 doesn’t have current and proper CAs, and might be missing algorithms or ciphers that are being used now. There would need to be a firmware update to support these changes.
As for setting up the SPA112, you set it up just like you would if it was UDP, but you set the SIP Transport to TLS and use the TLS port the PBX is listening on in the Proxy field, so ipaddress:5061 for example. The TLS cert should be installed and used at the PBX; the phone shouldn’t need anything in that regard.
The TLS cert should be installed and used at the PBX; the phone shouldn’t need anything in that regard.
This is the missing piece of my puzzle. Since my SPA112 expects a link, which link should I put there so that the device is able to retrieve the certificate?
The certificate of the trusted root needs to be configured as “Custom CA”. Only a single CA can be configured as trusted at a time. Intermediate certificates, if necessary, need to be sent by the server during TLS setup.
Our roots are kept safely offline. We issue end-entity certificates to subscribers from the intermediates in the next section. For additional compatibility as we submit our new Root X2 to various root programs, we have also cross-signed it from Root X1.
How about when you don’t touch that, leave it alone and do a basic setup as I explained. TLS on a SPA112 worked fine the last time I used it. I didn’t touch the CA stuff.
Show some actual debugs from the system. We need to see what is happening. Also, the SIP Port setting in the SPA112 is what it listens on, not the port to connect to. As I previously said, the Proxy field where you put the IP of the PBX needs to have the port there. So if the IP is 192.168.1.10 then it’s 192.168.1.10:5061
The error you are getting is because the server and the client, in this case FreePBX and the SPA112, cannot complete the TLS handshake. One of the key reasons being one side does not support the same TLS versions.
While these both can support TLS1.2 one of these devices doesn’t have updates from the last two years.
Makes sense. I will try to fall back to TLS v1.1 and see if there is any improvement. I realize the security implications but this is a hobby project so there isn’t too much sensitive info sent around.
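Pulling the two halves of the thread together (the ATA settings from the replies above, and the PBX-side transport that decides which TLS versions and which certificate chain are offered), here is an added, illustrative configuration. It is not taken from the original posts or from files FreePBX generates; FreePBX writes the pjsip transport itself from Settings > Asterisk SIP Settings, and the file paths, IP addresses and the HTTP host used for the CA file are assumptions chosen for the example.

```ini
; --- Asterisk pjsip.conf, TLS transport (illustrative; FreePBX normally
; --- generates this section, so edit it through the GUI on a real system)
[transport-tls]
type=transport
protocol=tls
bind=0.0.0.0:5061
; Leaf certificate followed by the Let's Encrypt intermediate (the
; fullchain.pem layout). The intermediate must be sent by the server,
; because the SPA112 can only hold one trusted CA, which should be the root.
cert_file=/etc/asterisk/keys/pbx-fullchain.pem        ; assumed path
priv_key_file=/etc/asterisk/keys/pbx-privkey.pem      ; assumed path
; TLS version the transport negotiates. tlsv1_2 is the secure choice and is
; what an October 2019 SPA112 firmware should be able to speak. Setting this
; to tlsv1_1 (the fallback discussed above) accommodates an unpatched device
; at the cost of accepting a deprecated protocol version on the PBX.
method=tlsv1_2

; --- SPA112/122 side (web UI, not a file; shown here as comments)
;   Voice > Line 1 > SIP Settings:      SIP Transport = TLS
;   Voice > Line 1, Proxy field:        192.168.1.10:5061
;     (the port goes in the Proxy field; "SIP Port" is the ATA's own listening port)
;   Voice > Provisioning > CA Settings > Custom CA URL:
;     http://192.168.1.20/isrg-root-x1.pem
;     (assumed: an HTTP server on the LAN that serves only the root CA PEM,
;      e.g. the Let's Encrypt ISRG Root X1 file downloaded from letsencrypt.org;
;      the leaf and intermediate do not belong there)
```

Before changing `method`, it is worth confirming from a workstation which versions the PBX actually accepts, e.g. `openssl s_client -connect 192.168.1.10:5061 -tls1_2` and the same command with `-tls1_1`; a handshake that succeeds with one flag and fails with the other tells you whether the failure in the thread is a version mismatch or something else, such as the ATA rejecting the chain because it only trusts one CA and the intermediate is not being sent.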