CISCO SPA112/122 with TLS on FreePBX

Hi all,

Does anybody have experience in setting SPA112/122 as an extension with TLS encryption? I’m able to register the device without encryption (UDP) as a pjsip extension but this doesn’t work when I enable TLS. I have no issues when using Zoiper on my Android device as a client.

The configuration changes that I’ve done on the SPA are:

Voice > Line1
SIP settings: SIP transport = TLS, SIP port = 5061

There is also the matter of importing the CA within SPA122. As the interface only allows me to introduce a link (Voice > Provisioning > CA Settings > Custom CA URL), how can I make my Let’s Encrypt certificate visible so that it can be imported by my SPA?

Thanks!
Bogdan

What do the Custom CA Status fields show?

The issue is going to be the fact this is now an EOL device and the last firmware update was in 2019. Starting in 2020 there was a mass push to deprecate and get rid of anything under TLS1.1. Over the last two years they have introduced new algorithms and ciphers along with removing old versions of the same. In fact Let’s Encrypt just had an older CA pulled on Oct 31st that still had TLS1.1 and lower support.

So any device that hasn’t seen an update in the last two years that addresses this will not have the compatibility with newer certificates that are being issued. I have said this before but will keep saying this, using anything less than TLS1.2 is considered insecure. There are known exploits and issues with the older SSL/TLS versions that will not be touched in those versions. That means anyone can exploit those things.

I know there are some providers or others out there that are enabling/running older versions of OpenSSL so they have TLS1.1 or lower support. While that placates the users with older devices, this will not be something that can be sustained long term as newer OpenSSL versions are removing that option and support. This means newer OS versions will not be able to support this.

So while there is this part of the road that you can still use older SSL/TLS it is not going to be a long stretch of road. That means people will need to make a choice, update to devices that support TLS1.2+, get into the non-TLS lane or pull off the road and never move forward again because it means losing support for older SSL/TLS.

Only one of those three options offers actual security.


Thanks for the feedback.

According to https://www.cisco.com/c/en/us/td/docs/voice_ip_comm/csbpvga/spa100-200/release/spa100-rn-1-3-5.html we notice:

Changes in Firmware Version 1.3.5

For the Cisco SPA112/SPA122, following are the changes in the firmware version 1.3.5:

  • The open Secure Sockets Layer (SSL) open source library used in the ATA is upgraded to 1.0.1g in order to support TLS 1.2.
  • LED pattern added specifically for RC status in SPA122-RC to allow users to view and monitor the RC process.
  • The SIP parameter “Hook Flash MIME Type” is set to application/broadsoft so that the Broadsoft server recognizes the flashhook event.

The current FW release is 1.4.1 SR5 so TLS 1.2 support should already be implemented. Or am I missing something?

Yes, all the changes since then. It doesn't have the current changes and is missing newer pieces.

TLS 1.2 was defined in RFC5246 in August 2008 while SPA112/122 v1.4.1SR5 firmware was released in October 2019. My feeling is that there should be no issue supporting TLS 1.2.

My problem is that I haven’t worked with SPA112 before and I’m not sure how to set it up for encryption.

That may be the case but the facts are that there have been changes to TLS in the last two years. My previous posts cover this. The SPA112 doesn’t have current and proper CAs, and might be missing algorithms or ciphers that are being used now. There would need to be a firmware update to support these changes.

As for setting up the SPA112, you set it up just like you would if it was UDP but you set the SIP Transport to TLS and use the TLS port the PBX is listening on in the Proxy field, so ipaddress:5061 for example. The TLS cert should be installed and used at the PBX; the phone shouldn’t need anything in that regard.


The TLS cert should be installed and used at the PBX; the phone shouldn’t need anything in that regard.

This is the missing piece of my puzzle :wink: Since my SPA112 expects a link, which link should I put there so that the device is able to retrieve the certificate?

Unless you request to check the client’s certs, that should not be a problem; the client just needs to negotiate and accept the server’s cert.

I know, this is how Zoiper works. So basically I don’t need to put anything in Voice > Provisioning > CA Settings > Custom CA URL?

It doesn’t show anything much

image

Somebody from CISCO community advised:

Certificate of trusted root needs to be configured as “Custom CA”. Only single CA can be configured trusted at the same time. Intermediate certificates, if necessary, needs to be sent by server during TLS setup.

According to Let’s Encrypt

Our roots are kept safely offline. We issue end-entity certificates to subscribers from the intermediates in the next section. For additional compatibility as we submit our new Root X2 to various root programs, we have also cross-signed it from Root X1.

Any ideas?

Have you tried to set this up yet? And if so what issues are you actually having?

It’s not working. I tried to set my Custom CA URL to https://letsencrypt.org/certificates/ namely ISRG Root X1 (isrgrootx1.pem) but all I get is:

[2021-11-08 10:50:20] WARNING[1817]: pjproject: <?>: SSL SSL_ERROR_SSL (Handshake): Level: 0 err: <336151576> <SSL routines-ssl3_read_bytes-tlsv1 alert unknown ca> len: 0 peer: xx.xx.xx.xxx:5078

So the certificate isn’t working.

Anybody had any experience setting up SPA112 for FreePBX with TLS?

How about when you don’t touch that, leave it alone and do a basic setup as I explained. TLS on a SPA112 worked fine the last time I used it. I didn’t touch the CA stuff.

That’s what I did first. Didn’t work.

Started from scratch: Factory reset then account set-up

image

But…

image

And

image

Show some actual debugs from the system. We need to see what is happening. Also, the SIP Port setting in the SPA112 is what it listens on, not the port to connect to. As I previously said, the Proxy field where you put the IP of the PBX needs to have the port there. So if the IP is 192.168.1.10 then it’s 192.168.1.10:5061

Ok, noted and applied.

However SPA112 still doesn’t connect. Asterisk shows the following messages:

SSL SSL_ERROR_SSL (Handshake): Level: 0 err: <336151576> SSL routines-ssl3_read_bytes-tlsv1 alert unknown ca> en: 0 peer: xxx:5065

SSL routines-ssl3_read_bytes-tlsv1 alert unknown ca

I’ve set up the log modules as follows:

image

But the logs come out empty.

The error you are getting is because the server and the client, in this case FreePBX and the SPA112, cannot complete the TLS handshake. One of the key reasons is that one side does not support the same TLS versions.

While these both can support TLS1.2 one of these devices doesn’t have updates from the last two years.
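The pjproject warning quoted above carries more detail than the thread uses: the number in "err: <336151576>" is OpenSSL's packed error code (8-bit library, 12-bit function, 12-bit reason), and a libssl reason of 1000 plus N means an alert with description N was received from the peer. The decoder below is an added example written for this page, not code from the thread, FreePBX or Asterisk; it uses the alert numbers from RFC 5246 and OpenSSL's documented packing, and the two sample lines are the warnings quoted in the thread with the peer addresses anonymised as they appear there. Decoding 336151576 gives alert 48, unknown_ca, which is the ATA telling the PBX it does not trust the certificate chain it was sent; a pure TLS-version mismatch would normally surface as protocol_version (70) or handshake_failure (40) instead.

```python
import re

# OpenSSL 1.x packs an error code as 0xLLFFFRRR:
# 8-bit library number, 12-bit function number, 12-bit reason number.
ERR_LIB_SSL = 20            # library 0x14: libssl
ALERT_REASON_OFFSET = 1000  # SSL_AD_REASON_OFFSET: "tlsv1 alert X" reasons are 1000 + alert number

# TLS alert descriptions from RFC 5246, section 7.2 (subset relevant to handshakes).
TLS_ALERTS = {
    0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
    40: "handshake_failure", 42: "bad_certificate", 43: "unsupported_certificate",
    44: "certificate_revoked", 45: "certificate_expired", 46: "certificate_unknown",
    47: "illegal_parameter", 48: "unknown_ca", 49: "access_denied",
    50: "decode_error", 51: "decrypt_error", 70: "protocol_version",
    71: "insufficient_security", 80: "internal_error", 112: "unrecognized_name",
}

# Defender-side reading of the alert families most often seen on a PBX.
HINTS = {
    "certificate": "the peer rejected the certificate chain this side presented: "
                   "check that the peer trusts the issuing root and that the chain "
                   "sent includes every intermediate",
    "negotiation": "no protocol version or cipher suite was acceptable to both sides: "
                   "compare the minimum TLS version and cipher list on each end",
}
CERT_ALERTS = {42, 43, 44, 45, 46, 48}
NEGOTIATION_ALERTS = {40, 70, 71}

# Matches the "err: <N>" and "peer: host:port" fields of the pjproject warning line.
LOG_RE = re.compile(r"err:\s*<(?P<err>\d+)>.*?peer:\s*(?P<peer>\S+)")


def decode_openssl_error(code):
    """Split a packed OpenSSL error number into library, function and reason fields."""
    lib = (code >> 24) & 0xFF
    func = (code >> 12) & 0xFFF
    reason = code & 0xFFF
    alert = None
    if lib == ERR_LIB_SSL and reason >= ALERT_REASON_OFFSET:
        # A libssl reason in the 1000 range is an alert record received from the peer.
        alert = reason - ALERT_REASON_OFFSET
    return {"lib": lib, "func": func, "reason": reason, "alert": alert}


def explain_log_line(line):
    """Parse one pjproject SSL warning and report what the peer signalled."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    decoded = decode_openssl_error(int(m.group("err")))
    alert = decoded["alert"]
    result = {"peer": m.group("peer"), **decoded, "alert_name": None, "hint": None}
    if alert is not None:
        result["alert_name"] = TLS_ALERTS.get(alert, f"alert_{alert}")
        if alert in CERT_ALERTS:
            result["hint"] = HINTS["certificate"]
        elif alert in NEGOTIATION_ALERTS:
            result["hint"] = HINTS["negotiation"]
    return result


# Sample input: the two warnings quoted in the thread (peer addresses anonymised as posted).
SAMPLE_LOG = [
    "[2021-11-08 10:50:20] WARNING[1817]: pjproject: <?>: SSL SSL_ERROR_SSL (Handshake): "
    "Level: 0 err: <336151576> <SSL routines-ssl3_read_bytes-tlsv1 alert unknown ca> "
    "len: 0 peer: xx.xx.xx.xxx:5078",
    "SSL SSL_ERROR_SSL (Handshake): Level: 0 err: <336151576> SSL routines-ssl3_read_bytes-"
    "tlsv1 alert unknown ca> en: 0 peer: xxx:5065",
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        info = explain_log_line(line)
        print(f"peer {info['peer']}: lib={info['lib']} func={info['func']} "
              f"reason={info['reason']} -> TLS alert {info['alert']} ({info['alert_name']})")
        print(f"  {info['hint']}")
```

Run it against a full Asterisk log to group handshake failures by peer and alert type; a certificate alert from a specific ATA points at the trust store on that device (or a chain missing its intermediate), whereas protocol_version or handshake_failure alerts point at the version and cipher settings on one of the two ends.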

Makes sense. I will try to fall back to TLS v1.1 and see if there is any improvement. I realize the security implications but this is a hobby project so there isn’t too much sensitive info sent around.