I don’t have a good strategy for TLS but believe that a good one is possible and would very much like to discuss it.
HTTPS for admin GUI and UCP is no problem; all modern browsers support SNI.
HTTPS for provisioning is an issue for some older devices without SNI. I believe that using HTTP with encrypted content is an adequate workaround; nearly all devices made in the last 15 years support it.
SIP over TLS is the big issue. I’d like to find a survey of IP phones, ATAs, softphones and SIP apps detailing which TLS features are supported. Requiring a client cert signed by the org is best, as that also defends against targeted attacks. SNI would be next best, but I suspect that most devices that don’t support the client cert don’t support SNI either.
Any ideas in this area would be most welcome.
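Added example, not part of the post above and not code from any product it refers to: the SIP-over-TLS policy the poster describes, a listener that selects its certificate from the name the device sends in SNI and requires a device certificate signed by the organisation's own CA, written in Go against the standard library. The CA, server and device certificates, the names sip.example.org, sip.example.net and phone-0001, and the four scenarios are all constructed here for illustration. Each scenario runs a real handshake over loopback TCP and returns the listener's verdict: nil when the device presents an org-issued certificate and asks for a served name; an error for a device with no certificate, for one whose certificate comes from an unrelated CA (the targeted-attack case), and for one asking for an SNI the listener does not serve.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"net"
	"time"
)

// must turns setup failures (bugs in this example, not scenario outcomes) into panics.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue generates a P-256 key and a certificate for a CA (isCA), a SIP server (dnsName set)
// or a device (neither); self-signed when signer is nil. Serials are hand-picked for brevity.
func issue(serial int64, cn string, isCA bool, dnsName string, signer *tls.Certificate) tls.Certificate {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn}, IsCA: isCA,
		BasicConstraintsValid: true, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	if isCA {
		tmpl.KeyUsage = x509.KeyUsageCertSign
	} else if dnsName != "" {
		tmpl.DNSNames, tmpl.ExtKeyUsage = []string{dnsName}, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	}
	if signer == nil {
		signer = &tls.Certificate{Leaf: tmpl, PrivateKey: key} // a root CA signs itself
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, signer.Leaf, &key.PublicKey, signer.PrivateKey))
	// Leaf is kept so the result can itself be passed as signer for later certificates.
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: must(x509.ParseCertificate(der))}
}

// serverConfig is the SIP-over-TLS listener: certificate chosen by SNI, org-issued device cert required.
func serverConfig(byName map[string]tls.Certificate, orgCA *x509.CertPool) *tls.Config {
	return &tls.Config{
		ClientAuth: tls.RequireAndVerifyClientCert, // no certificate chaining to orgCA, no session
		ClientCAs:  orgCA,
		GetCertificate: func(hello *tls.ClientHelloInfo) (*tls.Certificate, error) {
			if c, ok := byName[hello.ServerName]; ok {
				return &c, nil
			}
			return nil, fmt.Errorf("no certificate for SNI %q", hello.ServerName)
		},
	}
}

// handshake runs one handshake over loopback TCP; nil means both listener and device completed it.
func handshake(srvCfg, cliCfg *tls.Config) error {
	ln := must(net.Listen("tcp", "127.0.0.1:0"))
	defer ln.Close()
	srvErr := make(chan error, 1)
	go func() {
		srv := tls.Server(must(ln.Accept()), srvCfg)
		defer srv.Close()
		srvErr <- srv.Handshake()
	}()
	conn := must(net.Dial("tcp", ln.Addr().String()))
	defer conn.Close()
	cliErr := tls.Client(conn, cliCfg).Handshake()
	return errors.Join(<-srvErr, cliErr) // the listener's reason for refusing comes first
}

// RunScenarios builds the hypothetical org PKI and returns the listener's verdict per scenario.
func RunScenarios() map[string]error {
	orgCA := issue(1, "Example Org Device CA", true, "", nil)
	otherCA := issue(1, "Unrelated CA", true, "", nil) // not trusted by the listener
	sipServer := issue(2, "sip.example.org", false, "sip.example.org", &orgCA)
	phone := issue(3, "phone-0001", false, "", &orgCA)
	stranger := issue(4, "phone-0001", false, "", &otherCA) // same name, wrong issuer
	orgPool := x509.NewCertPool()
	orgPool.AddCert(orgCA.Leaf)
	srv := serverConfig(map[string]tls.Certificate{"sip.example.org": sipServer}, orgPool)
	device := func(sni string, cert tls.Certificate) *tls.Config { // presents cert as-is, like a real phone
		return &tls.Config{ServerName: sni, RootCAs: orgPool,
			GetClientCertificate: func(*tls.CertificateRequestInfo) (*tls.Certificate, error) { return &cert, nil }}
	}
	return map[string]error{
		"org device, correct SNI":       handshake(srv, device("sip.example.org", phone)),
		"no device certificate":         handshake(srv, device("sip.example.org", tls.Certificate{})),
		"device cert from unrelated CA": handshake(srv, device("sip.example.org", stranger)),
		"SNI for a name not served":     handshake(srv, device("sip.example.net", phone)),
	}
}

func main() { fmt.Println(RunScenarios()) }
```

`go run` prints the map of verdicts; the accepted scenario shows as `<nil>`. Two design points worth noting. The device side uses `GetClientCertificate` so that it sends whatever certificate it was given, the way a phone does; Go's default client would silently withhold a certificate whose issuer is not in the server's advertised CA list, which would disguise the unrelated-CA case as "no certificate". And a legacy device that sends no SNI at all lands in the same `GetCertificate` branch as the unknown-name case, so that branch is where a fallback default certificate would go if such devices must still be served.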