Sangoma S series - TLS ciphers incompatibility

Hello,
I have a Sangoma S500.
There is a problem with its firmware about TLS: the phone seems to not be compatible with the latest TLS ciphers.

For me the problem happens when I try to configure autoprovisioning.
If I set the phone to provision on my FreePBX using HTTP, there is no problem.
But I’m trying to do autoprovisioning with HTTPS. My FreePBX server is behind a reverse proxy with classic but strong TLS and cipher configuration.
If I configure autoprovisioning using my proxy HTTPS address which is proxying to my FreePBX server on HTTP port 84, the provisioning doesn’t work.

So I did a packet capture with Wireshark of my Sangoma S500 booting.
I can see it’s trying to connect to my HTTPS address on my proxy, but it fails during the TLS initial handshake.
By looking at the capture I can see that the Sangoma S500 advertises those ciphers during the client hello in this handshake:

  • TLS_RSA_WITH_AES_256_CBC_SHA256 (0x003d)
  • TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
  • TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)

But those ciphers are considered weak and are not supposed to be used anymore.
For reference here are the supported recent ciphers on my proxy:

  • TLS_AES_128_GCM_SHA256 (0x1301)
  • TLS_AES_256_GCM_SHA384 (0x1302)
  • TLS_CHACHA20_POLY1305_SHA256 (0x1303)
    or
  • TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b)
  • TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02c)
  • TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 (0xcca9)

Does someone know if there is a solution for this?
Could someone at Sangoma make a new firmware / update ?

I can give packet capture if needed.

Thanks

The S500 was EOL 8 years ago now. The 505 replaced it. Doubt anyone would offer firmware for a phone that was EOL 8 years ago.

I know the S500 is old, but it looks like Sangoma releases firmware for the entire S series product range at the same time, S500 and S505 included: Phone Firmware Release Notes
So I think this problem is also present in the S505. If someone could do a packet capture of the S505 autoprovisioning we could verify.
The latest update is only 1 year ago.
I think this is a security issue because this problem means that Sangoma S series phones use vulnerable TLS communication (probably not only for provisioning).

I think only @lgaetz could answer if they are still doing new firmware for any of the S Series phones since they were officially End of Life a year or more ago now.

All S series devices are EOL, the last of them in late 2022.

There will be no firmware releases for new features/enhancements.

It’s unlikely to find firmware support for a phone that reached its end of life (EOL) eight years ago, especially since it was replaced by a newer model.

Ok thanks for your answers.
At least this thread documents the problem so future people will understand why those phones cannot connect on newer HTTPS site/provisioning (it took me hours to find why it was not working).

I will try to have a look at the latest firmware, we are able to decompress it with “binwalk -e” but I have very little hope.

Once I have everything working, I never update, never ever. Update just breaks things that were once working.

I have both S500 and S505 deployed on a system that are currently using 3.0.4.88 (November 5, 2017).

TLS provisioning is working on that firmware version.

So you just basically stated you are going to reverse engineer the firmware in a public forum for a company whose End User License states you are not allowed to do such a thing?

I did not see this as reverse engineering (which is by the way legal in my country for compatibility reasons). If this is a problem I will not do this (I do not have the time for this either).

Not sure what country you are in but “most” countries allow for reverse engineering unless Terms of Service explicitly do not allow for it. That is something that you and your lawyer would have to determine the legality of and also did Sangoma export to your country or did you choose to import and when you import the laws of the Terms of Service you agree to and the country in which those Terms of Service are drawn under would have venue.

I will not try this, even if I think this is a shitty move from a company.

I did not say you can’t do it. I just said you need to understand your terms of service and what the laws are. Every country and needs are different. I was posting in general since you posted about decompiling the firmware and others will read this. I don’t work or speak for Sangoma but I know their end user license agreements very well.

In any case I thank you for pointing out these legal terms (honestly I did not think about this at all in the first place).

The EU provides a limited right to reverse engineer that can only be avoided by providing legitimate and reasonable means of obtaining the information that is allowed to be obtained by reverse engineering. It is intended to prevent the creation of anti-competitive, closed ecosystems, not to enable re-implementation, and doesn’t give the right to publish the information obtained.

At least that’s how I remember it, although I’ve never been involved in taking advantage of it.

I assume this is still in UK legislation.

The article 5 part of this seems to apply to black box reverse engineering, which is something people are often advised to do in these forums (if you want to know performance, benchmark; if you want to know fine details of behaviour, try test cases).