Yealink Forums

T20 TLS Config - Common Name Validation
I believe I have found a defect in the Yealink T20 X.509 CN validation process. Is a workaround possible?

I have a Yealink T20 with the following configuration:
Quote:
Firmware Version -
Hardware Version -
Register Name - 52
User Name - 52
Outbound Proxy - Enabled
Outbound Proxy Server - ekahau.nh.local
Transport - TLS
Sip Server 1/Server Host - ekahau.nh.local

I have configured the device with a CA which authenticates the following server certificate...
Version: 3 (0x2)
Serial Number: 30 (0x1e)
Signature Algorithm: sha1WithRSAEncryption
Issuer: O=Network Harbor Inc, OU=Software Testing CA
Not Before: Oct 8 14:59:03 2014 GMT
Not After : Oct 7 14:59:03 2016 GMT
Subject: CN=ekahau.nh.local, O=nh.local, OU=Software Testing CA
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
X509v3 Subject Key Identifier:
01:16:8B:99:64:DE:15:79:82:52:BE:FD:C2:F1:A9:95:D2:76:C0:18
X509v3 Authority Key Identifier:
keyid:A4:9C:73:D4:A9:3B:33:26:DA:34:78:DA:49:45:D1:77:77:B2:09:4A

X509v3 Key Usage:
Digital Signature, Key Encipherment
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication,
X509v3 Subject Alternative Name:
Signature Algorithm: sha1WithRSAEncryption

If I set the following parameters under the Security tab, the device registers and handles calls correctly.
Quote:
Only Accept Trusted Certificates - Enabled
Common Name Validation - Disabled
CA Certificates - Custom Certificates

However, if I switch Common Name Validation to Enabled, the device will not register. When I inspect the device's syslog, I find the following entries.
Quote:
Oct 8 15:20:46 SIP [493]: SDL <6+info > [001] SSL_connect succeeded
Oct 8 15:20:46 SIP [493]: SDL <6+info > [001] SSL_is_init_finished done
Oct 8 15:20:46 SIP [493]: SDL <6+info > [001] tls_connect: remote certificate: subject:/CN=ekahau.nh.local/O=nh.local/OU=Software Testing CA
Oct 8 15:20:46 SIP [493]: SDL <6+info > [001] tls_connect: remote certificate: issuer: /O=Network Harbor Inc/OU=Software Testing CA
Oct 8 15:20:46 SIP [493]: SDL <3+error > [001] Common name and subject alt name doesn't match host name
Oct 8 15:20:46 SIP [493]: SDL <5+notice> [001] common_name:ekahau.nh.local subject_alt_name:
Oct 8 15:20:46 SIP [493]: SDL <6+info > [001] Message sent: ...

For my applications, the ability to validate server certificates is highly desired. Please advise.
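The syslog above shows the phone comparing the host name against the certificate's common name and an empty subject alternative name list. The following is an added example, not code from the thread or from Yealink: a small RFC 6125-style host name matcher in pure Python, operating on the dictionary shape that `ssl.getpeercert()` returns, with three selectable policies for when the subject CN may be consulted. The certificate dictionaries are constructed from the dump in the post (CN=ekahau.nh.local, SAN extension present but without dNSName entries); which policy the T20 firmware actually implements is not stated in the thread, so the policies are assumptions that only show where implementations can disagree on this certificate.

```python
"""Host name matching against an X.509 certificate, in the ssl.getpeercert() dict shape.

Added illustrative code. Policies (assumed, not Yealink's documented behaviour):
  "when_no_dns_san"  - RFC 6125: use CN only if the cert carries no dNSName SAN entries
  "when_san_absent"  - stricter: use CN only if the SAN extension is absent altogether
  "never"            - CN is ignored entirely (modern browser / CA/B Forum behaviour)
"""
from __future__ import annotations


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """Case-insensitive DNS-ID match; a wildcard is allowed only as the whole leftmost label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    # Reject "*.local"-style patterns (too broad) and wildcards embedded in a label.
    if len(p_labels) < 3 or len(p_labels) != len(h_labels) or p_labels[0] != "*":
        return False
    return p_labels[1:] == h_labels[1:]


def san_dns_names(cert: dict) -> list[str]:
    """dNSName entries of the subjectAltName extension (empty if none)."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def subject_common_names(cert: dict) -> list[str]:
    """All commonName attributes of the subject (RFC 6125 allows more than one)."""
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]


def match_hostname(cert: dict, hostname: str, cn_policy: str = "when_no_dns_san") -> tuple[bool, str]:
    """Return (accepted, reason) for a peer certificate and the host name that was dialled."""
    dns_ids = san_dns_names(cert)
    for name in dns_ids:
        if dns_name_matches(name, hostname):
            return True, f"matched subjectAltName dNSName {name!r}"
    if dns_ids:
        # SAN has DNS entries and none matched: CN must not be used as a second chance.
        return False, "subjectAltName dNSName entries present but none matched"
    if cn_policy == "never":
        return False, "no dNSName in subjectAltName; CN fallback disabled"
    if cn_policy == "when_san_absent" and "subjectAltName" in cert:
        return False, "subjectAltName extension present (empty); CN fallback not allowed"
    for cn in subject_common_names(cert):
        if dns_name_matches(cn, hostname):
            return True, f"matched commonName {cn!r} by fallback"
    return False, "neither subjectAltName nor commonName matched"


# Constructed from the certificate dump in the post: CN only, SAN extension present but empty.
PHONE_SERVER_CERT = {
    "subject": ((("commonName", "ekahau.nh.local"),), (("organizationName", "nh.local"),),
                (("organizationalUnitName", "Software Testing CA"),)),
    "subjectAltName": (),
}

# Constructed: how the same server certificate would look if reissued with a dNSName SAN.
PHONE_SERVER_CERT_WITH_SAN = dict(PHONE_SERVER_CERT, subjectAltName=(("DNS", "ekahau.nh.local"),))


def policy_report(cert: dict, hostname: str) -> dict[str, bool]:
    """Which of the three CN policies would accept this cert for this host name."""
    return {p: match_hostname(cert, hostname, p)[0] for p in ("when_no_dns_san", "when_san_absent", "never")}


if __name__ == "__main__":
    for label, cert in (("CN only", PHONE_SERVER_CERT), ("with SAN", PHONE_SERVER_CERT_WITH_SAN)):
        print(label, policy_report(cert, "ekahau.nh.local"))
```

Running the block shows the CN-only certificate from the post accepted under the RFC 6125 fallback policy and rejected under the two stricter ones, while the variant carrying a dNSName SAN is accepted under all three. Whatever a given client firmware does, a server certificate that names the SIP host in a dNSName SAN matches under every policy, which is why issuing the proxy certificate with a SAN is the durable configuration.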
Hi Janeuner,

Firstly please upgrade to V73 firmware and check again.

If the problem persists, please get a pcap/config.bin/level 6 syslog. Our R&D will do an analysis.

Today's V73 beta firmware did the job. Thanks!