Yealink Forums

Full Version: T20 TLS Config - Common Name Validation
I believe I have found a defect in the Yealink T20 X.509 CN validation process. Is a workaround possible?

I have a Yealink T20 with the following configuration:
Quote:Firmware Version - 9.71.0.140
Hardware Version - 7.0.1.61
Register Name - 52
User Name - 52
Outbound Proxy - Enabled
Outbound Proxy Server - ekahau.nh.local
Transport - TLS
Sip Server 1/Server Host - ekahau.nh.local

I have configured the device with a CA which authenticates the following server certificate...
Quote:Certificate:
Data:
Version: 3 (0x2)
Serial Number: 30 (0x1e)
Signature Algorithm: sha1WithRSAEncryption
Issuer: O=Network Harbor Inc, OU=Software Testing CA
Validity
Not Before: Oct 8 14:59:03 2014 GMT
Not After : Oct 7 14:59:03 2016 GMT
Subject: CN=ekahau.nh.local, O=nh.local, OU=Software Testing CA
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
*snip*
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
X509v3 Subject Key Identifier:
01:16:8B:99:64:DE:15:79:82:52:BE:FD:C2:F1:A9:95:D2:76:C0:18
X509v3 Authority Key Identifier:
keyid:A4:9C:73:D4:A9:3B:33:26:DA:34:78:DA:49:45:D1:77:77:B2:09:4A

X509v3 Key Usage:
Digital Signature, Key Encipherment
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication, 1.3.6.1.5.5.7.3.20
X509v3 Subject Alternative Name:
DNS:ekahau.nh.local
Signature Algorithm: sha1WithRSAEncryption
*snip*

If I set the following parameters under the Security tab, the device registers and handles calls correctly.
Quote:Only Accept Trusted Certificates - Enabled
Common Name Validation - Disabled
CA Certificates - Custom Certificates

However, if I switch Common Name Validation to Enabled, the device will not register. When I inspect the device's syslog, I find the following entries.
Quote:Oct 8 15:20:46 SIP [493]: SDL <6+info > [001] SSL_connect succeeded
Oct 8 15:20:46 SIP [493]: SDL <6+info > [001] SSL_is_init_finished done
Oct 8 15:20:46 SIP [493]: SDL <6+info > [001] tls_connect: remote certificate: subject:/CN=ekahau.nh.local/O=nh.local/OU=Software Testing CA
Oct 8 15:20:46 SIP [493]: SDL <6+info > [001] tls_connect: remote certificate: issuer: /O=Network Harbor Inc/OU=Software Testing CA
Oct 8 15:20:46 SIP [493]: SDL <3+error > [001] Common name and subject alt name doesn't match host name
Oct 8 15:20:46 SIP [493]: SDL <5+notice> [001] common_name:ekahau.nh.local subject_alt_name:
Oct 8 15:20:46 SIP [493]: SDL <6+info > [001] Message sent: ...

For my applications, the ability to validate server certificates is highly desired. Please advise.
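The check the phone's syslog is reporting on is standard server-identity matching: a validator compares the host it connected to against the certificate's dNSName SAN entries and falls back to the CN only when no SAN is present. The following matcher is an added example, not the original post's or Yealink's code; it works on already-parsed fields (CN string and SAN dNSName list, constructed here from the certificate quoted above) rather than a real certificate, so it runs offline.

```python
"""Hostname matching against parsed X.509 server-certificate fields
(RFC 6125 / RFC 2818 rules). Added example, not Yealink firmware code."""
from __future__ import annotations
import re


def _match_name(pattern: str, host: str) -> bool:
    """Match one dNSName pattern against a host. Comparison is
    case-insensitive; a single wildcard is allowed only in the leftmost
    label, never spans a dot, and never matches a two-label name."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    if len(p_labels) != len(h_labels) or len(p_labels) < 3:
        return False
    if "*" in "".join(p_labels[1:]) or p_labels[1:] != h_labels[1:]:
        return False
    regex = re.escape(p_labels[0]).replace(r"\*", "[^.]*")
    return re.fullmatch(regex, h_labels[0]) is not None


def hostname_matches(host: str, common_name: str, san_dns: list[str]) -> bool:
    """If the certificate carries any dNSName SAN, only the SAN list is
    consulted; the CN is a legacy fallback used when no SAN exists."""
    if san_dns:
        return any(_match_name(name, host) for name in san_dns)
    return _match_name(common_name, host) if common_name else False


# Constructed from the certificate quoted in the post (CN and SAN only).
CERT_CN = "ekahau.nh.local"
CERT_SAN = ["ekahau.nh.local"]


def check_phone_case() -> dict:
    """Contrast a correct check with what the syslog shows: the phone logged
    an empty subject_alt_name, i.e. it did not read the DNS SAN entry."""
    return {
        # Full certificate as issued: SAN matches the configured server host.
        "correct": hostname_matches("ekahau.nh.local", CERT_CN, CERT_SAN),
        # Even with the SAN lost, a CN fallback would still have matched.
        "cn_fallback": hostname_matches("ekahau.nh.local", CERT_CN, []),
        # A different host must be rejected regardless of CN.
        "wrong_host": hostname_matches("pbx.nh.local", CERT_CN, CERT_SAN),
    }
```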
Hi Janeuner,

Firstly please upgrade to V73 firmware and check again.
http://forum.yealink.com/forum/announcements.php?aid=8

If the problem persists, please get a pcap/config.bin/level 6 syslog. Our R&D will do an analysis.
http://forum.yealink.com/forum/showthread.php?tid=1319

Regards,
James
Today's V73 beta firmware did the job. Thanks!