Yealink Forums

Full Version: Establishing mutual TLS with Kamailio
I have a Yealink T32G phone with firmware 32.70.23.6.
I am trying to configure the phone to use TLS with a Kamailio proxy.
I was able to successfully configure TLS authentication by entering the CA of my Kamailio server in the Trusted Certificates of the Yealink phone.
Now I would like to switch to mutual TLS. To do this I would need to have the Yealink CA that has trusted the phone's pre-installed certificate.
Where can I download this Certificate Authority?

Thanks
Marco
Hi Marco,

I attach the certificate; please check.

Regards,
James
Thanks for the quick response.

I imported the certificate that you have kindly provided me, but I still have connection problems.
It seems that the Yealink phone does not provide its certificate to the server during the TLS handshake; in fact, I get the following error from the Kamailio logs:
"ERROR: tls [tls_server.c 1186]: tls_read_f (): TLS accept: error: 140890C7: SSL routines: SSL3_GET_CLIENT_CERTIFICATE: peer did not return a certificate".

I tried to export the phone certificate from the phone's HTTPS web interface, and I got the certificate that you can find attached.
If I try to verify this certificate using the CA you provided me, I get the error:
"error 20 at 0 depth lookup: unable to get local issuer certificate"

Must I also import some intermediate CA?
Do I need to set something in particular on the phone?

Thanks again
Marco
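
The verification failure quoted in the post above can be reproduced on a constructed chain. This is an added example, not part of the original thread and not Yealink's actual PKI; the three-tier layout, file names and subject names are assumptions made for illustration.

```shell
#!/bin/sh
# Constructed demo PKI: root CA -> issuing CA -> device certificate.
# Every name and file here is made up; nothing comes from a real phone.

new_csr() {   # new_csr <dir> <name> <CN>: fresh key plus CSR
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$3" \
        -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
}

build_demo_pki() {   # build_demo_pki <dir>
    d=$1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$d/ca.ext"
    new_csr "$d" root "Demo Root CA" &&
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 30 \
        -extfile "$d/ca.ext" -out "$d/root.pem" 2>/dev/null &&
    new_csr "$d" inter "Demo Issuing CA" &&
    openssl x509 -req -in "$d/inter.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -CAcreateserial -days 30 -extfile "$d/ca.ext" -out "$d/inter.pem" 2>/dev/null &&
    new_csr "$d" device "demo-phone" &&
    openssl x509 -req -in "$d/device.csr" -CA "$d/inter.pem" -CAkey "$d/inter.key" \
        -CAcreateserial -days 30 -out "$d/device.pem" 2>/dev/null
}

# verify_chain <trusted root> <cert> [intermediate]
# The intermediate is passed as -untrusted: a chain-building hint, not a trust anchor.
verify_chain() {
    if [ "$#" -ge 3 ]; then
        openssl verify -CAfile "$1" -untrusted "$3" "$2" 2>&1
    else
        openssl verify -CAfile "$1" "$2" 2>&1
    fi
}

# name_of <issuer|subject> <cert>: the DN only, so issuer and subject can be compared
name_of() { openssl x509 -noout "-$1" -in "$2" | sed 's/^[a-z]*= *//'; }

demo() {
    d=$(mktemp -d) || return 1
    build_demo_pki "$d" || { rm -rf "$d"; return 1; }
    echo "== root only (the situation in the post) =="
    verify_chain "$d/root.pem" "$d/device.pem" || true
    echo "== root plus issuing CA =="
    verify_chain "$d/root.pem" "$d/device.pem" "$d/inter.pem"
    echo "device issuer: $(name_of issuer "$d/device.pem")"
    echo "root subject:  $(name_of subject "$d/root.pem")"
    rm -rf "$d"
}
demo
```

When the issuer printed for a device certificate does not match the subject of any CA certificate at hand, error 20 is the expected result until the issuing CA is supplied.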
Is there any update on this?

Thanks
Marco
Hi Marco,

Sorry for the late reply.
Does the error occur when you register through TLS or when you do an autoprovision through HTTPS?
Can you set the phone syslog to 6, reproduce the issue, then send the log to us?

Regards,
James
Hi James,

I was able to successfully configure TLS authentication by entering the CA of my Kamailio server in the Trusted Certificates of Yealink phones.

The error occurs instead when I try to switch to mutual TLS.

As you requested, I am attaching the exported syslog at level 6.

Regards,
Marco
Is there any update on this?

Thanks
Marco
Hi Marco,

From the syslog it seems that the phone can't read the client certificate. Please make sure that the "Device Certificate" is set to "Default Certificate" under Security -> Server Certificate.

If the default certificate doesn't work either, can you generate a new server certificate and client certificate, import them to the server/phone, then check again?

Regards,
James
In the phone's web interface there is no "Device Certificate" parameter under "Security -> Server Certificate" (see attached screenshot).

I would like to remind you that the phone currently has firmware "32.70.X".
Does this version support device certificates? Or is version "32.71.X" or "32.72.X" needed?
In the latter case, where can I find this firmware?

Thanks again for the support.
Marco
Marco,

Please import this certificate under Security -> Server Certificate and check again.

The firmware may not have a built-in client certificate.

Regards,
James