Yealink Forums

Full Version: About HTTPS certificates and trust
Our provisioning web server has a RapidSSL RSA wildcard certificate, which is trusted by Yealink phones by default. Our DHCP server sends OPTION 43 with an https link. Everything is working well: we unbox a new phone, connect it to the network and voilà, no need to log on to the phone's web interface.

But our RSA certificate will expire soon. We decided to switch to a Let's Encrypt ECC certificate. As far as I can see, Yealink phones by default have the LE root cert "DST Root CA X3", but not the intermediate "Let's Encrypt Authority X3".

What should I do about that? Set security.trust_certificates = 0? Add this intermediate CA certificate to Trusted?
But how will new phones get these settings without access to the provisioning web server?


And another related question, about the format of trusted_certificates.url.
What is the solution when I need to add two (or three, or four) root certificates to Trusted? Should I add them all to one file, like a chain file? But these certs are from different CAs.
(05-24-2018 08:41 AM)TrK Wrote: [...]

Dear customer,

For this case, please find my answers below:
1. The root CA exists, so please ask the server provider to send the sub-CA to the phone when it asks for authentication
2. For the parameter, please create separate parameters for different CAs:
static.trusted_certificates.url = http://10.91.80.50:8080/1.cer
static.trusted_certificates.url = http://10.91.80.50:8080/2.cer

Any questions, feel free to let me know.

Regards,
Travis
(06-01-2018 02:19 AM)Travis Wrote: 1. The root CA exists, so please ask the server provider to send the sub-CA to the phone when it asks for authentication

Tried the new wildcard ECC cert from LE; the phone cannot provision, error in the phone log:

Code:
<134>Jun  1 10:38:16 ATP [1206]: DURL<6+info  > [DCMN]I will write to file: /tmp/xxx.cfg
<134>Jun  1 10:38:17 ATP [1206]: DURL<6+info  > [DCMN]CURL Info: TLSv1.2 (OUT), TLS handshake, Client hello (1):
<134>Jun  1 10:38:17 ATP [1206]: DURL<6+info  > [DCMN]CURL Info: Unknown SSL protocol error in connection to company.com:443
<134>Jun  1 10:38:17 ATP [1206]: DURL<6+info  > [DCMN]Connect is short Cleanup curl.
<131>Jun  1 10:38:17 ATP [1206]: DURL<3+error > [DCMN]download common error, errcode:35.
<134>Jun  1 10:38:17 ATP [1206]: DURL<6+info  > [DCMN]download common error, remove file.
<131>Jun  1 10:38:17 ATP [1206]: ATP <3+error > https to file failed, code = -135, msg = , retry = 1
(06-01-2018 10:50 AM)TrK Wrote: [...]


Dear customer,

According to your reply, I'm afraid the cause of this issue is that the cipher you are using is not in the list of 19 supported ciphers. (See attachment)

Solution:
1. Change the cipher to a supported one
2. Use http

By the way, we will enhance our ciphers in V84, scheduled around Sep 2018; if you want, please tell me which cipher you are using now, or provide me a PCAP, and I will check for you whether it's on our V84 list.

Any questions, feel free to let me know.

Regards,
Yealink_Travis
(06-04-2018 01:58 AM)Travis Wrote: [...]

Oh, I see.
With the new LE certificate the server only uses TLS_ECDHE_ECDSA ciphers, so no RSA or DHE.
No, we cannot use http :-(.
So, we have some time before the current certificate expires; waiting for v84.

By the way, what about the same firmware updates for the W56 and W60 bases? We use them too.
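A pre-flight check for the two failure modes discussed in this thread (the phone trusts only the root, so the server must send the intermediate; an ECC leaf forces ECDHE-ECDSA suites that the pre-V84 firmware does not offer, so the handshake aborts with curl error 35), as an added example that is not from the thread or from Yealink. The certificate descriptors and cipher lists are constructed sample data, and `preflight`, `chain_reaches_root` and `usable_suites` are assumed names.

```python
"""Pre-flight check before swapping a provisioning server's certificate (added example).
Models the thread's two failure modes: the phone trusts only the root, so the server
must send the intermediate; and an ECC leaf forces ECDHE-ECDSA suites that the pre-V84
firmware lacks, so the handshake aborts (curl error 35). All data below is constructed."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    key_type: str  # "RSA" or "EC"

def chain_reaches_root(sent_chain, trusted_roots):
    """Walk issuer links from the leaf (sent_chain[0]) until a trusted root is hit.
    If the server omits its intermediate, the leaf's issuer resolves to nothing -> False."""
    pool = {c.subject: c for c in sent_chain}
    pool.update({r.subject: r for r in trusted_roots})
    roots = {r.subject for r in trusted_roots}
    cur, seen = sent_chain[0], set()
    while cur is not None and cur.subject not in seen:
        if cur.subject in roots:
            return True
        seen.add(cur.subject)
        cur = pool.get(cur.issuer)
    return False

def usable_suites(server_suites, client_suites, leaf_key_type):
    """Suites both sides list AND that the server can authenticate with its leaf key.
    An EC leaf can only serve *_ECDSA_* suites, whatever else the server config lists."""
    auth = {"RSA": "RSA", "EC": "ECDSA"}[leaf_key_type]
    def auth_of(suite):  # TLS_ECDHE_ECDSA_WITH_... -> ECDSA, TLS_DHE_RSA_WITH_... -> RSA
        return suite.split("_WITH_")[0].split("_")[-1]
    return [s for s in client_suites if s in server_suites and auth_of(s) == auth]

def preflight(sent_chain, trusted_roots, server_suites, client_suites):
    """Reasons the phone would fail to fetch its config over HTTPS (empty list = OK)."""
    problems = []
    if not chain_reaches_root(sent_chain, trusted_roots):
        problems.append("chain does not reach a trusted root: send the intermediate")
    if not usable_suites(server_suites, client_suites, sent_chain[0].key_type):
        problems.append("no common cipher suite for this leaf key type: handshake fails")
    return problems

# Constructed sample data: phone ships only the root and RSA-authenticated suites; server has an ECC LE leaf.
PHONE_ROOTS = [Cert("DST Root CA X3", "DST Root CA X3", "RSA")]
LE_INTERMEDIATE = Cert("Let's Encrypt Authority X3", "DST Root CA X3", "RSA")
ECC_LEAF = Cert("*.company.com", "Let's Encrypt Authority X3", "EC")
RSA_LEAF = Cert("*.company.com", "Let's Encrypt Authority X3", "RSA")
PHONE_SUITES = ["TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_DHE_RSA_WITH_AES_256_CBC_SHA"]
SERVER_SUITES = ["TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"]
```

Running `preflight([ECC_LEAF, LE_INTERMEDIATE], PHONE_ROOTS, SERVER_SUITES, PHONE_SUITES)` reports the cipher mismatch alone, while the same call with `RSA_LEAF` returns an empty list, which is why the RSA certificate worked and the ECC one did not.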
(06-04-2018 03:22 AM)TrK Wrote: [...]


Dear customer,

I am sorry, the V84 supported models are as below:
1. T2X (besides T27P, T29G)
2. T40P/T40G
3. T4XS
4. T5X (besides T52)
5. CP920

Regards,
Travis
(06-04-2018 06:30 AM)Travis Wrote: [...]

Not even the T19 E2? Sad to hear it.
OK, will the T19, W56 and W60 be updated to use TLS_ECDHE_ECDSA ciphers?
(06-04-2018 09:17 AM)TrK Wrote: [...]


Dear customer,

The T19PE2 is actually in our T2X series, sorry for the misunderstanding; because there is only one "T1x", we don't want to make a dedicated category for it.

For DECT, I will check internally and get back to you later.

Regards,
Yealink_Travis
(06-04-2018 09:21 AM)Travis Wrote: [...]


Dear customer,

I've been told by our PD team that we will add DECT as well, but currently we don't have a schedule for it yet, probably in its V84 (DECT phones have a different pace of firmware schedule).

Regards,
Yealink_Travis