Yealink Forums
Establishing mutual TLS with Kamailio


Establishing mutual TLS with Kamailio - marco.capetta - 11-07-2014 07:19 PM

I have a Yealink T32G phone with firmware 32.70.23.6.
I am trying to configure the phone for TLS with a Kamailio proxy.
I was able to successfully configure TLS authentication by entering the CA of my Kamailio server in the Trusted Certificates of the Yealink phone.
Now I would like to switch to mutual TLS. To do this I would need to have the Yealink CA that has trusted the phone's pre-installed certificate.
Where can I download this Certificate Authority?

Thanks
Marco


RE: Establishing mutual TLS with Kamailio - James_Yealink - 11-07-2014 07:39 PM

Hi Marco,

I attach the certificate; please check.

Regards,
James


RE: Establishing mutual TLS with Kamailio - marco.capetta - 11-07-2014 09:59 PM

Thanks for the quick response.

I imported the certificate that you have kindly provided me, but I still have connection problems.
It seems that the Yealink phone does not provide its certificate to the server during the TLS handshake; in fact, I get the following error from the Kamailio logs:
"ERROR: tls [tls_server.c 1186]: tls_read_f (): TLS accept: error: 140890C7: SSL routines: SSL3_GET_CLIENT_CERTIFICATE: peer did not return a certificate".

I tried to export the phone certificate from the phone's HTTPS web interface, and I got the certificate that you can find attached.
If I try to verify this certificate using the CA you provided me, I get the error:
"error 20 at 0 depth lookup: unable to get local issuer certificate"

Must I also import some intermediate CA?
Do I need to set something in particular on the phone?

Thanks again
Marco
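
The check described in the post above can be reproduced in a lab. This is an added example, not part of the original thread and not Yealink's real PKI: it assumes the `openssl` CLI is on the PATH, and every name in it (`Lab Root CA`, `Lab Intermediate CA`, `lab-phone-001`, the file names) is constructed. It builds a three-level chain, shows that verifying the device certificate against the root alone gives error 20 at depth 0, and shows how comparing issuer and subject identifies the missing intermediate.

```shell
#!/bin/sh
# Constructed lab PKI (all names made up): root CA -> intermediate CA -> device cert.
# Reproduces "error 20 at 0 depth lookup" and shows how to locate the missing issuer.

issue() {  # issue NAME SUBJECT EXTFILE SIGNER   (SIGNER "self" = self-signed)
  openssl req -newkey rsa:2048 -nodes -subj "$2" \
    -keyout "$1.key" -out "$1.csr" 2>/dev/null || return 1
  if [ "$4" = self ]; then
    openssl x509 -req -in "$1.csr" -days 2 -extfile "$3" \
      -signkey "$1.key" -out "$1.pem" 2>/dev/null
  else
    openssl x509 -req -in "$1.csr" -days 2 -extfile "$3" \
      -CA "$4.pem" -CAkey "$4.key" -CAcreateserial -out "$1.pem" 2>/dev/null
  fi
}

# issued_by CA_CERT CERT: true when CERT's issuer name equals CA_CERT's subject name
issued_by() {
  [ "$(openssl x509 -noout -subject -in "$1" | sed 's/^subject= *//')" = \
    "$(openssl x509 -noout -issuer -in "$2" | sed 's/^issuer= *//')" ]
}

# verify_device CA_FILE [INTERMEDIATES_FILE]: prints openssl's verdict for dev.pem
verify_device() {
  openssl verify -CAfile "$1" ${2:+-untrusted "$2"} dev.pem 2>&1
}

cd "$(mktemp -d)" || exit 1
printf 'basicConstraints=critical,CA:TRUE\n' > ca.ext
printf 'basicConstraints=CA:FALSE\n' > leaf.ext
issue root "/CN=Lab Root CA" ca.ext self
issue int "/CN=Lab Intermediate CA" ca.ext root
issue dev "/CN=lab-phone-001" leaf.ext int

# The CA file on hand is not the direct issuer of the device certificate ...
issued_by root.pem dev.pem || echo "root.pem did not issue dev.pem"
verify_device root.pem    # error 20 at 0 depth lookup
# ... so the chain only builds once the issuing intermediate is supplied as well.
issued_by int.pem dev.pem && verify_device root.pem int.pem    # dev.pem: OK
```

On a real exported certificate, `openssl x509 -noout -issuer -in <file>` prints the issuer name that has to match the subject of some certificate in the CA list the server is given.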


RE: Establishing mutual TLS with Kamailio - marco.capetta - 11-14-2014 06:16 PM

Is there any update on this?

Thanks
Marco


RE: Establishing mutual TLS with Kamailio - James_Yealink - 11-14-2014 07:45 PM

Hi Marco,

Sorry for the late reply.
Does the error occur when you register through TLS or when you do an autoprovision through HTTPS?
Can you set the phone syslog to 6, reproduce the issue, then send the log to us?

Regards,
James


RE: Establishing mutual TLS with Kamailio - marco.capetta - 11-18-2014 12:08 AM

Hi James,

I was able to successfully configure TLS authentication by entering the CA of my Kamailio server in the Trusted Certificates of Yealink phones.

The error occurs instead when I try to switch to mutual TLS.

As you requested, I am attaching the export syslog at level 6.

Regards,
Marco


RE: Establishing mutual TLS with Kamailio - marco.capetta - 12-02-2014 12:54 AM

Is there any update on this?

Thanks
Marco


RE: Establishing mutual TLS with Kamailio - James_Yealink - 12-02-2014 05:28 PM

Hi Marco,

From the syslog it seems that the phone can't read the client certificate. Please make sure that the "Device Certificate" is set to "Default Certificate" under Security -> Server Certificate.

If the default certificate doesn't work either, can you generate a new Server certificate and Client certificate and import them to server/phone then check again?

Regards,
James


RE: Establishing mutual TLS with Kamailio - marco.capetta - 12-02-2014 07:06 PM

In the phone's web interface there is no "Device Certificate" parameter under "Security -> Server Certificate" (see attached screenshot).

I want you to remember that currently the phone has firmware "32.70.X".
Does this version support device certificates? Or is version "32.71.X" or "32.72.X" needed?
In the latter case, where can I find this firmware?

Thanks again for the support.
Marco


RE: Establishing mutual TLS with Kamailio - James_Yealink - 12-03-2014 01:58 PM

Marco,

Please import this certificate under Security -> Server Certificate and check again.

The firmware may not have a built-in client certificate.

Regards,
James