About HTTPS certificates and trust
Yealink Forums (http://forum.yealink.com/forum), Forum: IP Phone Series, Forum: Auto Provisioning, Thread: /showthread.php?tid=41843

About HTTPS certificates and trust - TrK - 05-24-2018 08:41 AM

Our provisioning web server has a Rapid SSL RSA wildcard certificate, which is trusted by default by Yealink phones. Our DHCP server sends OPTION 43 with an https link. Everything is working well - we unbox a new phone, connect it to the network and voilà, no need to log on to the phone's web interface.

But our RSA certificate will expire soon. We decided to switch to a Let's Encrypt ECC certificate. As I can see, Yealink phones by default have the root LE cert "DST Root CA X3", but do not have the intermediate "Let's Encrypt Authority X3".

What should I do about that? Set security.trust_certificates = 0? Add this intermediate CA certificate to Trusted? But how will new phones get these settings without access to the provisioning web server?

And another related question, about the format of trusted_certificates.url: what is the solution when I need to add two (or three, or four) root certificates to Trusted? Should I add them all to one file, like in a chain file? But these certs are from different CAs.

RE: About HTTPS certificates and trust - Travis_Yealink - 06-01-2018 02:19 AM

(05-24-2018 08:41 AM)TrK Wrote: Our provisioning web server has a Rapid SSL RSA wildcard certificate, which is trusted by default by Yealink phones. Our DHCP server sends OPTION 43 with an https link. Everything is working well - we unbox a new phone, connect it to the network and voilà, no need to log on to the phone's web interface.

Dear customer,

For this case, please find my answers below:

1. The root CA exists, so please ask the server provider to send the sub-CA to the phone when it asks for authentication.
2. For the parameter, please create separate parameters for different CAs:

static.trusted_certificates.url = http://10.91.80.50:8080/1.cer
static.trusted_certificates.url = http://10.91.80.50:8080/2.cer

Any questions, feel free to let me know.

Regards,
Travis

RE: About HTTPS certificates and trust - TrK - 06-01-2018 10:50 AM

(06-01-2018 02:19 AM)Travis Wrote: 1. The root CA exists, so please ask the server provider to send the sub-CA to the phone when it asks for authentication.

Tried the new wildcard ECC cert from LE; the phone cannot provision, error in the phone log:

Code:
<134>Jun 1 10:38:16 ATP [1206]: DURL<6+info > [DCMN]I will write to file: /tmp/xxx.cfg

RE: About HTTPS certificates and trust - Travis_Yealink - 06-04-2018 01:58 AM

(06-01-2018 10:50 AM)TrK Wrote:
(06-01-2018 02:19 AM)Travis Wrote: 1. The root CA exists, so please ask the server provider to send the sub-CA to the phone when it asks for authentication.

Dear customer,

According to your reply, I am afraid the cause of this issue is that the cipher you are using is not in the list of 19 supported ciphers. (See attachment)

Solution:
1. Change the cipher to a supported one
2. Use http

By the way, we will enhance our ciphers in V84; the schedule is around Sep 2018. If you want, please tell me which cipher you are using now, or provide me a PCAP, and I will check for you whether it's on our V84 list.

Any questions, feel free to let me know.

Regards,
Yealink_Travis

RE: About HTTPS certificates and trust - TrK - 06-04-2018 03:22 AM

(06-04-2018 01:58 AM)Travis Wrote: According to your reply, I am afraid the cause of this issue is that the cipher you are using is not in the list of 19 supported ciphers. (See attachment)

Oh, I see. With the new LE certificate the server uses only TLS_ECDHE_ECDSA ciphers, so no RSA or DHE. No, we cannot use http :-(. So, we have some time before the current certificate expires, waiting for V84.

By the way, what about the same firmware updates for W56 and W60 bases? We use them too.

RE: About HTTPS certificates and trust - Travis_Yealink - 06-04-2018 06:30 AM

(06-04-2018 03:22 AM)TrK Wrote:
(06-04-2018 01:58 AM)Travis Wrote: According to your reply, I am afraid the cause of this issue is that the cipher you are using is not in the list of 19 supported ciphers. (See attachment)

Dear customer,

I am sorry, the models supported by V84 are as below:

1. T2X (besides T27P, T29G)
2. T40P/T40G
3. T4XS
4. T5X (besides T52)
5. CP920

Regards,
Travis

RE: About HTTPS certificates and trust - TrK - 06-04-2018 09:17 AM

(06-04-2018 06:30 AM)Travis Wrote: I am sorry, the models supported by V84 are as below:

Not even T19 E2? Sad to hear it. OK, will T19, W56 and W60 be updated to use TLS_ECDHE_ECDSA ciphers?

RE: About HTTPS certificates and trust - Travis_Yealink - 06-04-2018 09:21 AM

(06-04-2018 09:17 AM)TrK Wrote:
(06-04-2018 06:30 AM)Travis Wrote: I am sorry, the models supported by V84 are as below:

Dear customer,

T19PE2 is actually in our T2X series, sorry for the misunderstanding; because there is only one "T1x", we don't want to make a dedicated category for it.

For DECT, I will check internally and get back to you later.

Regards,
Yealink_Travis

RE: About HTTPS certificates and trust - Travis_Yealink - 06-05-2018 02:14 AM

(06-04-2018 09:21 AM)Travis Wrote:
(06-04-2018 09:17 AM)TrK Wrote:
(06-04-2018 06:30 AM)Travis Wrote: I am sorry, the models supported by V84 are as below:

Dear customer,

I've been told by our PD team that we will add DECT as well, but currently we don't have a schedule for it yet, probably in its V84 (DECT phones have a different pace of firmware schedule).

Regards,
Yealink_Travis
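
The failure discussed in this thread (an ECDSA-only server certificate meeting a client that offers no ECDSA suites) can be checked before a certificate switch. This is an added example, not part of the original posts and not Yealink code; the client and server suite lists are constructed, since the phone's actual 19-cipher list is in the forum attachment and not shown on this page.

```python
import re

# TLS 1.2 suite names: TLS_<key exchange>[_<auth>]_WITH_<cipher>_<mac>.
# Only RSA, DHE and ECDHE key exchange are modelled; anything else (static
# DH/ECDH, anon, PSK, TLS 1.3 names) yields None and is treated as unusable.
_SUITE = re.compile(r"^TLS_(?P<kx>RSA|DHE|ECDHE)(?:_(?P<auth>RSA|ECDSA|DSS))?_WITH_")

def cert_type_needed(suite):
    """Certificate key type the server must present for this suite, or None."""
    m = _SUITE.match(suite)
    if not m:
        return None
    # TLS_RSA_WITH_* has no auth field: RSA key transport implies an RSA cert.
    return m.group("auth") or ("RSA" if m.group("kx") == "RSA" else None)

def negotiable(client_offer, server_enabled, server_cert_types):
    """Suites both sides enable and the server holds a matching cert for."""
    return [s for s in client_offer
            if s in server_enabled and cert_type_needed(s) in server_cert_types]

def diagnose(client_offer, server_enabled, server_cert_types):
    """Summarise whether a handshake can succeed and which cert types the client accepts."""
    accepted = {cert_type_needed(s) for s in client_offer} - {None}
    return {
        "negotiable": negotiable(client_offer, server_enabled, server_cert_types),
        "client_accepts_cert_types": sorted(accepted),
        "server_has_cert_types": sorted(server_cert_types),
    }

# Constructed client offer: a device limited to RSA-authenticated suites.
CLIENT_OFFER = [
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_256_CBC_SHA",
]
# Constructed server configuration: suites enabled in the web server.
SERVER_ENABLED = {
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_256_CBC_SHA",
}

if __name__ == "__main__":
    print("RSA cert:  ", diagnose(CLIENT_OFFER, SERVER_ENABLED, {"RSA"}))
    print("ECDSA cert:", diagnose(CLIENT_OFFER, SERVER_ENABLED, {"ECDSA"}))
```

Feed it the suite list from a captured ClientHello of the real device and the server's enabled suites to see whether a planned certificate type leaves any common suite.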