Certificate not trusted
loop
Post: #1
Certificate not trusted
I have an OpenSIPS gateway with a bought TLS certificate (not self-signed).
I am successfully able to connect T20 handsets and Windows Zoiper soft phones to the gateway. They both trust the certificate.

Unfortunately I cannot get the W52P to trust the certificate. I have to set "Only Accept Trusted Certificates" to "Disabled".

I've tested the certificate by using it with Apache for an HTTPS site and all browsers from multiple operating systems see the certificate as trusted. This leads me to believe the certificate is valid.

Is there any guidance on what kinds of paid certificate the W52P is compatible with? Is this a bug with the phone or do I need to buy my TLS certificate from a particular vendor?
07-23-2014 06:43 PM
loop
Post: #2
RE: Certificate not trusted
I've been doing some further investigation and here is what I have found so far.

1. The T20 only worked because by default "Only Accept Trusted Certificates" was set to "Disabled". Enabling "Only Accept Trusted Certificates" caused the same problems as the W52P.

2. I tried installing the bought certificate into the phones and neither phone would register to the server. Looking at the logs from both phones, they said "Failed to validate certificate".

3. I installed the bought certificate into Zoiper on my Macbook and that connected to the server fine.

4. I generated a self-signed certificate for the server in question and installed that into the T20 and the W52P and they both worked fine.

My suspicion is that the Yealink handsets do not understand certificates that have an "intermediate" certificate (otherwise known as chain certificates).

Has anyone had any success getting a Yealink handset to recognise a certificate with intermediate certificates?
07-24-2014 12:48 AM
Yealink Support
Post: #3
RE: Certificate not trusted
Hi loop,

We do not recommend users to use intermediate certificates. Hope you can understand it.

thanks
08-06-2014 05:01 PM
loop
Post: #4
RE: Certificate not trusted
(08-06-2014 05:01 PM)Yealink Support Wrote:  Hi loop,

We do not recommend users to use intermediate certificates. Hope you can understand it.

thanks

Thank you for the reply. This creates a problem though. As far as I'm aware you can't buy an SSL certificate without it using intermediates. They simply don't sell SSL certificates without intermediate certificates anymore.

Does Yealink have a recommended vendor for SSL certificates? Or are you indicating that Yealink phones only work with self signed certificates?
08-06-2014 05:05 PM
JayPeg
Post: #5
RE: Certificate not trusted
(08-06-2014 05:01 PM)Yealink Support Wrote:  Hi loop,

We do not recommend users to use intermediate certificates. Hope you can understand it.

thanks

Why do you not recommend intermediate certificates?
(This post was last modified: 11-28-2014 07:04 PM by JayPeg.)
11-28-2014 07:03 PM
loop
Post: #6
RE: Certificate not trusted
(11-28-2014 07:03 PM)JayPeg Wrote:  
(08-06-2014 05:01 PM)Yealink Support Wrote:  Hi loop,

We do not recommend users to use intermediate certificates. Hope you can understand it.

thanks

Why do you not recommend intermediate certificates?

I've since spoken to another Yealink technician and provided more detailed logs. In the end they said the encryption format was not supported:
Quote: This is a certificate signature failure, because our phone doesn't support the signature algorithm of sha256RSA, that is "AlphaSSL CA - SHA256 - G2.cer". We plan to support the signature algorithm of sha256RSA, but not now. Please advise to use other signature algorithm like sha1RSA in server.

When I pushed for a fix for this I got:
Quote:On the timescales for the fix I am told it is likely to be at least Q1 next year but there is no date in place yet so this may move.
11-28-2014 07:07 PM
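
The diagnosis quoted in post #6 turns on which signature algorithm each certificate in the served chain carries. As an added example (not code from the thread or from Yealink), this Python code reads that field from every certificate in a chain and marks the ones a client limited to sha1RSA cannot verify. The `client_supports` default is an assumption taken from the technician's quote, and `skeleton_cert` / `SAMPLE_CHAIN` are constructed DER skeletons, not real certificates.

```python
import base64, re

# Signature-algorithm OIDs, keyed to the names used in the thread.
SIG_OIDS = {"1.2.840.113549.1.1.5": "sha1RSA", "1.2.840.113549.1.1.11": "sha256RSA"}

def _tlv(buf, pos):
    """Read one DER TLV header at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def _oid(content):
    """Decode OID content bytes (first arc 0 or 1, which covers the RSA OIDs)."""
    arcs, val = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:  # high bit clear marks the last byte of an arc
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def signature_algorithm(der):
    """Return the outer signatureAlgorithm of one DER-encoded X.509 certificate."""
    _, body, _ = _tlv(der, 0)        # Certificate SEQUENCE
    _, _, tbs_end = _tlv(der, body)  # step over tbsCertificate
    _, alg, _ = _tlv(der, tbs_end)   # AlgorithmIdentifier SEQUENCE
    tag, start, end = _tlv(der, alg)
    if tag != 0x06:
        raise ValueError("expected an OBJECT IDENTIFIER")
    oid = _oid(der[start:end])
    return SIG_OIDS.get(oid, oid)    # unknown algorithms come back as dotted OIDs

def pem_to_der(bundle):
    """Split a PEM bundle, in the order the server sends it, into DER blobs."""
    pat = r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----"
    return [base64.b64decode(b) for b in re.findall(pat, bundle, re.S)]

def audit_chain(ders, client_supports=("sha1RSA",)):
    """Return (position, algorithm, client_can_verify) per certificate."""
    algs = [signature_algorithm(d) for d in ders]
    return [(i, a, a in client_supports) for i, a in enumerate(algs)]

def skeleton_cert(last_arc):
    """Constructed DER skeleton (not a real certificate) for offline testing."""
    alg = b"\x30\x0d\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x01" + bytes([last_arc]) + b"\x05\x00"
    body = b"\x30\x03\x02\x01\x01" + alg + b"\x03\x02\x00\x00"
    return bytes([0x30, len(body)]) + body
SAMPLE_CHAIN = [skeleton_cert(0x0B), skeleton_cert(0x0B)]  # leaf + intermediate
```

For a real deployment, pass the contents of the server's PEM chain file through `pem_to_der` and then `audit_chain`; any row whose last field is `False` is a certificate the client cannot check.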
JayPeg
Post: #7
RE: Certificate not trusted
Thanks for your reply, loop. Can I ask if you've managed to find a workaround at all? I can't provision any of my handsets without manually going into each of them and disabling the certificate, and it seems like such an oversight by Yealink.
11-28-2014 07:10 PM
loop
Post: #8
RE: Certificate not trusted
(11-28-2014 07:10 PM)JayPeg Wrote:  Thanks for your reply, loop. Can I ask if you've managed to find a workaround at all? I can't provision any of my handsets without manually going into each of them and disabling the certificate, and it seems like such an oversight by Yealink.

In the end we generated our own root certificate and make our customers install it in whatever phone they are using if they want encryption. After doing testing with some soft phones and running into issues using bought certificates, we decided the only reliable way to make encryption work across all phones was to insist on the installation of our own root certificate.
11-28-2014 07:14 PM
JayPeg
Post: #9
RE: Certificate not trusted
(11-28-2014 07:14 PM)loop Wrote:  
(11-28-2014 07:10 PM)JayPeg Wrote:  Thanks for your reply, loop. Can I ask if you've managed to find a workaround at all? I can't provision any of my handsets without manually going into each of them and disabling the certificate, and it seems like such an oversight by Yealink.

In the end we generated our own root certificate and make our customers install it in whatever phone they are using if they want encryption. After doing testing with some soft phones and running into issues using bought certificates, we decided the only reliable way to make encryption work across all phones was to insist on the installation of our own root certificate.

But that's still a manual step of installing the certificate on the phone, right?
How does that work for you with large deployments of Yealink handsets?
12-01-2014 07:47 PM
loop
Post: #10
RE: Certificate not trusted
(12-01-2014 07:47 PM)JayPeg Wrote:  
(11-28-2014 07:14 PM)loop Wrote:  
(11-28-2014 07:10 PM)JayPeg Wrote:  Thanks for your reply, loop. Can I ask if you've managed to find a workaround at all? I can't provision any of my handsets without manually going into each of them and disabling the certificate, and it seems like such an oversight by Yealink.

In the end we generated our own root certificate and make our customers install it in whatever phone they are using if they want encryption. After doing testing with some soft phones and running into issues using bought certificates, we decided the only reliable way to make encryption work across all phones was to insist on the installation of our own root certificate.

But that's still a manual step of installing the certificate on the phone, right?
How does that work for you with large deployments of Yealink handsets?

Yep. It makes large deployments a little more time consuming but we don't do them very often so it isn't too big an issue.
12-01-2014 07:48 PM