[YMCS/YDMP Free Trial Program]Yealink would like to offer Free Trial Program of Yealink device management service for our current eligible customers. You can see the details below.
https://www.yealink.com/ydmp-freetrial-2020


Post Reply 
 
Thread Rating:
  • 0 Votes - 0 Average
  • 1
  • 2
  • 3
  • 4
  • 5
CA issues
Author Message
lonvoice Offline
Junior Member
**

Posts: 35
Joined: May 2015
Reputation: 0
Post: #1
CA issues
Trying to get auto provisioning zero touch via rps working.

We've purchased an SSL certificate from Thawte, as this was on the list of supported CAs:

Code:
 Thawte Personal Freemail CA
 Thawte Premium Server CA
 Thawte Primary Root CA - G1 (EV)
 Thawte Primary Root CA - G2 (ECC)
 Thawte Primary Root CA - G3 (SHA256)
 Thawte Server CA

And the cert looks ok if I browse to our server:

   

But it doesn't auto configure. I know it's the certificate / CA that is the issue, as if I disable trusted certificates:

   

...it works fine. Why is it not recognising the CA here?
05-25-2015 09:14 PM
Find all posts by this user    like0    dislike0 Quote this message in a reply
Flora_Yealink Offline
Senior Member
****

Posts: 265
Joined: Oct 2012
Reputation: 4
Post: #2
RE: CA issues
Hi ,
Please help check whether your server certificate use Signature algorithm 256.
Currently Yealink phones only can support signature algorithm 128 , the next big version V80 can support 256.
Would you please help check ?
Best Regards!
Flora
05-25-2015 10:26 PM
Find all posts by this user    like0    dislike0 Quote this message in a reply
lonvoice Offline
Junior Member
**

Posts: 35
Joined: May 2015
Reputation: 0
Post: #3
RE: CA issues
Hi Flora

I'm not sure where to check this? Yealink's document says that SHA256 is supported on G3, see above? Is that not where you mean then?

I'm running on apache2 if that makes any difference. The certificate was generated by Thawte and they didn't ask me what type to generate?!
05-25-2015 10:37 PM
Find all posts by this user    like0    dislike0 Quote this message in a reply
Flora_Yealink Offline
Senior Member
****

Posts: 265
Joined: Oct 2012
Reputation: 4
Post: #4
RE: CA issues
hi ,
Sorry , I not familar with the server certificate, would you please check the details of the certificate? or you can send us the pcap trace that I can check it in my side.
Only the version higher than V73 can support the Sha256.
and if your server can't use the certificate, please send us the config of the Apache, if the phone fail in the TLS process, please send us the config.bin of the phone, pcap trace and level 6 syslog.

Flora
(This post was last modified: 05-25-2015 11:56 PM by Flora_Yealink.)
05-25-2015 11:54 PM
Find all posts by this user    like0    dislike0 Quote this message in a reply
lonvoice Offline
Junior Member
**

Posts: 35
Joined: May 2015
Reputation: 0
Post: #5
RE: CA issues
Ok so I've found out it's a SHA2-256 cert. I'm quite annoyed now, I've just spent a lot of money on this - first of all it didn't work because Yealink don't support the CA, and now another certificate, and it won't work because Yealink don't support the encryption level! What do you want from me?! I appreciate you have sorted the problem out in the next firmware but that doesn't really help us now does it?!
05-26-2015 04:16 AM
Find all posts by this user    like0    dislike0 Quote this message in a reply
Flora_Yealink Offline
Senior Member
****

Posts: 265
Joined: Oct 2012
Reputation: 4
Post: #6
RE: CA issues
HI ,
What is your phone model ? the V80 version for T2 ,T4 will be ready early June.
Best Regards!
Flora

Flora
FAE (Field Application Engineer) Department
Yealink Network Technology Co., Ltd.
Website: http://www.yealink.com
05-26-2015 04:45 AM
Find all posts by this user    like0    dislike0 Quote this message in a reply
lonvoice Offline
Junior Member
**

Posts: 35
Joined: May 2015
Reputation: 0
Post: #7
RE: CA issues
I've got my CA to change the cert to SHA1, should this be sufficient? It's still not working. It mentions AES256, so does that mean it won't work? My cert details (from Chrome) are as follows:

Code:
The connection is encrypted using AES_256_CBC, with SHA1 for message authentication and DHE_RSA as the key exchange mechanism.

This site uses a weak security configuration (SHA-1 signatures), so your connection may not be private.

The identity of this website has been verified by Thawte DV SSL CA but does not have public audit records.

The site is using outdated security settings that may prevent future versions of Chrome from being able to safely access it.

Your connection to rps.myname.com is encrypted with obsolete cryptography.

The connection uses TLS 1.0.

The connection is encrypted using AES_256_CBC, with SHA1 for message authentication and DHE_RSA as the key exchange mechanism.
05-26-2015 10:52 PM
Find all posts by this user    like0    dislike0 Quote this message in a reply
Flora_Yealink Offline
Senior Member
****

Posts: 265
Joined: Oct 2012
Reputation: 4
Post: #8
RE: CA issues
Hi,
Please make sure there won't be any SHA256 in your server certificate .and please let me know which phone model and phone version you used ?

you mentioned that after change it to Sha1 it still won't work, do you mean the phone still can't use the TLS ?in this case, please share us config.bin file , pcap trace and level 6 syslog that we can check.
Best Regards!
Flora
05-26-2015 11:31 PM
Find all posts by this user    like0    dislike0 Quote this message in a reply
lonvoice Offline
Junior Member
**

Posts: 35
Joined: May 2015
Reputation: 0
Post: #9
RE: CA issues
My test phone is T26 running 72 version firmware. The cert is now confirmed as 128.

This is strange:

Factory default = update skipped
Factory default, unplug power and reconnect = update skipped
Factory default, soft reboot using 'x' key = configuration updating!!

Is this a bug? Why would it need a soft reboot to accept the configuration update??
05-26-2015 11:45 PM
Find all posts by this user    like0    dislike0 Quote this message in a reply
Flora_Yealink Offline
Senior Member
****

Posts: 265
Joined: Oct 2012
Reputation: 4
Post: #10
RE: CA issues
from your description, it seems you used the RPS version.
If you don't have preconfigured the RPS setting in the RPS server for the phone , it will show skip the update when reboot.
The RPS feature will be disabled once auto provisioning successfully once, it will only be enabled again when reset to factory default.

Factory default = update skipped
Factory default, unplug power and reconnect = update skipped
Factory default, soft reboot using 'x' key = configuration updating!!
when it show “ configuration updating " please make sure whether youhave configured the RPS or lcoal auto provisioning setting.
Best Regards!
Flora
05-27-2015 12:19 AM
Find all posts by this user    like0    dislike0 Quote this message in a reply
Post Reply 


Possibly Related Threads...
Thread: Author Replies: Views: Last Post
Sad RPS & Autoprovisioning issues 247-support 1 7,423 07-12-2018 07:02 PM
Last Post: johnkiniston
  T21P E2 and T27P Issues with voice.tone.country Spadhausen 0 4,513 10-03-2017 03:54 PM
Last Post: Spadhausen
  T23G Auto Provisioning Issues Billyy 11 31,467 09-14-2017 06:43 AM
Last Post: Lucia_Yealink
  yealinkencrypt program issues entavoip 1 6,886 03-03-2016 10:43 AM
Last Post: Karl_Yealink
Sad Configuration Generation Tool - Issues DrewMan 1 7,017 06-27-2014 04:07 PM
Last Post: Yealink Support
  PNP Provisoning on V7 Firmware Issues baddah 5 17,438 09-16-2013 04:45 PM
Last Post: Yealink Support
  T32/T38 template issues with 3CX sunstatetech 4 24,464 05-18-2013 06:06 AM
Last Post: sunstatetech

Forum Jump:


User(s) browsing this thread: 1 Guest(s)

Contact Us   Yealink   Return to Top   Return to Content   Lite (Archive) Mode   RSS Syndication