CA issues
lonvoice Offline
Junior Member
**

Posts: 35
Joined: May 2015
Reputation: 0
Post: #1
CA issues
Trying to get auto provisioning zero touch via rps working.

We've purchased an SSL certificate from Thawte, as this was on the list of supported CAs:

Code:
 Thawte Personal Freemail CA
 Thawte Premium Server CA
 Thawte Primary Root CA - G1 (EV)
 Thawte Primary Root CA - G2 (ECC)
 Thawte Primary Root CA - G3 (SHA256)
 Thawte Server CA

And the cert looks ok if I browse to our server:

   

But it doesn't auto configure. I know it's the certificate / CA that is the issue, as if I disable trusted certificates:

   

...it works fine. Why is it not recognising the CA here?
05-25-2015 09:14 PM
Flora_Yealink Offline
Senior Member
****

Posts: 265
Joined: Oct 2012
Reputation: 4
Post: #2
RE: CA issues
Hi,
Please help check whether your server certificate uses signature algorithm 256.
Currently Yealink phones can only support signature algorithm 128; the next big version, V80, can support 256.
Would you please help check?
Best Regards!
Flora
05-25-2015 10:26 PM
lonvoice Offline
Junior Member
**

Posts: 35
Joined: May 2015
Reputation: 0
Post: #3
RE: CA issues
Hi Flora

I'm not sure where to check this? Yealink's document says that SHA256 is supported on G3, see above? Is that not where you mean then?

I'm running on apache2 if that makes any difference. The certificate was generated by Thawte and they didn't ask me what type to generate?!
05-25-2015 10:37 PM
Flora_Yealink Offline
Senior Member
****

Posts: 265
Joined: Oct 2012
Reputation: 4
Post: #4
RE: CA issues
Hi,
Sorry, I am not familiar with the server certificate. Would you please check the details of the certificate? Or you can send us the pcap trace so that I can check it on my side.
Only versions higher than V73 can support SHA256.
And if your server can't use the certificate, please send us the config of Apache. If the phone fails in the TLS process, please send us the config.bin of the phone, pcap trace and level 6 syslog.

Flora
(This post was last modified: 05-25-2015 11:56 PM by Flora_Yealink.)
05-25-2015 11:54 PM
lonvoice Offline
Junior Member
**

Posts: 35
Joined: May 2015
Reputation: 0
Post: #5
RE: CA issues
Ok so I've found out it's a SHA2-256 cert. I'm quite annoyed now, I've just spent a lot of money on this - first of all it didn't work because Yealink don't support the CA, and now another certificate, and it won't work because Yealink don't support the encryption level! What do you want from me?! I appreciate you have sorted the problem out in the next firmware but that doesn't really help us now does it?!
05-26-2015 04:16 AM
Flora_Yealink Offline
Senior Member
****

Posts: 265
Joined: Oct 2012
Reputation: 4
Post: #6
RE: CA issues
Hi,
What is your phone model? The V80 version for T2, T4 will be ready in early June.
Best Regards!
Flora

Flora
FAE (Field Application Engineer) Department
Yealink Network Technology Co., Ltd.
Website: http://www.yealink.com
05-26-2015 04:45 AM
lonvoice Offline
Junior Member
**

Posts: 35
Joined: May 2015
Reputation: 0
Post: #7
RE: CA issues
I've got my CA to change the cert to SHA1, should this be sufficient? It's still not working. It mentions AES256, so does that mean it won't work? My cert details (from Chrome) are as follows:

Code:
The connection is encrypted using AES_256_CBC, with SHA1 for message authentication and DHE_RSA as the key exchange mechanism.

This site uses a weak security configuration (SHA-1 signatures), so your connection may not be private.

The identity of this website has been verified by Thawte DV SSL CA but does not have public audit records.

The site is using outdated security settings that may prevent future versions of Chrome from being able to safely access it.

Your connection to rps.myname.com is encrypted with obsolete cryptography.

The connection uses TLS 1.0.

The connection is encrypted using AES_256_CBC, with SHA1 for message authentication and DHE_RSA as the key exchange mechanism.
05-26-2015 10:52 PM
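The signature algorithm discussed in posts #2 to #7 is a field inside each X.509 certificate, separate from the cipher suite (AES_256_CBC with a SHA1 MAC) that the browser dialog reports. As an added example that is not part of the original thread, this Python sketch reads that field from every certificate in a PEM bundle; `SAMPLE_CHAIN` and the helper names are assumptions, and the sample is a constructed DER skeleton, not the poster's certificate.

```python
import base64, re

# Signature-algorithm OIDs commonly seen on TLS server certificates.
SIG_OIDS = {"1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
            "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
            "1.2.840.10045.4.3.2": "ecdsa-with-SHA256"}

def read_tlv(buf, pos):  # -> (tag, value_start, value_end) of the DER element at pos
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length bytes that follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def decode_oid(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0  # valid for first arcs 0 and 1
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:  # high bit clear ends the current arc
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def signature_algorithm(der):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }"""
    _, body, _ = read_tlv(der, 0)         # step into the outer SEQUENCE
    _, _, tbs_end = read_tlv(der, body)   # skip tbsCertificate
    _, alg, _ = read_tlv(der, tbs_end)    # AlgorithmIdentifier SEQUENCE
    tag, start, end = read_tlv(der, alg)  # its first element is the OID
    if tag != 0x06:
        raise ValueError("signatureAlgorithm OID not found")
    oid = decode_oid(der[start:end])
    return SIG_OIDS.get(oid, oid)         # unknown OIDs are returned in dotted form

def chain_signature_algorithms(pem_text):  # one entry per certificate, in file order
    pem = r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----"
    return [signature_algorithm(base64.b64decode(b)) for b in re.findall(pem, pem_text, re.S)]

# Constructed sample: DER skeletons (not valid certificates), SHA-256 first, then SHA-1.
def _tlv(tag, body):  # sample bodies here are either < 128 or >= 256 bytes long
    n = len(body)
    return bytes([tag]) + (bytes([n]) if n < 128 else b"\x82" + n.to_bytes(2, "big")) + body

def sample_pem(oid_hex):
    alg = _tlv(0x30, bytes.fromhex(oid_hex) + b"\x05\x00")
    der = _tlv(0x30, _tlv(0x30, bytes(300)) + alg + _tlv(0x03, bytes(257)))
    return "-----BEGIN CERTIFICATE-----\n%s-----END CERTIFICATE-----\n" % base64.encodebytes(der).decode()

SAMPLE_CHAIN = sample_pem("06092a864886f70d01010b") + sample_pem("06092a864886f70d010105")
```

Run against the server certificate together with its intermediates, `chain_signature_algorithms` lists every signature in the chain the device has to verify, so a SHA-256 intermediate above a reissued SHA-1 leaf shows up as well.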
Flora_Yealink Offline
Senior Member
****

Posts: 265
Joined: Oct 2012
Reputation: 4
Post: #8
RE: CA issues
Hi,
Please make sure there won't be any SHA256 in your server certificate, and please let me know which phone model and phone version you used.

You mentioned that after changing it to SHA1 it still won't work. Do you mean the phone still can't use TLS? In this case, please share with us the config.bin file, pcap trace and level 6 syslog so that we can check.
Best Regards!
Flora
05-26-2015 11:31 PM
lonvoice Offline
Junior Member
**

Posts: 35
Joined: May 2015
Reputation: 0
Post: #9
RE: CA issues
My test phone is T26 running 72 version firmware. The cert is now confirmed as 128.

This is strange:

Factory default = update skipped
Factory default, unplug power and reconnect = update skipped
Factory default, soft reboot using 'x' key = configuration updating!!

Is this a bug? Why would it need a soft reboot to accept the configuration update??
05-26-2015 11:45 PM
Flora_Yealink Offline
Senior Member
****

Posts: 265
Joined: Oct 2012
Reputation: 4
Post: #10
RE: CA issues
From your description, it seems you used the RPS version.
If you haven't preconfigured the RPS setting in the RPS server for the phone, it will show that the update is skipped when rebooting.
The RPS feature will be disabled once auto provisioning has succeeded once; it will only be enabled again when reset to factory default.

Factory default = update skipped
Factory default, unplug power and reconnect = update skipped
Factory default, soft reboot using 'x' key = configuration updating!!
When it shows "configuration updating", please make sure whether you have configured the RPS or local auto provisioning setting.
Best Regards!
Flora
05-27-2015 12:19 AM