[YMCS/YDMP Free Trial Program]Yealink would like to offer Free Trial Program of Yealink device management service for our current eligible customers. You can see the details below.
https://www.yealink.com/ydmp-freetrial-2020


Post Reply 
 
Thread Rating:
  • 0 Votes - 0 Average
  • 1
  • 2
  • 3
  • 4
  • 5
About HTTPS certificates and trust
Author Message
TrK Offline
Junior Member
**

Posts: 11
Joined: Dec 2017
Reputation: 0
Post: #1
About HTTPS certificates and trust
Our provisioning web server have Rapid SSL RSA wildcard certificate, which is trusted by default Yealink phone. Our DHCP server send OPTION 43 with https link. Everything is working good - we unbox new phone, connect it to network and viola, not need to logon on phone`s web interface.

But our RSA certificate will be expired soon. We decide to switch to Let`sEncrypt ECC certificate. As i can see, Yealink phones by default have root LE cert "DST Root CA X3", but not have intermediate "Lets Encrypt Authority X3".

What should i do with that? Set security.trust_certificates = 0? Add this Intermediate CA certificate to Trusted?
But how new phones will get this settings without access to provisioning web server?


And another related question, about format of
Code:
trusted_certificates.url
.
What is solution when i need to add two (or three, or four) root certificate to Trusted? Should i add all to one file, like in chainfile? But this certs are from different CA.
(This post was last modified: 05-24-2018 08:53 AM by TrK.)
05-24-2018 08:41 AM
Find all posts by this user    like0    dislike0 Quote this message in a reply
Travis_Yealink Offline
Super Moderator
******

Posts: 171
Joined: Mar 2016
Reputation: 1
Post: #2
RE: About HTTPS certificates and trust
(05-24-2018 08:41 AM)TrK Wrote:  Our provisioning web server have Rapid SSL RSA wildcard certificate, which is trusted by default Yealink phone. Our DHCP server send OPTION 43 with https link. Everything is working good - we unbox new phone, connect it to network and viola, not need to logon on phone`s web interface.

But our RSA certificate will be expired soon. We decide to switch to Let`sEncrypt ECC certificate. As i can see, Yealink phones by default have root LE cert "DST Root CA X3", but not have intermediate "Lets Encrypt Authority X3".

What should i do with that? Set security.trust_certificates = 0? Add this Intermediate CA certificate to Trusted?
But how new phones will get this settings without access to provisioning web server?


And another related question, about format of
Code:
trusted_certificates.url
.
What is solution when i need to add two (or three, or four) root certificate to Trusted? Should i add all to one file, like in chainfile? But this certs are from different CA.

Dear customer,

For this case, please find my answers below:
1. The root CA is exist, so please ask server provider to send sub-CA to the phone when it asks for the authentication
2. For the parameter, please create seperated parameters for different CA:
static.trusted_certificates.url = http://10.91.80.50:8080/1.cer
static.trusted_certificates.url = http://10.91.80.50:8080/2.cer

Any question, freely to let me know.

Regards,
Travis
06-01-2018 02:19 AM
Find all posts by this user    like0    dislike0 Quote this message in a reply
TrK Offline
Junior Member
**

Posts: 11
Joined: Dec 2017
Reputation: 0
Post: #3
RE: About HTTPS certificates and trust
(06-01-2018 02:19 AM)Travis Wrote:  1. The root CA is exist, so please ask server provider to send sub-CA to the phone when it asks for the authentication

Tried to new wildcard ECC cert from LE, phone cannot make provision, error in phone log:

Code:
<134>Jun  1 10:38:16 ATP [1206]: DURL<6+info  > [DCMN]I will write to file: /tmp/xxx.cfg
<134>Jun  1 10:38:17 ATP [1206]: DURL<6+info  > [DCMN]CURL Info: TLSv1.2 (OUT), TLS handshake, Client hello (1):
<134>Jun  1 10:38:17 ATP [1206]: DURL<6+info  > [DCMN]CURL Info: Unknown SSL protocol error in connection to company.com:443
<134>Jun  1 10:38:17 ATP [1206]: DURL<6+info  > [DCMN]Connect is short Cleanup curl.
<131>Jun  1 10:38:17 ATP [1206]: DURL<3+error > [DCMN]download common error, errcode:35.
<134>Jun  1 10:38:17 ATP [1206]: DURL<6+info  > [DCMN]download common error, remove file.
<131>Jun  1 10:38:17 ATP [1206]: ATP <3+error > https to file failed, code = -135, msg = , retry = 1
06-01-2018 10:50 AM
Find all posts by this user    like0    dislike0 Quote this message in a reply
Travis_Yealink Offline
Super Moderator
******

Posts: 171
Joined: Mar 2016
Reputation: 1
Post: #4
RE: About HTTPS certificates and trust
(06-01-2018 10:50 AM)TrK Wrote:  
(06-01-2018 02:19 AM)Travis Wrote:  1. The root CA is exist, so please ask server provider to send sub-CA to the phone when it asks for the authentication

Tried to new wildcard ECC cert from LE, phone cannot make provision, error in phone log:

Code:
<134>Jun  1 10:38:16 ATP [1206]: DURL<6+info  > [DCMN]I will write to file: /tmp/xxx.cfg
<134>Jun  1 10:38:17 ATP [1206]: DURL<6+info  > [DCMN]CURL Info: TLSv1.2 (OUT), TLS handshake, Client hello (1):
<134>Jun  1 10:38:17 ATP [1206]: DURL<6+info  > [DCMN]CURL Info: Unknown SSL protocol error in connection to company.com:443
<134>Jun  1 10:38:17 ATP [1206]: DURL<6+info  > [DCMN]Connect is short Cleanup curl.
<131>Jun  1 10:38:17 ATP [1206]: DURL<3+error > [DCMN]download common error, errcode:35.
<134>Jun  1 10:38:17 ATP [1206]: DURL<6+info  > [DCMN]download common error, remove file.
<131>Jun  1 10:38:17 ATP [1206]: ATP <3+error > https to file failed, code = -135, msg = , retry = 1


Dear customer,

According to your reply, I afraid the cause of this issue is the cipher you are using is not from supported 19 ciphers list. (See attachment)

Solution:
1. Change the cipher to the supported one
2. use http

By the way, we will enhance our cipher on our V84, schedule is around Sep, 2018, and if you want, please tell me what's the cipher you are using now, or provide me a PCAP, I will check for you if it's on our V84 list.

Any question, freely to let me know.

Regards,
Yealink_Travis


Attached File(s) Thumbnail(s)
   
06-04-2018 01:58 AM
Find all posts by this user    like0    dislike0 Quote this message in a reply
TrK Offline
Junior Member
**

Posts: 11
Joined: Dec 2017
Reputation: 0
Post: #5
RE: About HTTPS certificates and trust
(06-04-2018 01:58 AM)Travis Wrote:  According to your reply, I afraid the cause of this issue is the cipher you are using is not from supported 19 ciphers list. (See attachment)

Solution:
1. Change the cipher to the supported one
2. use http

By the way, we will enhance our cipher on our V84, schedule is around Sep, 2018, and if you want, please tell me what's the cipher you are using now, or provide me a PCAP, I will check for you if it's on our V84 list.

Any question, freely to let me know.

Regards,
Yealink_Travis

Oh, i see.
With new LE certificate server is only used TLS_ECDHE_ECDSA ciphers, so no RSA or DHE.
No, we cannot use http :-(.
So, we have some time before current certificate expiring, waiting for v84.

By the way, what about same firmware updates for W56 and W60 Bases? We use it too.
06-04-2018 03:22 AM
Find all posts by this user    like0    dislike0 Quote this message in a reply
Travis_Yealink Offline
Super Moderator
******

Posts: 171
Joined: Mar 2016
Reputation: 1
Post: #6
RE: About HTTPS certificates and trust
(06-04-2018 03:22 AM)TrK Wrote:  
(06-04-2018 01:58 AM)Travis Wrote:  According to your reply, I afraid the cause of this issue is the cipher you are using is not from supported 19 ciphers list. (See attachment)

Solution:
1. Change the cipher to the supported one
2. use http

By the way, we will enhance our cipher on our V84, schedule is around Sep, 2018, and if you want, please tell me what's the cipher you are using now, or provide me a PCAP, I will check for you if it's on our V84 list.

Any question, freely to let me know.

Regards,
Yealink_Travis

Oh, i see.
With new LE certificate server is only used TLS_ECDHE_ECDSA ciphers, so no RSA or DHE.
No, we cannot use http :-(.
So, we have some time before current certificate expiring, waiting for v84.

By the way, what about same firmware updates for W56 and W60 Bases? We use it too.


Dear customer,

I am sorry, the V84 supported models as below:
1、T2X(besides T27P、T29G)
2、T40P/T40G
3、T4XS
4、T5X(besides T52)
5、CP920

Regards,
Travis
06-04-2018 06:30 AM
Find all posts by this user    like0    dislike0 Quote this message in a reply
TrK Offline
Junior Member
**

Posts: 11
Joined: Dec 2017
Reputation: 0
Post: #7
RE: About HTTPS certificates and trust
(06-04-2018 06:30 AM)Travis Wrote:  I am sorry, the V84 supported models as below:
1、T2X(besides T27P、T29G)
2、T40P/T40G
3、T4XS
4、T5X(besides T52)
5、CP920

Not even T19 E2? Sad to hear it.
Ok, will be T19, W56 and W60 updated to using TLS_ECDHE_ECDSA ciphers?
06-04-2018 09:17 AM
Find all posts by this user    like0    dislike0 Quote this message in a reply
Travis_Yealink Offline
Super Moderator
******

Posts: 171
Joined: Mar 2016
Reputation: 1
Post: #8
RE: About HTTPS certificates and trust
(06-04-2018 09:17 AM)TrK Wrote:  
(06-04-2018 06:30 AM)Travis Wrote:  I am sorry, the V84 supported models as below:
1、T2X(besides T27P、T29G)
2、T40P/T40G
3、T4XS
4、T5X(besides T52)
5、CP920

Not even T19 E2? Sad to hear it.
Ok, will be T19, W56 and W60 updated to using TLS_ECDHE_ECDSA ciphers?


Dear customer,

T19PE2 is actually on our T2X series, sorry for that misunderstanding, because there is only one "T1x", and we don't want to make a dediciated category for it.

For DECT, I will check internally and get back to you later.

Regards,
Yealink_Travis
06-04-2018 09:21 AM
Find all posts by this user    like0    dislike0 Quote this message in a reply
Travis_Yealink Offline
Super Moderator
******

Posts: 171
Joined: Mar 2016
Reputation: 1
Post: #9
RE: About HTTPS certificates and trust
(06-04-2018 09:21 AM)Travis Wrote:  
(06-04-2018 09:17 AM)TrK Wrote:  
(06-04-2018 06:30 AM)Travis Wrote:  I am sorry, the V84 supported models as below:
1、T2X(besides T27P、T29G)
2、T40P/T40G
3、T4XS
4、T5X(besides T52)
5、CP920

Not even T19 E2? Sad to hear it.
Ok, will be T19, W56 and W60 updated to using TLS_ECDHE_ECDSA ciphers?


Dear customer,

T19PE2 is actually on our T2X series, sorry for that misunderstanding, because there is only one "T1x", and we don't want to make a dediciated category for it.

For DECT, I will check internally and get back to you later.

Regards,
Yealink_Travis


Dear customer,

I've told from our PD team that we will add DECT as well, but currently, we don't have schedule for it yet, propably on its V84(DECT phone has different pace of firmware schedule)

Regards,
Yealink_Travis
06-05-2018 02:14 AM
Find all posts by this user    like0    dislike0 Quote this message in a reply
Post Reply 


Possibly Related Threads...
Thread: Author Replies: Views: Last Post
Question Mutual Certificates exchange using built device built in cetificate Ricardo Martins 6 8,960 02-04-2019 06:45 PM
Last Post: Bluip_Support
  HTTPS Letsencrypt T48S 66.82.0.20 vs 66.83.0.30 Jacques14623 1 2,105 05-09-2018 02:00 AM
Last Post: Travis_Yealink
  3CX Provisioning with Certificates for Secure SIP 3CTechnology 3 8,072 11-23-2016 10:00 AM
Last Post: Kevin_Yealink
  HTTPS Certificates TomJagustin 2 6,917 10-27-2016 04:56 PM
Last Post: jondaley
  SHA1 certificates: A BIG problem lonvoice 3 6,111 04-06-2016 10:13 PM
Last Post: bsanders
  HTTPS/SSL Error nickcoons 18 37,438 02-28-2016 10:17 AM
Last Post: Novum Networks
  3CX/T4X not provisioning via HTTPS jasonsomers 1 5,310 10-27-2015 11:27 PM
Last Post: James_Yealink
Brick T19 HTTPS Autoprovisioning uzytkownik 2 6,101 08-26-2014 02:35 PM
Last Post: uzytkownik

Forum Jump:


User(s) browsing this thread: 1 Guest(s)

Contact Us   Yealink   Return to Top   Return to Content   Lite (Archive) Mode   RSS Syndication