MTLS using built in device certificate
Author Message
tonipamies Offline
Junior Member
**

Posts: 3
Joined: Mar 2021
Reputation: 0
Post: #1
MTLS using built in device certificate
Hi,

I'm trying to set up my web server and phones to do mutual certificate exchange on HTTPS provisioning.
I'm using CentOS 8.2, Apache, mod_ssl and OpenSSL.
It works fine for the Yealink T23G and T27G, but it doesn't work with the Yealink W60B and T46G.
I'm using the Yealink certificates provided by my reseller (I have attached them).
I'm trying to configure OpenSSL with:
  1. System defaults: SECLEVEL=2, the error is: Error (66): EE certificate key too weak
  2. SECLEVEL=1, the error is: Error (68): CA signature digest algorithm too weak
  3. SECLEVEL=0, the error is: Error (7): certificate signature failure

Can anybody help me?


Attached File(s)
.zip  YealinkCA.zip (Size: 3.08 KB / Downloads: 60)

Salut!

Antoni Pàmies
República de Catalunya
(This post was last modified: 06-02-2021 06:19 PM by tonipamies.)
06-02-2021 04:06 PM
smuser Offline
Junior Member
**

Posts: 5
Joined: Nov 2020
Reputation: 0
Post: #2
RE: MTLS using built in device certificate
Yealink has at least TWO separate CAs that I know of.

I initially set it up and had it all working for the T42S and a few others. Then we bought a few T46Us and those failed to verify the phones' certs because they were signed by a different CA.

I opened a ticket asking Yealink to publish the CA cert for the T46U. They provided the CA cert as an attachment to the ticket, but refused to publish it in the download resources, citing security issues.

I recommend you open a ticket and ask for it. First they will ask why you want it. What you are doing sounds exactly like what we are doing.

I like Yealink support, very helpful, but I really strongly disagree with them on this issue. AFAIK it is safer to publish the CA and let users verify the device than to hide it and tempt users to run without verifications. It's not like I'm asking for the private key. And once issued to one person it is no longer a secret. No big deal if it is just published. But what would I know. I am sorry I will not upload here the cert they provided to me in case Yealink gets upset with me for that, well, they are hiding it for some reason.
(This post was last modified: 06-11-2021 02:09 PM by smuser.)
06-11-2021 02:07 PM
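The two problems discussed in posts #1 and #2 (a device certificate that fails at a given SECLEVEL, and a device signed by a different CA than the one configured) can be told apart offline with `openssl verify`. The script below is an added example, not part of the original posts and not Yealink's tooling; the function names, file names and the sample PKI it generates are constructed for illustration.

```bash
#!/bin/sh
# Added example: find which candidate CA signed a device certificate and the
# highest OpenSSL security level (-auth_level, same scale as SECLEVEL) at
# which the chain still verifies. All names here are hypothetical.

# Print the highest auth level (2, 1, 0) at which CERT verifies against CA,
# or -1 if it does not verify at any level (e.g. signed by a different CA).
max_auth_level() {  # usage: max_auth_level CA.pem CERT.pem
  local lvl
  for lvl in 2 1 0; do
    if openssl verify -auth_level "$lvl" -CAfile "$1" "$2" >/dev/null 2>&1; then
      echo "$lvl"; return 0
    fi
  done
  echo -1
}

# Print "<ca-file> <level>" for the first candidate CA that verifies CERT.
find_signing_ca() {  # usage: find_signing_ca CERT.pem CA1.pem [CA2.pem ...]
  local cert=$1 ca lvl; shift
  for ca in "$@"; do
    lvl=$(max_auth_level "$ca" "$cert")
    if [ "$lvl" -ge 0 ]; then echo "$ca $lvl"; return 0; fi
  done
  echo "none -1"; return 1
}

# Constructed sample PKI (not Yealink's): two unrelated 2048-bit CAs and a
# 1024-bit device certificate signed by the second one.
make_sample_pki() {  # usage: make_sample_pki DIR
  local d=$1 n
  for n in 1 2; do
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
      -subj "/CN=Constructed Device CA $n" \
      -keyout "$d/ca$n.key" -out "$d/ca$n.pem" 2>/dev/null || return 1
  done
  openssl req -newkey rsa:1024 -nodes -subj "/CN=constructed-device" \
    -keyout "$d/dev.key" -out "$d/dev.csr" 2>/dev/null || return 1
  openssl x509 -req -sha256 -days 1 -in "$d/dev.csr" -CA "$d/ca2.pem" \
    -CAkey "$d/ca2.key" -CAcreateserial -out "$d/dev.pem" 2>/dev/null
}

# Command-line use: script.sh DEVICE.pem CA1.pem [CA2.pem ...]
if [ $# -ge 2 ]; then
  find_signing_ca "$@"
fi
```

With the constructed PKI, the device certificate verifies only against the second CA and only up to level 1, because its 1024-bit key is rejected at level 2. A result of `none -1` means none of the supplied CA files signed the certificate, in which case lowering SECLEVEL on the server will not help.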
tonipamies Offline
Junior Member
**

Posts: 3
Joined: Mar 2021
Reputation: 0
Post: #3
RE: MTLS using built in device certificate
Thanks.
I will open a ticket as you say, and then I will post the answer with the solution
(if I have it, of course).

Salut!

Antoni Pàmies
República de Catalunya
06-11-2021 03:28 PM