[YMCS/YDMP Free Trial Program]Yealink would like to offer Free Trial Program of Yealink device management service for our current eligible customers. You can see the details below.
https://www.yealink.com/ydmp-freetrial-2020


Post Reply 
 
Thread Rating:
  • 0 Votes - 0 Average
  • 1
  • 2
  • 3
  • 4
  • 5
MTLS using built in device cetificate
Author Message
tonipamies Offline
Junior Member
**

Posts: 3
Joined: Mar 2021
Reputation: 0
Post: #1
MTLS using built in device cetificate
Hi,

I'm trying to set my web server and phones to do mutual certificates exchange on HTTPS provisioning.
I'm using Centos 8.2, apache, mod_ssl and openssl
It works fine for Yealink T23G, T27G but it does'nt work with Yealink W60B and T46G
I'm using the Yealink certificates provided by my reseller (I have attached them)
I trying to configure openssl with:
  1. Systems defaults: SECLEVEL=2, the error is: Error (66): EE certificate key too weak
  2. SECLEVEL=1, the error is: Error (68): CA signature digest algorithm too weak
  3. SECLEVEL=0, the error is: Error (7): certificate signature failure

can anybody to help me?


Attached File(s)
.zip  YealinkCA.zip (Size: 3.08 KB / Downloads: 12)

Salut!

Antoni Pàmies
República de Catalunya
(This post was last modified: 06-02-2021 06:19 PM by tonipamies.)
06-02-2021 04:06 PM
Find all posts by this user    like0    dislike0 Quote this message in a reply
smuser Offline
Junior Member
**

Posts: 4
Joined: Nov 2020
Reputation: 0
Post: #2
RE: MTLS using built in device cetificate
Yealink has at least TWO separate CA's that I know of.

I initially setup and had it all working for T42S and few others. Then we bought few T46U and those failed to verify phone's certs because they were signed by a different CA.

I opened a ticket asking Yealink to publish the CA cert for T46U. They provided the CA cert as attachment to the ticket, but refused to publish it in the downloads resources, citing security issues.

I recommend you open a ticket and ask for it. First they will ask why you want. What you are doing sounds exactly what we are doing.

I like Yealink support, very helpful, but I really strongly disagree with them on this issue. AFAIK it is safer to publish the CA and let users verify the device than to hide it and tempt users to run without verifications. It's not like I'm asking for the private key. And once issued to one person it is no longer a secret. No big deal if it is just published. But what would I know. I am sorry I will not upload here the cert they provided to me in case Yealink gets upset with me for that, well, they are hiding it for some reason.
(This post was last modified: 06-11-2021 02:09 PM by smuser.)
06-11-2021 02:07 PM
Find all posts by this user    like0    dislike0 Quote this message in a reply
tonipamies Offline
Junior Member
**

Posts: 3
Joined: Mar 2021
Reputation: 0
Post: #3
RE: MTLS using built in device cetificate
Thanks
I will open a ticket as you say and then i will post the answer with the solution
(if i have,it, of course)

Salut!

Antoni Pàmies
República de Catalunya
06-11-2021 03:28 PM
Find all posts by this user    like0    dislike0 Quote this message in a reply
Post Reply 


Possibly Related Threads...
Thread: Author Replies: Views: Last Post
Question Mutual Certificates exchange using built device built in cetificate Ricardo Martins 7 14,395 06-02-2021 02:35 AM
Last Post: tonipamies
  Change admin password by using Device Management Platform 1.0.0.25 Bertin 6 12,615 05-14-2019 01:45 PM
Last Post: joegellen20
  Need help with RPS configuration of server and device. chidado 2 6,586 11-25-2017 05:36 AM
Last Post: chidado
  rps xmlrpc - add device with serverurl only bpps 2 6,213 06-06-2017 01:03 AM
Last Post: Torontob
  Detection of device model sjamaan 1 4,537 12-04-2015 07:15 PM
Last Post: Karl_Yealink

Forum Jump:


User(s) browsing this thread: 1 Guest(s)

Contact Us   Yealink   Return to Top   Return to Content   Lite (Archive) Mode   RSS Syndication