
Provisioning Config File Encryption

Can anyone tell me if Snom handsets support encryption of their configuration files?


I understand I can provision them over HTTPS, but what I'm requiring is encryption of the config file itself. I can't find any pointers as to whether this feature exists.


Thanks


Best Answer
On a totally unrelated search for information, I stumbled upon this page:
http://wiki.snom.com/Category:HowTo:Secure_Web_Client

With this information, you can protect config files that can only be downloaded by snom phones (and snom employees with access to their CA, obviously). If you have a PHP script that also checks the precise identification data, you could harden such that only the phone in question is allowed to access the configuration data, and this is HTTPS client certificate protected. Probably totally does what you want? :-)

 


Unfortunately the answer is no. Encryption of configuration files isn't supported.


Best Regards

Thanks for the answer, do you know if there are any plans to support this config file encryption in the future?  Or is it not on the roadmap?

 

Hi Steven,

I do not know IF or WHEN snom may implement such a thing. But what you could try is the following:
- Activate HTTP client user and password in the snom phone (e.g. on a first pre-provisioning)
- Use HTTPS and a password-protected file location

With a little extra logic, for example, you could have a PHP script that ONLY provisions HTTP client user and password on the first connection attempt of a new MAC and later refuses to distribute that information. Spoofers would in this scenario have to know the MAC of the to-be-provisioned phone before its first provisioning cycle - which might just be good enough. Details will depend on your needs of course.

Best regards
AMH

@AMH: exactly.


Using HTTPS you can secure the provisioning (data transfer is encrypted and clients are authenticated).


Please remember that snom 3xx devices contain a generic certificate (issued by Snom), whereas 7xx, 8xx, D7xx, D3xx and MXXX contain a unique certificate per phone.


With some web servers you don't even need the PHP script to check the client certificate and the request; for example, with NGINX you can set up a regular expression matching the certificate CN against the HTTP request.
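
The NGINX approach described in the last reply, as an added example that is not part of the thread and is not Snom's own configuration. It assumes the per-phone certificate's CN carries the phone's MAC address and that config files are requested as `/prov/<MAC>.xml`; the host name, file paths and CA file name are placeholders. Devices that share a generic certificate (the 3xx series mentioned above) cannot be told apart this way.

```nginx
# Added example. Assumption: subject CN = phone MAC, files are /prov/<MAC>.xml.

# Join "<client subject DN>|<request URI>" and accept only when the MAC in the
# CN is the same MAC named in the requested file (PCRE backreference \1).
map "$ssl_client_s_dn|$uri" $cn_matches_request {
    default 0;
    # Matches e.g. "CN=000413AABBCC,O=...|/prov/000413AABBCC.xml" (constructed values)
    "~*(?:^|,)CN=([0-9A-F]{12})(?:,[^|]*)?\|/prov/\1\.xml$" 1;
}

server {
    listen 443 ssl;
    server_name provisioning.example.com;                # placeholder

    ssl_certificate         /etc/nginx/tls/server.crt;   # placeholder
    ssl_certificate_key     /etc/nginx/tls/server.key;   # placeholder

    # CA that issued the phones' client certificates (placeholder file name).
    ssl_client_certificate  /etc/nginx/tls/phone-ca.pem;
    # Requests without a certificate that chains to this CA are rejected.
    ssl_verify_client       on;
    ssl_verify_depth        2;

    location /prov/ {
        # Valid certificate, but asking for another device's file: refuse.
        if ($cn_matches_request = 0) {
            return 403;
        }
        root /srv;                                       # serves /srv/prov/<MAC>.xml
    }
}
```

Check the actual subject DN your phones present (log `$ssl_client_s_dn`) before relying on the regex, since the match depends on how the CN is formatted.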
