
TLS fails on 8.7.5.35, succeeds (partially) on 8.4.35 (Snom 320)

I'm having trouble provisioning a Snom 320 with FW 8.7.5.35 on Fusion PBX.
Other devices (Snom 320 with FW 8.7.5.35 as well) can be provisioned on the same system and on the same domain.
This one refuses to accept provisioning.

The issue seems related to TLS and FW versions:
If I flash it to 8.4.35 and provide the provisioning URL as https://my.server/app/provision/index.php?mac=AABBCCDDEEFF it works.
However, all of the following combinations don't:

8.4.35 http://my.server/app/provision/index.php?mac=AABBCCDDEEFF
8.7.5.35 http://my.server/app/provision/index.php?mac=AABBCCDDEEFF
8.7.5.35 https://my.server/app/provision/index.php?mac=AABBCCDDEEFF

(I should add that http://my.server/app/provision/index.php?mac=AABBCCDDEEFF triggers a redirect to https://my.server/app/provision/index.php?mac=AABBCCDDEEFF)

The phone log shows:
[WARN ] TLS: Certificate verification omitted. TLS authentication is disabled!
[NOTICE] WEBCLIENT: on_tcp_close conn_id:64
[WARN ] PHN: Config setup: code: 500

Nginx Log shows "GET /app/provision/index.php?mac=AABBCCDDEEFF HTTP/1.1" 307 186 "-" "Mozilla/4.0 (compatible; snom320-SIP 8.7.5.35 1.1.3-u AABBCCDDEEFF)"
(307 redirect to https, but no 200 on the https URL)

Wireshark analysis of the phone's PCAP trace shows that establishing the TCP connection fails:

Secure Sockets Layer
    TLSv1 Record Layer: Alert (Level: Fatal, Description: Bad Record MAC)
        Content Type: Alert (21)
        Version: TLS 1.0 (0x0301)
        Length: 2
        Alert Message
            Level: Fatal (2)
            Description: Bad Record MAC (20)

While this could probably be solved on the level of Nginx configuration somehow (how?), I wonder why some firmware versions can cope with it while others can't. Plus, it also seems to depend on the location/provider, as other Snom 320s with FW 8.7.5.35 at another location handle the same setting well.

What can I do to make this work with FW 8.7.5.35 here?



--------Phone log--------
Sep 24 18:53:44 [NOTICE] PHN: Executing timer driven automatic settings refresh

Sep 24 18:53:44 [NOTICE] PHN: Setting automatic settings refresh timer with 70 seconds

Sep 24 18:53:44 [NOTICE] PHN: Setting server prio 1, type redirection, url:  >https://my.server/app/provision/index.php?mac=AABBCCDDEEFF<

Sep 24 18:53:44 [NOTICE] PHN: Fetching URL: https://my.server:443/app/provision/index.php?...

Sep 24 18:53:44 [WARN ] TLS: Certificate verification omitted. TLS authentication is disabled!

Sep 24 18:53:45 [NOTICE] WEBCLIENT: on_tcp_close conn_id:64

Sep 24 18:53:45 [WARN ] PHN: Config setup: code: 500, uri: https://my.server:443/app/provision/index.php?...

Sep 24 18:53:45 [NOTICE] PHN: Fetching URL: https://127.0.0.1:443/dummy.htm

Sep 24 18:53:45 [WARN ] TLS: Certificate verification omitted. TLS authentication is disabled!

Sep 24 18:53:53 [NOTICE] PHN: TPL: Socket 115 idle/connect timeout

Sep 24 18:54:11 [NOTICE] PHN: TPL: Socket 116 idle/connect timeout

Sep 24 18:54:16 [NOTICE] PHN: TPL: Socket 114 idle/connect timeout

Sep 24 18:54:16 [NOTICE] WEBCLIENT: on_tcp_close conn_id:65

Sep 24 18:54:16 [WARN ] PHN: Config setup: code: 500, uri: https://127.0.0.1:443/dummy.htm

Sep 24 18:54:16 [NOTICE] PHN: Fetching FW URL: https://my.server:443/app/provision/snom320/snom320-firmware.htm

Sep 24 18:54:16 [NOTICE] PHN: Fetching URL: https://my.server:443/app/provision/snom320/snom320-firmware.htm

Sep 24 18:54:16 [NOTICE] PHN: Skipping prio 2 setting server, type pnp, url: ><

Sep 24 18:54:16 [NOTICE] PHN: Skipping prio 3 setting server, type dhcp, url: ><

Sep 24 18:54:16 [NOTICE] PHN: Skipping prio 4 setting server, type tr69, url: ><

Sep 24 18:54:16 [NOTICE] PHN: Go to wizzard if all settings have been read.

Sep 24 18:54:16 [NOTICE] PHN: Using gui lang English at index:0 from: /mnt/snomlang/gui_lang_EN.xml

Sep 24 18:54:16 [ERROR ] PHN: SetTranslation: string contains potential xss code.

Sep 24 18:54:17 [WARN ] TLS: Certificate verification omitted. TLS authentication is disabled!

Sep 24 18:54:18 [NOTICE] WEBCLIENT: on_tcp_close conn_id:66
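
One way to triage a phone log like the one quoted above, added here as an example and not part of the original post or any Snom tool: it pairs each `Fetching URL` line with the TLS warning and the `Config setup` result that follow it, so failed fetches and fetches made without certificate verification stand out. The line format and the rule that a TLS warning belongs to the most recent fetch are assumptions inferred from the quoted log; `triage` and `unverified_hosts` are hypothetical names.

```python
import re

# Constructed sample: a subset of the phone log lines quoted in the post above.
SAMPLE_LOG = """\
Sep 24 18:53:44 [NOTICE] PHN: Fetching URL: https://my.server:443/app/provision/index.php?...
Sep 24 18:53:44 [WARN ] TLS: Certificate verification omitted. TLS authentication is disabled!
Sep 24 18:53:45 [NOTICE] WEBCLIENT: on_tcp_close conn_id:64
Sep 24 18:53:45 [WARN ] PHN: Config setup: code: 500, uri: https://my.server:443/app/provision/index.php?...
Sep 24 18:53:45 [NOTICE] PHN: Fetching URL: https://127.0.0.1:443/dummy.htm
Sep 24 18:53:45 [WARN ] TLS: Certificate verification omitted. TLS authentication is disabled!
Sep 24 18:54:16 [WARN ] PHN: Config setup: code: 500, uri: https://127.0.0.1:443/dummy.htm
Sep 24 18:54:16 [NOTICE] PHN: Fetching URL: https://my.server:443/app/provision/snom320/snom320-firmware.htm
Sep 24 18:54:17 [WARN ] TLS: Certificate verification omitted. TLS authentication is disabled!
"""

# Assumed line shape, inferred from the post: "Mon DD HH:MM:SS [LEVEL ] COMPONENT: message"
LINE = re.compile(r"^(\w{3} +\d+ [\d:]{8}) \[(\w+) *\] (\w+): (.*)$")
RESULT = re.compile(r"Config setup: code: (\d+)(?:, uri: (\S+))?")
FETCH = "Fetching URL: "

def triage(log_text):
    """One record per fetch: time, url, TLS-unverified flag, result code (None if absent)."""
    fetches, pending, last = [], {}, None
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # blank lines or lines not in the assumed format
        ts, _level, comp, msg = m.groups()
        if comp == "PHN" and msg.startswith(FETCH):
            last = {"time": ts, "url": msg[len(FETCH):], "tls_unverified": False, "code": None}
            fetches.append(last)
            pending[last["url"]] = last
        elif comp == "TLS" and "Certificate verification omitted" in msg and last:
            # Assumption: the warning belongs to the most recent fetch (the line has no conn id).
            last["tls_unverified"] = True
        elif comp == "PHN" and (r := RESULT.match(msg)):
            target = pending.pop(r.group(2), last)  # match by uri, else the latest fetch
            if target:
                target["code"] = int(r.group(1))
    return fetches

def unverified_hosts(fetches):
    """Hosts contacted over HTTPS without certificate verification, for follow-up."""
    hosts = {re.sub(r"^https://([^/:]+).*$", r"\1", f["url"]) for f in fetches if f["tls_unverified"]}
    return sorted(hosts)

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f)
```

On the sample, all three fetches are flagged as unverified, two end in code 500, and the firmware fetch has no result line yet.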


Best Answer

Daniel,

I have converted this topic to helpdesk ticket #16205

Regards,
Sean Collins
Snom Support
