M215SC secure provisioning : Helpdesk platform

M

Madis Malv

started a topic 12 days ago

Hi,

I want to use secure provisioning for M215SC with built-in certificate. If I use http://downloads.snom.net/documentation/certs.crt on server side then server does not accept provisioning requests from M215SC. All other models seem to be happy with this CA.
Does M215SC use different certificate? Where could I get CA which also accepts it's built-in certificate?

Best regads
Madis

C

Catalina Oancea

said 11 days ago

Hi Madis,

File http://downloads.snom.net/documentation/certs.crt is for SHA1 certificates, and the M215 default certificate is SHA2. Your HTTPS server should trust the Snom SHA2 root certificate (see http://wiki.snom.com/Category:HowTo:TLS#Snom_Root_CA --> Snom root CA (sha2))

Here is my apache configuration as an example:

SSLVerifyClient require
SSLVerifyDepth 2
SSLCACertificateFile "/etc/ssl/crt/ca-256.crt" ---------> File /etc/ssl/crt/ca-256.crt was downloaded from link http://downloads.snom.net/documentation/ca-256.crt.

I hope this helps.

Thanks

Catalina

M

Madis Malv

said 11 days ago

Hi

Thank you Catalina for trying to help.

I downloaded and configured SHA2 certificate also on server side, but I am still not able to get M215 phones to verify.

Here is my apache configuration:
SSLEngine on
SSLProtocol all -SSLv2
SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
SSLCACertificateFile /etc/ssl/certs/snom_certs.crt
SSLCACertificateFile /etc/ssl/certs/snom_ca-256.crt
SSLCACertificateFile /etc/ssl/certs/snom_phone1-256.crt
SSLVerifyClient require
SSLVerifyDepth 4
SSLStrictSNIVHostCheck on

And here is an error, which server gives during handshake:
[ssl:info] SSL Library Error: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca (SSL alert number 48)

M

Madis Malv

said 11 days ago

Forgot to mention that

Software Version:

2.10.32.4da7

C

Catalina Oancea

said 10 days ago

Hi Madis,

I am not sure if you can add several CA files by using parameter SSLCACertificateFile. Can you try to leave only one line?

Instead of:

SSLCACertificateFile /etc/ssl/certs/snom_certs.crt
SSLCACertificateFile /etc/ssl/certs/snom_ca-256.crt
SSLCACertificateFile /etc/ssl/certs/snom_phone1-256.crt

Just leave:

SSLCACertificateFile /etc/ssl/certs/snom_ca-256.crt

(assuming that /etc/ssl/certs/snom_ca-256.crt contains the same file as http://downloads.snom.net/documentation/ca-256.crt)

In your example you have some additional lines that could also affect this so I would also suggest to remove all the other lines and try the ones that worked for me meaning like this (just to exclude other problems):

SSLEngine on
SSLCACertificateFile /etc/ssl/certs/snom_ca-256.crt
SSLVerifyClient require
SSLVerifyDepth 2

Thanks

Catalina

B

Broadsoft Germany GmbH - Placetel IT

said 9 days ago

Hej,

we're having the same problem, using the 256 certificate as you mentioned unfortunately does not work. We slimmed down our configuration to the most basic stuff that Catalina mentioned but without any luck.

this is what we see in the webserver logs:

[Fri Nov 09 13:50:33.388903 2018] [ssl:info] [pid 10:tid 139730239294184] [client 172.17.0.1:34864] AH02008: SSL library error 1 in handshake (server 172.17.0.3:9443)
[Fri Nov 09 13:50:33.388979 2018] [ssl:info] [pid 10:tid 139730239294184] SSL Library Error: error:14035418:SSL routines:ACCEPT_SR_CERT:tlsv1 alert unknown ca (SSL alert number 48)

Cheers,

Lars

C

Catalina Oancea

said 6 days ago

Hi Lars/Madis,

One more problem that can happen is that the M200 rejects the server certificate of your HTTPS server. For example if the HTTPS server has a self-signed certificate or a certificate signed by an unknown CA. You can create a PCAP trace on your HTTP server (with tcpdump for example) or on the M200 (under Servicing -> "Network Trace") and see who sends the TLS alert (the M200 or the server).

If the M200 is sending the TLS alert then it could be that the M200 is rejecting the server certificate. In this case, on the M200 you can add the server certificate to trust under Servicing -> Certificates -> Trusted Certificates. The uploaded certificate must be in pem format.

If the server is sending the TLS alert then it might be that it the server is rejecting the client certificate of the M200. In this case I would recommend to check with the customer support for your HTTP server.

Thanks

Catalina

M

Madis Malv

said 5 days ago

Thanks, Catalina

That was it. M200 rejected our server certificate which is issued by DigiCert. After I imported it to M200 then provisioning started to work.
But now I have a question. There is an option "Only accept trusted certificates". This is off by default. Why is M200 then rejecting our server certificate? Can I upload server certificate through same provisioning server before it checks it?

Regards
Madis

C

Catalina Oancea

said 4 days ago

Hi Madis,

I agree that option "Only accept trusted certificates" seems to not be applied in this case. I opened a bug for this (bugID VTECHDEV-88).

It is possible to automatically provision the certificate. You could have an intermediary configuration file in which you could provision the certificate first, using http (not https). The initial provisioning file would look something like this:

"
file.certificate.trusted.url = http://HTTP_SERVER_IP/cert1.pem <------------------------ link to the certificate
provisioning.server_address = https://HTTP_SERVER_IP/provisioningFile.cfg <------------------------ link to the secure https provisioning file

"

After fetching the certificate automatically, the M200 would change the provisioning link to https://HTTP_SERVER_IP/provisioningFile.cfg

Thanks

Catalina