Madis Malv
I want to use secure provisioning for M215SC with the built-in certificate. If I use http://downloads.snom.net/documentation/certs.crt on the server side then the server does not accept provisioning requests from M215SC. All other models seem to be happy with this CA. Does M215SC use a different certificate? Where could I get a CA which also accepts its built-in certificate?
Best regards
Madis
Catalina Moritz said about 2 years ago
Hi Madis,
File http://downloads.snom.net/documentation/certs.crt is for SHA1 certificates, and the M215 default certificate is SHA2. Your HTTPS server should trust the Snom SHA2 root certificate (see http://wiki.snom.com/Category:HowTo:TLS#Snom_Root_CA --> Snom root CA (sha2)).
Here is my apache configuration as an example:
SSLVerifyClient require
SSLVerifyDepth 2
SSLCACertificateFile "/etc/ssl/crt/ca-256.crt"
(The file /etc/ssl/crt/ca-256.crt was downloaded from http://downloads.snom.net/documentation/ca-256.crt.)
I hope this helps.
Thanks
Catalina
Madis Malv said about 2 years ago
Hi,
Thank you Catalina for trying to help.
I downloaded and configured the SHA2 certificate also on the server side, but I am still not able to get M215 phones to verify.
Here is my apache configuration:
SSLEngine on
SSLProtocol all -SSLv2
SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
SSLCACertificateFile /etc/ssl/certs/snom_certs.crt
SSLCACertificateFile /etc/ssl/certs/snom_ca-256.crt
SSLCACertificateFile /etc/ssl/certs/snom_phone1-256.crt
SSLVerifyClient require
SSLVerifyDepth 4
SSLStrictSNIVHostCheck on
And here is the error which the server gives during the handshake:
[ssl:info] SSL Library Error: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca (SSL alert number 48)
Madis Malv said about 2 years ago
Forgot to mention:
Software Version: 2.10.32.4da7
Catalina Moritz said about 2 years ago
Hi Madis,
I am not sure if you can add several CA files by using the parameter SSLCACertificateFile. Can you try to leave only one line?
Instead of:
SSLCACertificateFile /etc/ssl/certs/snom_certs.crt
SSLCACertificateFile /etc/ssl/certs/snom_ca-256.crt
SSLCACertificateFile /etc/ssl/certs/snom_phone1-256.crt
just leave:
SSLCACertificateFile /etc/ssl/certs/snom_ca-256.crt
(assuming that /etc/ssl/certs/snom_ca-256.crt contains the same file as http://downloads.snom.net/documentation/ca-256.crt)
In your example you have some additional lines that could also affect this, so I would also suggest removing all the other lines and trying the ones that worked for me, i.e. like this (just to exclude other problems):
SSLEngine on
SSLCACertificateFile /etc/ssl/certs/snom_ca-256.crt
SSLVerifyClient require
SSLVerifyDepth 2
Thanks
Catalina
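The two replies above make two separate points: the CA file that Apache checks the phone's built-in certificate against has to contain the root that actually signed it (the SHA2 root, not the SHA1 bundle), and SSLCACertificateFile names a single file, so trusting more than one root means concatenating them into one PEM bundle. The POSIX shell script below is an added example, not code from this thread or from Snom: it generates a throw-away root and leaf with openssl to stand in for ca-256.crt and a phone certificate (all names and paths are assumptions), shows how to read the issuer and signature algorithm off a certificate, and runs `openssl verify` against a bundle with and without the issuing root. `openssl verify -CAfile` builds the chain the same way mod_ssl does for SSLVerifyClient, so it is a quick offline check of a candidate SSLCACertificateFile against a certificate exported from a phone.

```shell
#!/bin/sh
# Added example, not from the thread: check which CA a client certificate
# chains to, and build the single PEM bundle that SSLCACertificateFile takes.
# The root/leaf created here are throw-away stand-ins for ca-256.crt and a
# phone's built-in certificate (names and paths are assumptions).
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Minimal openssl config so the demo does not depend on the system's
# openssl.cnf; v3_ca marks the self-signed root as a CA.
cat > "$WORK/openssl.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF

# make_root NAME: self-signed SHA-256 root (EC key, quick to generate).
make_root() {
    openssl req -x509 -config "$WORK/openssl.cnf" -extensions v3_ca \
        -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes -sha256 \
        -days 30 -subj "/CN=$1" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# make_leaf NAME ROOT: end-entity certificate issued by ROOT.
make_leaf() {
    openssl req -new -config "$WORK/openssl.cnf" \
        -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -subj "/CN=$1" -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
    openssl x509 -req -sha256 -days 30 -in "$WORK/$1.csr" \
        -CA "$WORK/$2.pem" -CAkey "$WORK/$2.key" -CAcreateserial \
        -out "$WORK/$1.pem" 2>/dev/null
}

# make_bundle OUT FILE...: SSLCACertificateFile names ONE file, so several
# roots are trusted by concatenating their PEM blocks into it.
make_bundle() {
    out="$1"; shift
    cat "$@" > "$out"
}

# cert_sig_alg FILE: signature algorithm of a certificate, e.g.
# sha1WithRSAEncryption (SHA1) vs sha256WithRSAEncryption / ecdsa-with-SHA256.
cert_sig_alg() {
    openssl x509 -noout -text -in "$1" | awk '/Signature Algorithm/ { print $3; exit }'
}

# cert_issuer FILE: who signed it; this is what the bundle must contain.
cert_issuer() {
    openssl x509 -noout -issuer -in "$1"
}

# verify_client_cert BUNDLE LEAF: exit 0 when LEAF chains to a root in
# BUNDLE, non-zero otherwise. mod_ssl's SSLVerifyClient does the same
# chain building; a failure here is what the phone sees as "unknown ca".
verify_client_cert() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

make_root snom-sha2-root
make_root unrelated-root
make_leaf phone-builtin snom-sha2-root

# Right root present (alongside another one): accepted.
make_bundle "$WORK/bundle-good.pem" "$WORK/unrelated-root.pem" "$WORK/snom-sha2-root.pem"
# Right root absent: rejected, the situation this thread starts from.
make_bundle "$WORK/bundle-bad.pem" "$WORK/unrelated-root.pem"

echo "leaf signature algorithm: $(cert_sig_alg "$WORK/phone-builtin.pem")"
echo "leaf $(cert_issuer "$WORK/phone-builtin.pem")"
if verify_client_cert "$WORK/bundle-good.pem" "$WORK/phone-builtin.pem"; then
    echo "bundle with the issuing root: OK"
fi
if ! verify_client_cert "$WORK/bundle-bad.pem" "$WORK/phone-builtin.pem"; then
    echo "bundle without the issuing root: rejected (unknown issuer)"
fi
```

To use this against a real deployment, run `cert_issuer` and `cert_sig_alg` on a certificate exported from the phone and `verify_client_cert` with the exact file named in SSLCACertificateFile; if the issuer printed is not in the bundle, no amount of SSLVerifyDepth will make Apache accept it.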
Broadsoft Germany GmbH - Placetel IT said about 2 years ago
Hi,
We're having the same problem; using the 256 certificate as you mentioned unfortunately does not work. We slimmed down our configuration to the most basic stuff that Catalina mentioned, but without any luck.
This is what we see in the webserver logs:
[Fri Nov 09 13:50:33.388903 2018] [ssl:info] [pid 10:tid 139730239294184] [client 172.17.0.1:34864] AH02008: SSL library error 1 in handshake (server 172.17.0.3:9443)
[Fri Nov 09 13:50:33.388979 2018] [ssl:info] [pid 10:tid 139730239294184] SSL Library Error: error:14035418:SSL routines:ACCEPT_SR_CERT:tlsv1 alert unknown ca (SSL alert number 48)
Cheers,
Lars
Catalina Moritz said about 2 years ago
Hi Lars/Madis,
One more problem that can happen is that the M200 rejects the server certificate of your HTTPS server, for example if the HTTPS server has a self-signed certificate or a certificate signed by an unknown CA. You can create a PCAP trace on your HTTP server (with tcpdump, for example) or on the M200 (under Servicing -> "Network Trace") and see who sends the TLS alert (the M200 or the server).
If the M200 is sending the TLS alert then it could be that the M200 is rejecting the server certificate. In this case, on the M200 you can add the server certificate to trust under Servicing -> Certificates -> Trusted Certificates. The uploaded certificate must be in PEM format.
If the server is sending the TLS alert then it might be that the server is rejecting the client certificate of the M200. In this case I would recommend checking with the customer support for your HTTP server.
Thanks
Catalina
1 person likes this
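A PCAP settles who sent the alert, but the Apache log already carries that information, because OpenSSL words the two cases differently: an alert it received from the peer is reported as "tlsv1 alert <name> (SSL alert number N)" (the "SSL alert number" suffix is only ever attached to received alerts), while a verification failure on the server's own side is reported as "certificate verify failed" and mod_ssl logs it as "AH02039: Certificate Verification: Error". The shell functions below are an added example, not code from this thread or from Snom: they classify mod_ssl log lines by that distinction and map the alert number to its TLS name. The sample input is constructed from the two server log lines quoted above in this thread plus one line in the shape mod_ssl writes when it rejects the client certificate itself (the AH02039 wording is assumed from mod_ssl's message format; X509 error 20 is "unable to get local issuer certificate").

```shell
#!/bin/sh
# Added example, not from the thread: classify mod_ssl handshake log lines
# by which side rejected a certificate. OpenSSL reports an alert it RECEIVED
# as "tlsv1 alert <name> (SSL alert number N)"; when the local side fails
# verification itself it reports "certificate verify failed" and mod_ssl
# logs "AH02039: Certificate Verification: Error".
set -eu

# alert_name NUM: TLS alert description names relevant to certificate checks.
alert_name() {
    case "$1" in
        40) echo handshake_failure ;;
        42) echo bad_certificate ;;
        43) echo unsupported_certificate ;;
        44) echo certificate_revoked ;;
        45) echo certificate_expired ;;
        46) echo certificate_unknown ;;
        48) echo unknown_ca ;;
        *)  echo "alert_$1" ;;
    esac
}

# classify_ssl_line LINE: prints one of
#   received-alert:NUM:NAME   the peer (the phone) sent the alert
#   sent-alert:verify-failed  this server rejected the peer's certificate
#   unclassified
classify_ssl_line() {
    case "$1" in
        *"SSL alert number "*)
            num="${1##*SSL alert number }"
            num="${num%%[!0-9]*}"
            echo "received-alert:$num:$(alert_name "$num")"
            ;;
        *"certificate verify failed"*|*"Certificate Verification: Error"*)
            echo "sent-alert:verify-failed"
            ;;
        *)
            echo "unclassified"
            ;;
    esac
}

# explain VERDICT: what to fix, following the two cases in the post above.
explain() {
    case "$1" in
        received-alert:*)
            echo "phone rejected the server certificate: add the server's issuing CA to the phone's trusted certificates" ;;
        sent-alert:*)
            echo "server rejected the phone certificate: SSLCACertificateFile must contain the root that signed it" ;;
        *)
            echo "no certificate verdict in this line" ;;
    esac
}

# Constructed sample input: the two server log lines quoted in this thread,
# one line in the shape mod_ssl writes when it fails client-cert verification
# itself (AH02039 wording assumed; error 20 is X509's "unable to get local
# issuer certificate"), and the generic AH02008 line that says nothing by itself.
SAMPLE_LOG='[ssl:info] SSL Library Error: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca (SSL alert number 48)
[Fri Nov 09 13:50:33.388979 2018] [ssl:info] [pid 10:tid 139730239294184] SSL Library Error: error:14035418:SSL routines:ACCEPT_SR_CERT:tlsv1 alert unknown ca (SSL alert number 48)
[ssl:error] [client 172.17.0.1:34864] AH02039: Certificate Verification: Error (20): unable to get local issuer certificate
[ssl:info] [client 172.17.0.1:34864] AH02008: SSL library error 1 in handshake (server 172.17.0.3:9443)'

printf '%s\n' "$SAMPLE_LOG" | while IFS= read -r line; do
    verdict="$(classify_ssl_line "$line")"
    echo "$verdict -> $(explain "$verdict")"
done
```

Both log lines quoted in this thread classify as received alerts, i.e. Apache was told "unknown ca" by the phone rather than saying it, which is consistent with the resolution that follows: the phone did not trust the server's certificate. Pipe a live log through `classify_ssl_line` (for example `grep 'SSL' error_log | while read -r l; do classify_ssl_line "$l"; done`) before touching SSLCACertificateFile.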
Madis Malv said about 2 years ago
Thanks, Catalina.
That was it. The M200 rejected our server certificate, which is issued by DigiCert. After I imported it to the M200, provisioning started to work. But now I have a question. There is an option "Only accept trusted certificates". This is off by default. Why is the M200 then rejecting our server certificate? Can I upload the server certificate through the same provisioning server before it checks it?
Regards
Madis
Catalina Moritz said about 2 years ago
Best Answer
Hi Madis,
I agree that the option "Only accept trusted certificates" seems not to be applied in this case. I opened a bug for this (bugID VTECHDEV-88).
It is possible to automatically provision the certificate. You could have an intermediary configuration file in which you provision the certificate first, using http (not https). The initial provisioning file would look something like this:
file.certificate.trusted.url = http://HTTP_SERVER_IP/cert1.pem  <-- link to the certificate
provisioning.server_address = https://HTTP_SERVER_IP/provisioningFile.cfg  <-- link to the secure https provisioning file
After fetching the certificate automatically, the M200 would change the provisioning link to https://HTTP_SERVER_IP/provisioningFile.cfg
Thanks
Catalina
1 person likes this
Madis Malv said about 2 years ago
Hi Catalina,
Is this problem fixed in Version 2.10.46?
I mean, does changing the 'Only accept trusted certificates' setting now have any real meaning?
Best regards
Madis
Catalina Moritz said almost 2 years ago
Hi Madis,
I don't have any information about the fix yet, but I asked development. I will post here as soon as I get an update.
Thanks
Catalina
Catalina Moritz said almost 2 years ago
Hi Madis,
In version 2.10.46, the certificate check when provisioning is done regardless of the setting 'Only accept trusted certificates' and cannot be disabled.
This is planned to be fixed in the next release in order to enable users to disable the certificate check.
Thanks
Catalina