
snom725 @v10.1.33.33: Custom certificate does not add exception.

We are trying to request an XML directory as described in:


http://wiki.snom.com/XML/Minibrowser/SnomIPPhoneDirectory


We know it works because it runs on our phones @v8.9.3.80 [ActionURL in Function Keys]. After upgrading to v10.1.33.33 it stopped working, BUT we were warned that an "untrusted certificate" is most likely the reason. So, we added an exception as described in:


http://wiki.snom.com/Category:HowTo:TLS#Adding_Unknown_Certificates


BUT: It still doesn't work, although there is no "untrusted certificate" warning any more. Just nothing seems to happen. Having a look into our web server access logs DOES NOT reveal any requests like (example from a phone @v8.9.3.80):


"GET /cpu4you/phonebook/snom_dir.php HTTP/1.1" 200 78167


So, we looked into the snom725's logs - and there we found it - long story short: "certificate verify failed"... Full log below:


--

Feb 11 19:00:09.355 [DEBUG0] UXM: Request backlight for module -1 with value 15

Feb 11 19:00:09.357 [DEBUG0] PHN: ReplaceQueryVariables in >https://172.22.70.1:443/cpu4you/phonebook/snom_dir.php<

Feb 11 19:00:09.357 [DEBUG0] PHN: ReplaceQueryVariables replaced: >https://172.22.70.1:443/cpu4you/phonebook/snom_dir.php<

Feb 11 19:00:09.357 [DEBUG0] PHN: ReplaceFragmentVariables in >https://172.22.70.1:443/cpu4you/phonebook/snom_dir.php<

Feb 11 19:00:09.358 [DEBUG0] PHN: ReplaceFragmentVariables replaced: >https://172.22.70.1:443/cpu4you/phonebook/snom_dir.php<

Feb 11 19:00:09.358 [NOTICE] PHN: Sending post request https://172.22.70.1:443/cpu4you/phonebook/snom_dir.php

Feb 11 19:00:09.358 [NOTICE] PHN: Fetching URL: https://172.22.70.1:443/cpu4you/phonebook/snom_dir.php

Feb 11 19:00:09.369 [INFO ] TLS: TlsSessionOssl::SetRemoteDnsName: hostname=, hostip=172.22.70.1, flags=0

Feb 11 19:00:09.370 [ERROR ] TLS: OSSL error (SSL connect setup): code 336417087, error:140D513F:SSL routines:ssl3_ctrl:ssl3 ext invalid servername

Feb 11 19:00:09.386 [ERROR ] TLS: Error 64 at depth 0: IP address mismatch

Feb 11 19:00:09.386 [ERROR ] TLS: Cert s: /C=AT/ST=Moedling/L=Wiener Neudorf/O=cpu4you.at/CN=172.22.70.1

Feb 11 19:00:09.386 [ERROR ] TLS: Cert i: /C=AT/ST=Moedling/L=Wiener Neudorf/O=cpu4you.at/CN=172.22.70.1

Feb 11 19:00:09.395 [ERROR ] TLS: X509v3 extensions: X509v3 Subject Key Identifier: 86:ED:5B:98:0F:57:C8:C0:A6:27:92:C0:E5:2C:EB:06:9B:DC:37:94 X509v3 Authority Key Identifier: keyid:86:ED:5B:98:0F:57:C8:C0:A6:27:92:C0:E5:2C:EB:06:9B:DC:37:94 X509v3 Basic Constraints: CA:TRUE Signature Algorithm: sha1WithRSAEncryption 27:43:4f:81:6b:8d:5e:c5:ba:94:91:4b:0b:a1:72:47:0e:3c: 70:19:a6:54:cd:43:d9:ec:46:86:cc:f9:8c:44:2d:16:82:8c: f3:56:39:8e:f3:7b:f1:c1:f8:4b:0a:76:55:e6:37:ae:07:a9: ee:c3:ed:fe:a6:a9:d0:ca:0b:7c:2a:e5:8a:05:7b:8c:00:3c: f9:5c:9f:a7:2a:61:e4:33:a5:f5:59:31:34:c4:eb:ba:a9:60: 93:5e:f7:66:27:10:71:d7:4b:8b:3f:39:3f:11:03:2a:05:90: b2:f3:97:9c:f5:38:63:7d:6e:2a:1f:31:dc:c8:52:4a:95:30: 35:7a:3f:c0:bd:75:14:4b:ac:c1:e6:c3:81:59:f6:65:c6:df: 9a:ea:10:f3:16:60:29:98:86:f3:15:65:d1:7b:7f:2a:45:d1: 95:9d:8e:84:34:45:5a:2b:10:99:67:7d:a3:41:73:9e:fb:3b: 8d:d4:12:1f:85:7c:7d:18:8a:87:5d:17:f1:e5:04:c6:e8:94: 91:60:84:d5:89:ae:77:a4:7d:5a:9f:75:13:d7:b4:26:fb:52: 64:7f:0b:83:a3:db:e8:e2:3e:7e:2d:18:9c:76:49:ea:4a:e2: fe:6b:0e:43:ae:00:9b:f2:02:33:03:9b:45:50:2e:0a:95:7e: 32:03:c1:19

Feb 11 19:00:09.396 [ERROR ] TLS: OSSL error (GetDecryptedInput ssl error): code 336134278, error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed

Feb 11 19:00:09.397 [ERROR ] TLS: OSSL error (GetDecryptedInput ssl error): code 336085247, error:140840FF:SSL routines:ssl3_connect:unknown state

Feb 11 19:00:09.397 [ERROR ] PHN: TPL: Socket Error: 398/36/connected, Tls error, closing

Feb 11 19:00:09.398 [NOTICE] WEBCLIENT: on_tcp_close conn_id:13

Feb 11 19:00:09.398 [NOTICE] PHN: Server rejected Action URL request with 525 ><

--


So, what's going wrong here? See screenshot attached as proof we truly added an "exception"...


THX!


Hi Karl,


Unfortunately, we recently found that version 10.1.33.33 has an issue: in this version, the setting http://wiki.snom.com/Settings/check_fqdn_against_server_cert is set to on and cannot be disabled. This means that in this version the phone checks whether the FQDN of the server it is trying to connect to via TLS appears either as CN in the subject field or is listed in the IP/DNS names of the Subject Alternative Names extension of the certificate presented by the server.


In your case, the check fails because IP addresses are not expected to be in the CN (common name). IP addresses must be added in the SAN (Subject Alternative Name). Thus you have two options:


1. (recommended) Recreate your certificate by adding a SAN set to IP: 172.22.70.1 (Note: for IP addresses make sure you use the IP field, not the DNS field)


2. Even though checking the TLS server certificate is actually good for security purposes, we are aware that some customers may have difficulties creating certificates that fulfill this condition, so we plan to change this back as soon as possible. Thus you could wait for a future release that will fix this regression, then disable check_fqdn_against_server_cert and the check should no longer be a problem for you.


Thanks

Catalina


Hej Catalina,


Thanks for the fast reply. I recreated the cert with a SAN included (see chrome-cert-info attached). Unfortunately the snom phone still doesn't like it (have a look at "Subject Alternative Name: DNS:172.22.70.1"):


Feb 15 18:37:38.786 [DEBUG0] UXM: Request backlight for module -1 with value 15

Feb 15 18:37:38.789 [DEBUG0] PHN: ReplaceQueryVariables in >https://172.22.70.1:443/cpu4you/phonebook/snom_dir.php<

Feb 15 18:37:38.789 [DEBUG0] PHN: ReplaceQueryVariables replaced: >https://172.22.70.1:443/cpu4you/phonebook/snom_dir.php<

Feb 15 18:37:38.790 [DEBUG0] PHN: ReplaceFragmentVariables in >https://172.22.70.1:443/cpu4you/phonebook/snom_dir.php<

Feb 15 18:37:38.790 [DEBUG0] PHN: ReplaceFragmentVariables replaced: >https://172.22.70.1:443/cpu4you/phonebook/snom_dir.php<

Feb 15 18:37:38.790 [NOTICE] PHN: Sending post request https://172.22.70.1:443/cpu4you/phonebook/snom_dir.php

Feb 15 18:37:38.790 [NOTICE] PHN: Fetching URL: https://172.22.70.1:443/cpu4you/phonebook/snom_dir.php

Feb 15 18:37:38.801 [INFO ] TLS: TlsSessionOssl::SetRemoteDnsName: hostname=, hostip=172.22.70.1, flags=0

Feb 15 18:37:38.801 [ERROR ] TLS: OSSL error (SSL connect setup): code 336417087, error:140D513F:SSL routines:ssl3_ctrl:ssl3 ext invalid servername

Feb 15 18:37:38.817 [ERROR ] TLS: Error 64 at depth 0: IP address mismatch

Feb 15 18:37:38.817 [ERROR ] TLS: Cert s: /C=AT/ST=Moedling/L=Wiener Neudorf/O=Powered by cpu4you.at/CN=172.22.70.1

Feb 15 18:37:38.817 [ERROR ] TLS: Cert i: /C=AT/ST=Moedling/L=Wiener Neudorf/O=Powered by cpu4you.at/CN=172.22.70.1

Feb 15 18:37:38.826 [ERROR ] TLS: X509v3 extensions: X509v3 Subject Alternative Name: DNS:172.22.70.1 Signature Algorithm: sha256WithRSAEncryption 39:60:79:63:0f:87:4e:28:f1:da:54:c5:82:7d:78:b1:34:5c: 5a:af:99:37:17:b9:a7:45:a6:ab:8a:91:ed:47:a8:1d:7e:d3: d0:9b:c7:ce:64:d1:02:71:06:1a:1c:03:aa:30:95:e4:68:18: 58:39:44:f8:db:93:b8:37:22:1f:0e:50:40:c4:83:c7:a3:79: 11:a6:f4:ec:33:dd:d6:76:db:f0:ba:12:ae:b9:57:2c:ba:4e: 09:46:ce:d7:40:b8:01:08:f4:db:ca:f9:75:a6:78:74:37:2b: 36:09:5d:d7:a8:a3:e6:34:38:2d:8c:59:69:1b:6d:19:a2:15: 9c:5c:25:6a:c9:d8:03:7f:c6:2f:17:f6:a0:bc:1d:38:ac:7d: 73:a6:bb:8a:60:b4:00:1b:37:51:da:db:c0:2a:42:8e:af:e1: 3a:e5:c8:fa:a5:b3:06:f6:83:00:ae:6a:89:0e:85:71:3b:ad: f9:f5:e7:cc:70:9f:3a:77:97:b2:3b:b1:06:12:1d:40:f1:73: 3d:aa:8c:88:dd:2e:b1:01:7c:71:7b:f7:ba:c3:3d:76:3b:45: d5:ba:23:99:1a:d0:3c:11:66:61:c4:54:e0:02:cf:f7:ae:6a: 3e:96:d6:7f:da:63:39:82:18:1c:5b:43:4a:88:2b:68:55:c3: 4b:f8:ea:26

Feb 15 18:37:38.826 [ERROR ] TLS: OSSL error (GetDecryptedInput ssl error): code 336134278, error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed

Feb 15 18:37:38.827 [ERROR ] TLS: OSSL error (GetDecryptedInput ssl error): code 336085247, error:140840FF:SSL routines:ssl3_connect:unknown state

Feb 15 18:37:38.827 [ERROR ] PHN: TPL: Socket Error: 585/37/connected, Tls error, closing

Feb 15 18:37:38.828 [NOTICE] WEBCLIENT: on_tcp_close conn_id:32

Feb 15 18:37:38.829 [NOTICE] PHN: Server rejected Action URL request with 525 ><


THX! :)
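The two failing certificates in this thread (first CN=172.22.70.1 with no SAN, then SAN DNS:172.22.70.1) and the fix Catalina describes (a SAN IP: entry) can be reproduced with the server-identity rules OpenSSL applies, which is what the phone's log reports as "Error 64 at depth 0: IP address mismatch" (OpenSSL's X509_V_ERR_IP_ADDRESS_MISMATCH). The script below is an added example written for this page, not snom firmware code or anything from the thread; the matching rules follow RFC 6125 and OpenSSL's X509_check_host/X509_check_ip behaviour, the SAN lists are constructed from the subject and extension lines in the posted logs, and the hostname cases at the end are assumed examples to show the DNS path for comparison.

```python
"""
Server-identity check of the kind check_fqdn_against_server_cert turns on.
Added example (not snom's code). Rules mirrored from RFC 6125 / OpenSSL:
  - target is a DNS name: match SAN dNSName entries; fall back to the subject CN
    only when the certificate carries no dNSName entries at all
  - target is an IP literal: match SAN iPAddress entries only; the CN and any
    dNSName entries are never consulted, so CN=172.22.70.1 and DNS:172.22.70.1
    both fail with "IP address mismatch"
"""
import ipaddress
from typing import Iterable, Tuple

# SAN entries as (type, value): ("DNS", "pbx.example.net") or ("IP", "172.22.70.1")
SanEntry = Tuple[str, str]


def _dns_match(pattern: str, host: str) -> bool:
    """Case-insensitive dNSName match; one left-most wildcard label allowed (RFC 6125 6.4.3)."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern == host:
        return True
    if not pattern.startswith("*."):
        return False
    p_labels, h_labels = pattern.split("."), host.split(".")
    # the wildcard must stand for exactly one label and must not cover a whole second-level name
    return len(p_labels) == len(h_labels) and len(p_labels) >= 3 and p_labels[1:] == h_labels[1:]


def match_server_identity(target: str, subject_cn: str, san: Iterable[SanEntry]) -> Tuple[bool, str]:
    """Return (ok, reason). target is what the client dialled: a hostname or an IP literal."""
    san = list(san)
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        ip = None

    if ip is not None:
        # X509_check_ip path: only iPAddress SAN entries count (OpenSSL verify error 64)
        for kind, value in san:
            if kind != "IP":
                continue
            try:
                if ipaddress.ip_address(value) == ip:
                    return True, f"matched SAN IP:{value}"
            except ValueError:
                continue
        return False, "IP address mismatch (no SAN IP entry equals the target; CN and DNS entries are ignored)"

    # X509_check_host path
    dns_entries = [value for kind, value in san if kind == "DNS"]
    for value in dns_entries:
        if _dns_match(value, target):
            return True, f"matched SAN DNS:{value}"
    # CN fallback applies only when the certificate has no dNSName entries
    if not dns_entries and _dns_match(subject_cn, target):
        return True, f"matched subject CN={subject_cn}"
    return False, "hostname mismatch"


# Constructed from the thread: the phone dials the IP literal, and the three certificates
# are the two posted (CN only, then SAN DNS) plus the corrected one with a SAN IP entry.
PHONE_TARGET = "172.22.70.1"
CASES = {
    "first cert: CN only":        ("172.22.70.1", []),
    "second cert: SAN DNS entry": ("172.22.70.1", [("DNS", "172.22.70.1")]),
    "fixed cert: SAN IP entry":   ("172.22.70.1", [("IP", "172.22.70.1")]),
}


def run_cases() -> dict:
    """Evaluate every constructed case; returns {case name: bool}."""
    return {name: match_server_identity(PHONE_TARGET, cn, san)[0] for name, (cn, san) in CASES.items()}


if __name__ == "__main__":
    for name, (cn, san) in CASES.items():
        ok, why = match_server_identity(PHONE_TARGET, cn, san)
        print(f"{name:28s} -> {'OK  ' if ok else 'FAIL'} ({why})")
```

Only the third case passes. When issuing the replacement certificate with OpenSSL, the extension line must therefore read `subjectAltName = IP:172.22.70.1` (not `DNS:`), which `openssl x509 -in cert.pem -noout -text` shows as "IP Address:172.22.70.1" under X509v3 Subject Alternative Name. Configuring the phone with the server's FQDN instead of its IP, with a matching `DNS:` entry, is the alternative that avoids IP entries entirely.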
