Problem 


  • Error message in browser says "Secure Connection Failed" when trying to access the Web User Interface of the phone.
  • Registration to Lync or Skyp for Business fails and log message on phone says TLS: Unsupported signature alg 1.2.840.113549.1.1.11



Reason "Secure Connection Failed"



The Snom UC firmware does not support TLS 1.2 which is more than likely the issue you are facing. For example, Microsoft's Windows 10 Fall Creators Update 1709 deprecated support for SHA1. The client certificate on the Snom UC phones only supports TLS 1.0/1.1 and SHA1. I believe the 1709 update requires TLS 1.2 and SHA256 at a minimum and thus customers have run into similar issues when trying to access a UC phone's Web UI via any browser (Windows 10 OS disables the deprecated encryption algorithms).


Customers have been successful using 8.8.3.36 firmware and adding an exception to Firefox (for example) so that it will work with the SHA1 certificate on the phone.


Solution


To work around this issue;


1. Install 8.8.3.36


http://downloads.snom.com/snomuc/unreleased-not-supported/Ext-Pin-Sign/snomPA1-UC-8.8.3.36-SIP-f.bin

http://downloads.snom.com/snomuc/unreleased-not-supported/Ext-Pin-Sign/snomPA1-8.8.3.36.cab


2. Add an exception to your browser (Firefox for example)


Mozilla 58.0.2 (64-bit)


1) Open Firefox and paste about:config in the address bar and press Enter/Return.

2) Accept the warning and proceed to step 3

3) In the search box above the list, type or paste TLS

4) If the security.tls.version.max preference is bolded and "user set" to a value other than 3, right-click > Reset the preference to restore the default value of 3

5) If the security.tls.version.min preference is bolded and "user set" to a value other than 1, right-click > Reset the preference to restore the default value of 1


The values for these preferences mean:


1 => TLS 1.0 2 => TLS 1.1 3 => TLS 1.2





3. If it still is not working, try adding Snom's SHA1 root CA to the trusted 3party Root CA's (in Windows / Firefox) even its a SHA1 root  CA?For your reference: the Snom Root CA public downloads (SHA1 & SHA2): 


http://wiki.snom.com/Category:HowTo:TLS#Snom_Root_CA 



Reason "TLS: Unsupported signature alg 1.2.840.113549.1.1.11"


This issue occurs when updating your Lync or Skyp for Bussiness Server's certificate to a SHA-2 certificate. Doing so will break your Snom/Lync deployment and prevent the Snom UC phones from registering with Lync/Skype for Business.