Polycom Employee & Community Manager

[FAQ] How can I setup a TLS connection for SIP signaling and / or troubleshoot this?


The example below is based on Digium Asterisk 1.8. Polycom cannot provide support for Asterisk.

 

The steps below were tested with a VVX 500 running UCS 4.1.3.

 

Source for certificate creation => here <=

 

NOTE: Please contact your SIP Platform provider or your Polycom reseller for any support queries! Knowledge in Linux and Asterisk is required.

 

Step 1 Creating a server key on the Asterisk server:

 

  • type cd /etc/asterisk and hit enter
  • type mkdir certificates and hit enter (we create a new sub directory)
  • type cd certificates and hit enter
  • type openssl genrsa -out key.pem 1024 and hit enter
  • The key.pem is your server key
  • type openssl req -new -key key.pem -out request.pem and hit enter

    You will now be prompted for several self-explanatory questions.

    IMPORTANT: Common Name - this *NEEDS* to be the FQDN or IP address of your server, because the phone checks the certificate's Common Name against the address it connects to (see Step 5).

We now sign our own certificate by running the following command:

 

  • type openssl x509 -req -days 3650 -in request.pem -signkey key.pem -out certificate.pem and hit enter

    The certificate.pem is your new self-signed certificate; it is valid for 10 years (3650 days)

  • type cp certificate.pem asterisk.something.com.pem and hit enter, then type cat key.pem >> asterisk.something.com.pem and hit enter

    The above creates a single file containing the server key, the certificate and the certificate "chain"; this is the file Asterisk will be pointed at in Step 2.

    Note: asterisk.something.com.pem could also just be IP_Address_Of_Server.pem
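The same Step 1 commands run non-interactively, plus the two checks worth doing before touching sip.conf (the Common Name really is the address the phone will dial, and the combined PEM carries the key that belongs to the certificate). This is an added example and not part of the original post; it assumes the openssl binary is on PATH, uses a 2048-bit key instead of the post's 1024, and the server_addr value is a constructed sample.

```python
import os
import re
import shutil
import subprocess
import tempfile

def openssl_available():
    return shutil.which("openssl") is not None

def _openssl(*args):
    """Run one openssl sub-command and return its stdout."""
    return subprocess.run(["openssl", *args], check=True,
                          capture_output=True, text=True).stdout.strip()

def make_server_cert(workdir, server_addr, days=3650):
    """Step 1 without the interactive prompts; returns the combined PEM path.
    server_addr must be the FQDN or IP the phone dials, i.e. the Common Name
    the phone validates (see the [TLS] lines in the Step 5 logs)."""
    key = os.path.join(workdir, "key.pem")
    csr = os.path.join(workdir, "request.pem")
    crt = os.path.join(workdir, "certificate.pem")
    combined = os.path.join(workdir, server_addr + ".pem")
    # the post uses a 1024-bit key; 2048 is the smallest size still considered sound
    _openssl("genrsa", "-out", key, "2048")
    _openssl("req", "-new", "-key", key, "-out", csr, "-subj", "/CN=" + server_addr)
    _openssl("x509", "-req", "-days", str(days), "-in", csr, "-signkey", key, "-out", crt)
    with open(combined, "w") as out:   # cp certificate.pem X.pem; cat key.pem >> X.pem
        out.write(open(crt).read() + open(key).read())
    return combined

def cert_common_name(pem_path):
    """CN exactly as the phone compares it against Hostname / Outbound Proxy."""
    subject = _openssl("x509", "-in", pem_path, "-noout", "-subject", "-nameopt", "RFC2253")
    m = re.search(r"CN=([^,]+)", subject)
    return m.group(1).strip() if m else ""

def key_matches_cert(pem_path):
    """tlscertfile must carry the private key that belongs to the certificate."""
    return (_openssl("x509", "-in", pem_path, "-noout", "-modulus")
            == _openssl("rsa", "-in", pem_path, "-noout", "-modulus"))

def demo(server_addr="10.252.75.203"):
    """Build a certificate in a temp dir and run both checks; None if no openssl."""
    if not openssl_available():
        return None
    with tempfile.TemporaryDirectory() as d:
        pem = make_server_cert(d, server_addr)
        cn = cert_common_name(pem)
        return {"cn": cn, "cn_matches": cn == server_addr, "key_ok": key_matches_cert(pem)}
```

If cn_matches is False the phone will log the "Common Name ... doesn't match" lines shown in Step 5, so this is the point to catch it.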

Step 2 Changing the Asterisk configuration

 

Example sip.conf (in the [general] section):

 

tlsenable=yes
tlsbindaddr=192.168.0.1
tlscertfile=/etc/asterisk/certificates/asterisk.something.com.pem
tlsdontverifyserver=no
tlscipher=DES-CBC3-SHA
tlsclientmethod=tlsv1

(replace 192.168.0.1 with the actual IP address of your Asterisk box)

In addition, within the context of an individual phone, add the tls transport option:

 

[3090]
host=dynamic
type=friend
username=3090
secret=3090
callerid="Steffen 11" <3090>
progressinband=no
callgroup=2
pickupgroup=2
call-limit=10
mailbox=3090
transport=tls

 

After the above steps, reload Asterisk.

 

Step 3 Importing the certificate to the phone:

 

 

The Platform CA certificate 1 slot has a size restriction of 1536 bytes, whereas Platform CA certificate 2 allows up to 4096 bytes.

 

The size restriction exists for backwards compatibility with legacy software: customers downgrading from 4.x.x keep the Platform 1 certificate, because older software only allowed one custom CA certificate of 1536 bytes.

 

  • We copy the newly created certificate to the www directory on the Asterisk server via:

    cp certificate.pem /var/www/html/polycom

  • We import the certificate.pem to the phone via the Web Interface:

    [screenshot: import PEM certificate.PNG]

    Type the source address of the certificate.pem (the URL the phone can fetch it from, e.g. http://192.168.0.1/polycom/certificate.pem) and click on Install

  • The certificate is now imported:

    [screenshot: import PEM certificate_01.PNG]

  • The certificate is now part of the phone configuration:

    [screenshot: TLS_DeviceSnippet.PNG]

    0209142147|tls  |*|00|Saving new Custom platform CA certificate 1
    0209142147|tls  |*|00|New Certificate Common Name '10.252.75.203' Fingerprint 'E3:E4:08:88:23:05:DE:D1:6A:3D:21:5C:9E:03:D3:60:86:7F:24:0C'
    0209142147|tls  |*|00|No previous certificate stored

  • Change the Port from the default 0 (5060) to 5061

  • Change the Transport from DNSnaptr to TLS

    [screenshot: import PEM certificate_03.PNG]

  • The change is now part of the phone configuration:

    [screenshot: import PEM certificate_04.PNG]

Step 4 Troubleshooting using Wireshark:

 

  • Within Wireshark click on Edit => Preferences => Protocols => SSL => RSA keys list => Edit

    [screenshot: import PEM certificate_05.PNG]

 

  • Add a New Key

    [screenshot: import PEM certificate_06.PNG]

    IP address is the IP of the Server (Asterisk)
    Port is 5061
    Protocol is SIP
    Key file is the key.pem file created above. Decrypting with the server's private key only works for RSA key-exchange cipher suites such as the DES-CBC3-SHA configured in Step 2; ECDHE suites cannot be decrypted this way.

  • Confirm all with Apply and OK

  • Start the Wireshark trace and reboot the phone so the handshake is captured

  • Make a call

  • Wireshark will now display the SIP messages

    [screenshot: import PEM certificate_07.PNG]

  • Right-clicking on a TLS packet and choosing "Follow SSL Stream"

    [screenshot: import PEM certificate_08.PNG]

    will show the SIP messaging

    [screenshot: import PEM certificate_09.PNG]


Step 5 Using Polycom logs to troubleshoot TLS issues

 

  • Set the relevant logging levels:

    [screenshot: SIP_EVENT3.PNG]

  • Check the Logs:

    1206175452|sip  |2|00|MakeTlsConnection: SSL_connect OK : TLS Handshake completed successfully
    1206175452|sip  |3|00|[TLS] Validating Subject Alternative Name(s) (SAN) and Common Name (CN) against the following:
    1206175452|sip  |3|00|[TLS]            Hostname: 10.252.122.122
    1206175452|sip  |3|00|[TLS]      Outbound Proxy: 10.252.122.122
    1206175452|sip  |3|00|[TLS] Hostname connection: NONE
    1206175452|sip  |3|00|[TLS] Attempting to validate certificate Common Name (CN)
    1206175452|sip  |3|00|[TLS] Certificate Common Name matches server host: '10.252.122.122'
    1206175452|sip  |3|00|[TLS] Server Certificate SAN or CN validation success. SSL verify result 0
    1206175452|sip  |1|00|MakeTlsConnection: post_connection_checks passed
    1206175452|sip  |3|00|MakeTlsConnection: connection succeeded

Errors:

 

1724612.165|sip  |4|00|[TLS] Server Certificate Common Name 'name' doesn't match any of the following:
1724612.165|sip  |4|00|[TLS]            Hostname: 10.20.30.40
1724612.165|sip  |4|00|[TLS]      Outbound Proxy: 10.20.30.40
1724612.165|sip  |4|00|[TLS] Hostname connection: NONE
1724612.165|sip  |4|00|[TLS] Server Certificate SAN or CN validation failed
1724612.165|sip  |4|00|MakeTlsConnection: connection failed error 1

In the above, the certificate's Common Name ('name') did not match the hostname the phone connects to (10.20.30.40).
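A small triage routine for the Step 5 log lines, written as an added example (not from the original post): it walks the phone's sip log in order, records whether name validation and the connection succeeded, pulls out the Common Name the server presented and the Hostname / Outbound Proxy values the phone compared it with, and turns that into a one-line verdict. The GOOD and BAD samples are constructed in the page's log format.

```python
import re

# Polycom sip-module log line: timestamp|module|level|thread|message
LINE_RE = re.compile(r"^[\d.]+\|(?P<mod>\w+)\s*\|\d\|\d+\|(?P<msg>.*)$")
CN_RE = re.compile(r"Common Name '(?P<cn>[^']*)' doesn't match")
EXPECTED_RE = re.compile(r"\[TLS\]\s+(?P<what>Hostname|Outbound Proxy):\s*(?P<value>\S+)")

# Constructed sample lines in the page's own format (not real captures).
GOOD = """1206175452|sip  |2|00|MakeTlsConnection: SSL_connect OK : TLS Handshake completed successfully
1206175452|sip  |3|00|[TLS]            Hostname: 10.252.122.122
1206175452|sip  |3|00|[TLS] Server Certificate SAN or CN validation success. SSL verify result 0
1206175452|sip  |3|00|MakeTlsConnection: connection succeeded""".splitlines()
BAD = """1724612.165|sip  |4|00|[TLS] Server Certificate Common Name 'name' doesn't match any of the following:
1724612.165|sip  |4|00|[TLS]            Hostname: 10.20.30.40
1724612.165|sip  |4|00|[TLS]      Outbound Proxy: 10.20.30.40
1724612.165|sip  |4|00|[TLS] Server Certificate SAN or CN validation failed
1724612.165|sip  |4|00|MakeTlsConnection: connection failed error 1""".splitlines()

def triage(lines):
    """Walk the sip log in order; return what the phone decided and which names it compared."""
    v = {"name_check_ok": False, "connected": False, "presented_cn": "",
         "expected": {}}                     # expected: Hostname / Outbound Proxy seen
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m or m["mod"] != "sip":
            continue
        msg = m["msg"]
        if "SAN or CN validation success" in msg:
            v["name_check_ok"] = True
        elif "SAN or CN validation failed" in msg:
            v["name_check_ok"] = False
        elif (cn := CN_RE.search(msg)):
            v["presented_cn"] = cn["cn"]
        elif (ex := EXPECTED_RE.search(msg)):
            v["expected"][ex["what"]] = ex["value"]
        elif "MakeTlsConnection: connection succeeded" in msg:
            v["connected"] = True
        elif "MakeTlsConnection: connection failed" in msg:
            v["connected"] = False
    return v

def diagnosis(v):
    if v["connected"]:
        return "ok"
    if v["presented_cn"] and not v["name_check_ok"]:
        names = ", ".join(f"{k}={val}" for k, val in v["expected"].items())
        return (f"cn-mismatch: certificate CN '{v['presented_cn']}' is none of {names}; "
                "reissue the certificate with CN set to the address the phone dials")
    return "tls-failed: no successful validation logged (check cipher, CA, port 5061)"
```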

 

We can get around this by disabling strict Common Name validation with this parameter:

 

sec.TLS.SIP.strictCertCommonNameValidation="0"

Note that with this setting the phone no longer checks that the certificate was issued for the server it connects to; issuing the certificate with the correct Common Name as described in Step 1 is the cleaner fix.

On newer versions this can also be set via the Web Interface under Settings > Network > TLS:

[screenshot: CommonName.PNG]

 

Changing the default cipher

 

The factory default cipher string is currently:

 

ALL:!aNULL:!eNULL:!DSS:!SEED:!ECDSA:!IDEA:!MEDIUM:!LOW:!EXP:!ADH:!ECDH:!PSK:!MD5:!RC4:@STRENGTH

To change, as an example, the Platform Profile 1:

 

<test device.set="1"
      device.sec.TLS.profile.cipherSuiteDefault1.set="1"
      device.sec.TLS.profile.cipherSuiteDefault1="0"
      device.sec.TLS.profile.cipherSuite1.set="1"
      device.sec.TLS.profile.cipherSuite1="ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384"/>

The above example forces TLS 1.2, because both suites only exist in TLS 1.2. As they are ECDHE-ECDSA suites, the server must also present an ECDSA certificate; the RSA certificate created in Step 1 would not be usable with this profile.
