
[FAQ] How can I setup a TLS connection for SIP signaling and / or troubleshoot this?

Polycom Employee & Community Manager

The example below is based on Digium Asterisk 1.8. Polycom cannot provide support for Asterisk itself.

 

The steps below were tested with a VVX 500 running UCS 4.1.3.

 

Source for certificate creation => here <=

 

NOTE: Please contact your SIP Platform provider or your Polycom reseller for any support queries! Knowledge in Linux and Asterisk is required.

 

Step 1 Creating a Server Key on the Asterisk server:

 

  • type cd /etc/asterisk and hit enter
  • type mkdir certificates and hit enter (we create a new sub directory)
  • type cd certificates and hit enter
  • type openssl genrsa -out key.pem 2048 and hit enter
  • The key.pem is your server's private key. Keep it readable only by the Asterisk user; it must never be copied to the phones or to a web server. (The original post used 1024 bits; RSA keys shorter than 2048 bits are considered too weak today.)
  • type openssl req -new -key key.pem -out request.pem and hit enter

    You will now be prompted for several self-explanatory questions

    IMPORTANT: Common name - This *NEEDS* to be the FQDN or IP address the phones will be configured to connect to. The phone compares it against the configured server address (see the log lines in Step 5), and a mismatch makes the TLS connection fail.

We now sign our own certificate by running the following command:

 

  • type openssl x509 -req -days 3650 -in request.pem -signkey key.pem -out certificate.pem and hit enter

    The certificate.pem is your new self-signed server certificate and is valid for 10 years (3650 days)

  • type 

    cp certificate.pem asterisk.something.com.pem 

    and hit enter

    cat key.pem >> asterisk.something.com.pem

    and hit enter

    The resulting file contains the server certificate followed by the server private key. Asterisk reads both from tlscertfile when no separate tlsprivatekey is configured. Because the certificate is self-signed, there is no intermediate CA and therefore no certificate chain to append.

    Note: asterisk.something.com.pem could also just be IP_Address_Of_Server.pem
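The Step 1 commands as a script, added here as an example (this is not from the original post), with the checks a practitioner wants before pointing tlscertfile at the bundle: a 2048-bit key, a subjectAltName of the right type next to the Common Name, a key/certificate match check on the combined file, and the SHA-1 fingerprint the phone prints to its log when the certificate is imported (Step 3). It assumes openssl is in PATH; the function names, the directory and the example server address are illustrative.

```bash
# Added example, not from the original post. Assumes openssl in PATH.

# make_sip_cert <fqdn-or-ip> <outdir>
# Creates key.pem, request.pem, certificate.pem and <name>.pem (certificate + key) in <outdir>.
make_sip_cert() {
  local name="$1" dir="$2" san
  mkdir -p "$dir"
  # 2048-bit RSA private key; the original post used 1024 bits, which is too weak today.
  openssl genrsa -out "$dir/key.pem" 2048 2>/dev/null || return 1
  # The phone validates SAN as well as CN (see the Step 5 log lines), so put the server
  # address in a subjectAltName of the correct type: IP for addresses, DNS for names.
  case "$name" in
    *[!0-9.]*) san="DNS:$name" ;;
    *)         san="IP:$name" ;;
  esac
  printf 'subjectAltName=%s\nextendedKeyUsage=serverAuth\n' "$san" > "$dir/ext.cnf"
  openssl req -new -key "$dir/key.pem" -subj "/CN=$name" -out "$dir/request.pem" 2>/dev/null || return 1
  # Self-sign for 10 years (3650 days), as in the original post, adding the SAN extension.
  openssl x509 -req -days 3650 -in "$dir/request.pem" -signkey "$dir/key.pem" \
    -extfile "$dir/ext.cnf" -out "$dir/certificate.pem" 2>/dev/null || return 1
  # Bundle for Asterisk tlscertfile: certificate first, then the private key.
  cat "$dir/certificate.pem" "$dir/key.pem" > "$dir/$name.pem"
  # Only certificate.pem may be published to the phones; both files below hold the private key.
  chmod 600 "$dir/key.pem" "$dir/$name.pem"
}

# check_bundle <bundle.pem> <expected-name>
# Verifies that the private key in the bundle matches the certificate and that the
# certificate carries the name the phones will dial. Returns non-zero on any mismatch.
check_bundle() {
  local bundle="$1" name="$2" cert_mod key_mod text
  cert_mod=$(openssl x509 -in "$bundle" -noout -modulus) || return 1
  key_mod=$(openssl rsa -in "$bundle" -noout -modulus 2>/dev/null) || return 1
  if [ "$cert_mod" != "$key_mod" ]; then
    echo "private key does not match certificate in $bundle" >&2
    return 1
  fi
  text=$(openssl x509 -in "$bundle" -noout -text)
  case "$text" in
    *"$name"*) return 0 ;;
    *) echo "certificate does not name $name (phone CN/SAN check would fail)" >&2; return 1 ;;
  esac
}

# cert_fingerprint <cert.pem>
# SHA-1 fingerprint in the colon-separated form the phone logs on import
# ("New Certificate Common Name ... Fingerprint ..."), for cross-checking.
cert_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha1 | sed 's/^.*=//'
}
```

Typical use on the Asterisk box: `make_sip_cert asterisk.something.com /etc/asterisk/certificates && check_bundle /etc/asterisk/certificates/asterisk.something.com.pem asterisk.something.com`, then compare `cert_fingerprint /etc/asterisk/certificates/certificate.pem` with the fingerprint the phone logs in Step 3.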

Step 2 Changing the Asterisk configuration:

 

Example sip.conf

 

tlsenable=yes
; replace with the actual IP address of your Asterisk box; the TLS listener uses port 5061
tlsbindaddr=192.168.0.1
; the file from Step 1 holding the certificate followed by the private key
tlscertfile=/etc/asterisk/certificates/asterisk.something.com.pem
; tlsdontverifyserver and tlsclientmethod only affect TLS connections Asterisk itself initiates
tlsdontverifyserver=no
; 3DES with RSA key exchange: decryptable with the server key in Step 4, but obsolete today;
; prefer an AES suite in production if the phone firmware supports it
tlscipher=DES-CBC3-SHA
tlsclientmethod=tlsv1

 and in addition within the context of an individual phone add the tls option:

 

[3090]
host=dynamic
type=friend
username=3090
secret=3090          ; example only: use a long random secret that differs from the extension
callerid="Steffen 11" <3090>
progressinband=no
callgroup=2
pickupgroup=2
call-limit=10
mailbox=3090
transport=tls        ; only accept this peer over TLS (port 5061)

 

After the above steps, reload the SIP configuration (sip reload on the Asterisk CLI) or restart Asterisk so the TLS listener starts.

 

Step 3 Importing the certificate to the phone:

 

 

The Platform CA certificate 1 slot has a size restriction of 1536 bytes, while the Platform CA certificate 2 slot allows up to 4096 bytes.

 

The size restriction exists for backwards compatibility: software older than 4.x.x allowed only one custom CA certificate of at most 1536 bytes, so customers downgrading from 4.x.x can still retain the Platform 1 certificate.

 

  • We copy the newly created server certificate to the www directory on the Asterisk server via:

    cp certificate.pem /var/www/html/polycom

    Copy only certificate.pem. Never publish key.pem or the combined asterisk.something.com.pem, as both contain the private key.

  • We import the certificate.pem to the phone via the Web Interface:

    [Screenshot: import PEM certificate.PNG]

    Type the source address of the certificate.pem and click on Install

  • The certificate is now imported:

    [Screenshot: import PEM certificate_01.PNG]

  • The certificate is now part of the phone configuration:

    [Screenshot: TLS_DeviceSnippet.PNG]

    0209142147|tls  |*|00|Saving new Custom platform CA certificate 1 
    0209142147|tls  |*|00|New Certificate Common Name '10.252.75.203' Fingerprint 'E3:E4:08:88:23:05:DE:D1:6A:3D:21:5C:9E:03:D3:60:86:7F:24:0C'
    0209142147|tls  |*|00|No previous certificate stored

    The logged fingerprint is the SHA-1 fingerprint of the certificate; compare it with openssl x509 -noout -fingerprint -sha1 -in certificate.pem on the server to confirm the phone received the right file.

  • Change the Port from the default 0 (which means 5060) to 5061

  • Change the Transport from DNSnaptr to TLS

    [Screenshot: import PEM certificate_03.PNG]

  • The change is now part of the phone configuration:

    [Screenshot: import PEM certificate_04.PNG]

Step 4 Troubleshooting using Wireshark:

 

  • Within Wireshark click on Edit => Preferences => Protocols => SSL => RSA keys list => Edit

    [Screenshot: import PEM certificate_05.PNG]

 

  • Add a New Key

    [Screenshot: import PEM certificate_06.PNG]
    IP address is the IP of the Server (Asterisk)
    Port is 5061
    Protocol is SIP
    Key file would be the key.pem file created above

    This only works for cipher suites with RSA key exchange, such as the DES-CBC3-SHA suite configured in Step 2, because Wireshark uses the server private key to recover the pre-master secret. Suites with ephemeral (DHE or ECDHE) key exchange, including the ECDHE suites in the cipher section below, provide forward secrecy and cannot be decrypted with the server key; for those, rely on the phone logs in Step 5.

  • Confirm all by Apply and OK

  • Start the Wireshark trace and reboot the phone so the handshake is captured

  • Make a call

  • Wireshark will now display the SIP messages

    [Screenshot: import PEM certificate_07.PNG]

  • Right-click a TLS packet and choose Follow => SSL Stream

    [Screenshot: import PEM certificate_08.PNG]

    to show the SIP messaging

    [Screenshot: import PEM certificate_09.PNG]


Step 5 Using Polycom logs to troubleshoot TLS issues

 

  • Set the relevant logging levels:

    [Screenshot: SIP_Debug_Overall_Debug_LogSize_1000.png]

    Settings > Logging > Global Settings > Global Log Level Limit > Debug
    Settings > Logging > Global Settings > Global Log Level Limit > Log File Size (Kbytes) > VVX/SPIP/SSIP prior to 5.5.0 = 180
    Settings > Logging > Global Settings > Global Log Level Limit > Log File Size (Kbytes) > Trio 8300 & VVX after 5.5.0 = 1000
    Settings > Logging > Global Settings > Global Log Level Limit > Log File Size (Kbytes) > Trio or CCX = 10240
    Settings > Logging > Module Log Level Limits > SIP > Debug


  • Check the Logs:
    1206175452|sip  |2|00|MakeTlsConnection: SSL_connect OK : TLS Handshake completed successfully
    1206175452|sip  |3|00|[TLS] Validating Subject Alternative Name(s) (SAN) and Common Name (CN) against the following:
    1206175452|sip  |3|00|[TLS]            Hostname: 10.252.122.122
    1206175452|sip  |3|00|[TLS]      Outbound Proxy: 10.252.122.122
    1206175452|sip  |3|00|[TLS] Hostname connection: NONE
    1206175452|sip  |3|00|[TLS] Attempting to validate certificate Common Name (CN)
    1206175452|sip  |3|00|[TLS] Certificate Common Name matches server host: '10.252.122.122'
    1206175452|sip  |3|00|[TLS] Server Certificate SAN or CN validation success. SSL verify result 0
    1206175452|sip  |1|00|MakeTlsConnection: post_connection_checks passed
    1206175452|sip  |3|00|MakeTlsConnection: connection succeeded

Errors:

 

1724612.165|sip  |4|00|[TLS] Server Certificate Common Name 'name' doesn't match any of the following:
1724612.165|sip  |4|00|[TLS]            Hostname: 10.20.30.40
1724612.165|sip  |4|00|[TLS]      Outbound Proxy: 10.20.30.40
1724612.165|sip  |4|00|[TLS] Hostname connection: NONE
1724612.165|sip  |4|00|[TLS] Server Certificate SAN or CN validation failed
1724612.165|sip  |4|00|MakeTlsConnection: connection failed error 1

 

In the above, the Common name did not match the hostname.

 

We can get around this by disabling the name check with the following parameter:

 

sec.TLS.SIP.strictCertCommonNameValidation="0"

This only relaxes the match between the certificate name and the configured server address; it does not remove the need for a trusted certificate. Where possible, fix the certificate instead (re-issue it with a Common Name, or better a Subject Alternative Name, that matches the address the phone dials) rather than weakening validation on every phone.

This can also be set on newer versions via the Web Interface Settings > Network > TLS:

[Screenshot: CommonName.PNG]

 

Changing the default Cipher.

 

The factory default cipher list is currently:

 

ALL:!aNULL:!eNULL:!DSS:!SEED:!ECDSA:!IDEA:!MEDIUM:!LOW:!EXP:!ADH:!ECDH:!PSK:!MD5:!RC4:@STRENGTH

To change, as an example, the Platform Profile 1:

 

<web device.set="1" 
	device.sec.TLS.profile.cipherSuiteDefault1.set="1" 
	device.sec.TLS.profile.cipherSuiteDefault1="0" 
	device.sec.TLS.profile.cipherSuite1.set="1"
	device.sec.TLS.profile.cipherSuite1="ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384"/>

 

 

The two suites above exist only in TLS 1.2 (SHA-384 and AES-GCM suites are not defined for TLS 1.0/1.1), so this list effectively forces TLS 1.2. Note that both are ECDSA suites: the server must present an ECDSA certificate, and against the RSA certificate created in Step 1 the handshake would fail with no shared cipher. For an RSA certificate use the ECDHE-RSA-AES256-SHA384 / ECDHE-RSA-AES256-GCM-SHA384 equivalents. These ECDHE suites also cannot be decrypted with the server key as in Step 4.
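An added example (not from the original post) that reproduces the point above with openssl s_server standing in for Asterisk and openssl s_client for the phone: offering only the two ECDSA suites to a server holding an RSA certificate yields no shared cipher, while the ECDHE-RSA equivalent negotiates over TLS 1.2. The function names, the port and the file paths are illustrative; it assumes openssl is in PATH and that loopback networking is available.

```bash
# Added example, not from the original post. Assumes openssl in PATH and loopback networking.

# start_tls_server <cert.pem> <key.pem> <port>
# Starts a TLS test server in the background (standing in for Asterisk on 5061) and
# waits until it accepts connections. Its PID is kept in TLS_SERVER_PID for stop_tls_server.
start_tls_server() {
  local i=0
  openssl s_server -accept "$3" -cert "$1" -key "$2" -www >/dev/null 2>&1 &
  TLS_SERVER_PID=$!
  while [ "$i" -lt 20 ]; do
    if openssl s_client -connect "127.0.0.1:$3" </dev/null >/dev/null 2>&1; then
      return 0
    fi
    i=$((i + 1))
    sleep 1
  done
  return 1
}

# stop_tls_server: terminates the background server started above.
stop_tls_server() {
  [ -n "${TLS_SERVER_PID:-}" ] && kill "$TLS_SERVER_PID" 2>/dev/null
  TLS_SERVER_PID=""
  return 0
}

# probe_cipher <host> <port> <cipher-list>
# Offers only <cipher-list> over TLS 1.2 (the effect of device.sec.TLS.profile.cipherSuite1)
# and prints the negotiated suite, or NONE with a non-zero status when the server has
# nothing in common with the offered list (e.g. ECDSA-only suites vs. an RSA certificate).
probe_cipher() {
  local out cipher
  out=$(openssl s_client -connect "$1:$2" -tls1_2 -cipher "$3" </dev/null 2>&1) || true
  # s_client reports "New, TLSv1.2, Cipher is <suite>" or "New, (NONE), Cipher is (NONE)"
  cipher=$(printf '%s\n' "$out" | sed -n 's/^New, .*Cipher is //p' | head -n 1)
  case "$cipher" in
    ""|"(NONE)") echo NONE; return 1 ;;
    *) echo "$cipher" ;;
  esac
}
```

Run it against a throwaway RSA certificate (for instance one produced with `openssl req -x509 -newkey rsa:2048 -nodes -keyout key.pem -out cert.pem -subj /CN=127.0.0.1 -days 1`): `start_tls_server cert.pem key.pem 5061`, then `probe_cipher 127.0.0.1 5061 ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384` prints NONE, whereas `probe_cipher 127.0.0.1 5061 ECDHE-RSA-AES256-GCM-SHA384` prints the negotiated suite. The same probe pointed at the real Asterisk host and port 5061 shows what a phone with that cipher list would get.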

 

Decrypting a Wireshark Trace if the Certificate cannot be shared:

 

Usually, if a Customer can provide a trace but cannot share the private key used to decrypt the trace, they can share the session keys instead. The exported session keys decrypt only the sessions contained in that trace, whereas the private key would decrypt every past and future RSA-key-exchange session with that server.

 

Following Step 4 above (the Customer decrypts the trace locally with their own key), simply ask the Customer to go to Wireshark, select File > Export SSL Session Keys, and save the file
[Screenshot: SessionKey.jpeg]

 

Then open the Customer trace and in Wireshark choose Edit > Preferences > Protocols > SSL > (Pre)-Master-Secret log filename, and select the exported Session Keys file

[Screenshot: SessionKey_02.png]
