
[FAQ] How can I setup a TLS connection for SIP signaling and / or troubleshoot this?

Polycom Employee & Community Manager


The example below is based on Digium Asterisk 1.8. Polycom cannot provide support for Asterisk.


The steps below were tested with a VVX 500 running UCS 4.1.3.


Source for certificate creation => here <=


NOTE: Please contact your SIP Platform provider or your Polycom reseller for any support queries! Knowledge in Linux and Asterisk is required.


Step 1 Creating a Server Key on the Asterisk server:


  • type cd /etc/asterisk and hit enter
  • type mkdir certificates (we create a new sub directory)
  • type cd certificates and hit enter
  • type openssl genrsa -out key.pem 1024 and hit enter
  • The key.pem is your server key
  • type openssl req -new -key key.pem -out request.pem and hit enter

    You will now be prompted for several self explanatory questions

    IMPORTANT: Common Name - this *NEEDS* to be the FQDN or IP address of your server

We now sign our own certificate by running the following command:


  • type openssl x509 -req -days 3650 -in request.pem -signkey key.pem -out certificate.pem and hit enter

    The certificate.pem is your new client certificate; it will be valid for 10 years (3650 days)

  • type cp certificate.pem  and hit enter, then type cat key.pem >>  and hit enter

    The above creates a file containing the server key, a certificate, and a certificate "chain" file. That file could also just be named IP_Address_Of_Server.pem
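Step 1 as one non-interactive shell script, added here as an example; it is not part of the original FAQ and not Polycom's or Asterisk's own tooling. It follows the same openssl sequence (genrsa, req, x509 -req, cat) but passes the Common Name with -subj instead of answering prompts, uses a 2048-bit key instead of 1024 (1024-bit RSA is below current minimums), and adds a subjectAltName carrying the same FQDN or IP, because the phone log in Step 5 shows the VVX checking SAN before falling back to CN. The directory /etc/asterisk/certificates and the name sip.example.test are assumptions; the combined file is the one Asterisk's tlscertfile option would point at.

```shell
#!/bin/sh
# Added example, not from the FAQ: non-interactive version of Step 1.
# Builds key, CSR, self-signed certificate and the combined <FQDN>.pem file.
# Deliberate differences from the FAQ: 2048-bit key instead of 1024, and a
# subjectAltName (SAN) holding the same FQDN/IP, since the VVX validates SAN
# first and only then the CN.

make_sip_tls_cert() {
    # $1 = FQDN or IP the phone dials (becomes CN and SAN)
    # $2 = output directory (assumed default: /etc/asterisk/certificates)
    name="$1"
    dir="${2:-/etc/asterisk/certificates}"
    mkdir -p "$dir"
    # The SAN type must match what the phone connects to: DNS name vs IP address
    case "$name" in
        *[!0-9.]*) san="DNS:$name" ;;
        *)         san="IP:$name" ;;
    esac
    # Extension file consumed by "openssl x509 -req -extfile"
    printf 'subjectAltName=%s\nextendedKeyUsage=serverAuth\n' "$san" > "$dir/ext.cnf"
    # Server key (the FAQ uses 1024 here; 2048 is the current minimum)
    openssl genrsa -out "$dir/key.pem" 2048 2>/dev/null
    # CSR with the Common Name set to the server's FQDN/IP, no prompts
    openssl req -new -key "$dir/key.pem" -subj "/CN=$name" -out "$dir/request.pem" 2>/dev/null
    # Self-sign for 10 years, as in the FAQ, adding the SAN extension
    openssl x509 -req -days 3650 -in "$dir/request.pem" -signkey "$dir/key.pem" \
        -extfile "$dir/ext.cnf" -out "$dir/certificate.pem" 2>/dev/null
    # Combined file for Asterisk: certificate followed by the private key
    cat "$dir/certificate.pem" "$dir/key.pem" > "$dir/$name.pem"
    # The private key is in both files; keep them readable by root only
    chmod 600 "$dir/key.pem" "$dir/$name.pem"
    echo "$dir/$name.pem"
}

# Print the Subject (CN) and SAN entries of a certificate: the two fields the
# phone compares against its configured server address in Step 5.
cert_names() {
    openssl x509 -noout -text -in "$1" 2>/dev/null | grep -E 'Subject:|DNS:|IP Address:'
}

# Usage: make_sip_tls_cert sip.example.test && cert_names /etc/asterisk/certificates/certificate.pem
```

Only certificate.pem is copied to the phone in Step 3; the combined file and key.pem stay on the Asterisk server.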

Step 2 Changing the Asterisk configuration:


Example sip.conf


tlsbindaddr= (put your actual ip address of your box here)

In addition, within the context of an individual phone, add the tls option:


callerid="Steffen 11" <3090>


After the above steps, reload Asterisk.


Step 3 Importing the certificate to the phone:



The Platform CA certificate 1 has a size restriction of 1536 bytes, whereas the Platform CA certificate 2 allows up to 4096 bytes.


The size restriction exists for backwards compatibility with legacy software: customers downgrading from 4.x.x will be able to retain the Platform CA certificate 1, because older software only allowed one custom CA certificate of 1536 bytes.


  • We copy the newly created client certificate to the www directory on the Asterisk server via:

    cp certificate.pem /var/www/html/polycom

  • We import the certificate.pem to the phone via the Web Interface:

    import PEM certificate.PNG

    Type the source address of the certificate.pem and click on Install

  • The certificate is now imported:

    import PEM certificate_01.PNG

  • The certificate is now part of the phone configuration:


    0209142147|tls  |*|00|Saving new Custom platform CA certificate 1 
    0209142147|tls  |*|00|New Certificate Common Name '' Fingerprint 'E3:E4:08:88:23:05:DE:D1:6A:3D:21:5C:9E:03:D3:60:86:7F:24:0C'
    0209142147|tls  |*|00|No previous certificate stored
  • Change the Port from standard 0 (5060) to 5061

  • Change the Transport from DNSnaptr to TLS

    import PEM certificate_03.PNG

  • The change is now part of the phone configuration:

    import PEM certificate_04.PNG

Step 4 Troubleshooting using Wireshark:

Decrypting with the server's private key only works for sessions that used RSA key exchange; with (EC)DHE cipher suites the private key does not recover the session keys, and the session-key export described at the end of this FAQ is needed instead.


  • Within Wireshark click on Edit => Preferences => Protocols => SSL => RSA keys list => Edit

    import PEM certificate_05.PNG


  • Add a New Key

    import PEM certificate_06.PNG
    IP address is the IP of the Server (Asterisk)
    Port is 5061
    Protocol is SIP
    Key file would be the key.pem file created above

  • Confirm all by Apply and OK

  • Start the Wireshark trace and reboot the phone so the handshake is captured

  • Make a call

  • Wireshark will now display the SIP messages

    import PEM certificate_07.PNG

  • Right-clicking on a TLS packet allows you to follow the SSL stream

    import PEM certificate_08.PNG

    and show the SIP messaging

    import PEM certificate_09.PNG

Step 5 Using Polycom logs to troubleshoot TLS issues


  • Set the relevant logging levels:


  • Check the Logs:

    1206175452|sip  |2|00|MakeTlsConnection: SSL_connect OK : TLS Handshake completed successfully
    1206175452|sip  |3|00|[TLS] Validating Subject Alternative Name(s) (SAN) and Common Name (CN) against the following:
    1206175452|sip  |3|00|[TLS]            Hostname:
    1206175452|sip  |3|00|[TLS]      Outbound Proxy:
    1206175452|sip  |3|00|[TLS] Hostname connection: NONE
    1206175452|sip  |3|00|[TLS] Attempting to validate certificate Common Name (CN)
    1206175452|sip  |3|00|[TLS] Certificate Common Name matches server host: ''
    1206175452|sip  |3|00|[TLS] Server Certificate SAN or CN validation success. SSL verify result 0
    1206175452|sip  |1|00|MakeTlsConnection: post_connection_checks passed
    1206175452|sip  |3|00|MakeTlsConnection: connection succeeded



1724612.165|sip  |4|00|[TLS] Server Certificate Common Name 'name' doesn't match any of the following:
1724612.165|sip  |4|00|[TLS]            Hostname:
1724612.165|sip  |4|00|[TLS]      Outbound Proxy:
1724612.165|sip  |4|00|[TLS] Hostname connection: NONE
1724612.165|sip  |4|00|[TLS] Server Certificate SAN or CN validation failed
1724612.165|sip  |4|00|MakeTlsConnection: connection failed error 1

In the example above the certificate's Common Name ('name') did not match the hostname the phone was configured with.
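The name check that produced the two logs above can be reproduced on the server before the phone ever connects. The following shell functions are an added example, not code from the FAQ or from Polycom: check_cert_matches_server runs the same SAN-then-CN hostname match against a certificate with the openssl command line (assumes OpenSSL 1.1.0 or newer for -verify_hostname / -verify_ip), and phone_tls_verdict classifies a saved phone log by the [TLS] lines shown above. Fixing the certificate so this check passes is preferable to disabling name validation on the phone, since a phone that skips it accepts any certificate issued by a trusted CA, whichever host it was issued to.

```shell
#!/bin/sh
# Added example, not from the FAQ: reproduce the VVX's SAN/CN check on the
# Asterisk box and triage phone log output. Assumes OpenSSL >= 1.1.0.

# Returns 0 when the certificate's SAN (or, lacking one, its CN) covers the
# address the phone dials, i.e. the "SAN or CN validation success" case in the
# phone log; non-zero for the "validation failed" case.
# $1 = certificate PEM, $2 = FQDN or IP configured on the phone
check_cert_matches_server() {
    cert="$1"
    name="$2"
    # An IP address must be matched against an IP SAN, a name against DNS SAN/CN
    case "$name" in
        *[!0-9.]*) opt=-verify_hostname ;;
        *)         opt=-verify_ip ;;
    esac
    # The self-signed certificate is its own trust anchor, exactly as on the
    # phone after Step 3 imported it as a Platform CA certificate.
    openssl verify -CAfile "$cert" "$opt" "$name" "$cert" >/dev/null 2>&1
}

# Summarise a phone log file ($1) by the [TLS] lines from Step 5.
# Prints one of: ok / name_mismatch / handshake_failed / unknown
phone_tls_verdict() {
    if grep -q 'SAN or CN validation success' "$1"; then
        echo ok
    elif grep -q 'SAN or CN validation failed' "$1"; then
        # checked before the generic failure line, which accompanies it
        echo name_mismatch
    elif grep -q 'MakeTlsConnection: connection failed' "$1"; then
        echo handshake_failed
    else
        echo unknown
    fi
}

# Usage:
#   check_cert_matches_server /etc/asterisk/certificates/certificate.pem sip.example.test && echo match
#   phone_tls_verdict phone.log
```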


This can be worked around with the following parameter:



This can also be set on newer versions via the Web Interface Settings > Network > TLS:



Changing the default Cipher:


The factory default is currently:



To change, as an example, the Platform Profile 1:


<test device.set="1" 

The above, as an example, forces TLS 1.2.


Decrypting a Wireshark Trace if the Certificate cannot be shared:


If a customer can provide a trace but cannot share the certificate needed to decrypt it, they can share the session keys instead.


Following Step 4 above, ask the customer to go to Wireshark, select File > Export SSL Session Keys, and save the file.


Then open the customer's trace and, in Wireshark, go to Edit > Preferences > Protocols > SSL > (Pre)-Master-Secret log filename and select the exported session keys file.

