• ×
    Information
    Windows update impacting certain printer icons and names. Microsoft is working on a solution.
    Click here to learn more
    Information
    Need Windows 11 help?
    Check documents on compatibility, FAQs, upgrade information and available fixes.
    Windows 11 Support Center.
  • post a message
  • ×
    Information
    Windows update impacting certain printer icons and names. Microsoft is working on a solution.
    Click here to learn more
    Information
    Need Windows 11 help?
    Check documents on compatibility, FAQs, upgrade information and available fixes.
    Windows 11 Support Center.
  • post a message
Guidelines
The HP Community is where owners of HP products, like you, volunteer to help each other find solutions.
Locked

‎10-10-2016 05:29 AM

HP Recommended

 

Technical Bulletin TB37148 describes the way Polycom phones are submitted Certificate Signing Requests (CSR) through the web / provisioning server.

 

In step 3, on page 7, it states "A message ‘CSR generation completed’ displays on the phone’s screen. The CSR file (<MAC
Address>.csr) and the private key file (<MAC Address >-private.key) are uploaded to the provisioning server. The public key (the other part of the key pair generated by the phone) is included in the CSR."

 

I tested this workflow and observed that the phone really does try to send the private key to the web server.

 

a) sending the private key out of the phone is a security risk.  It could be sniffed by a man-in-the-middle or a proxy server.  Copies of the key may be accidentally left on the web server, some administrators may not even realize they are there, because no other correctly implemented CSR workflow does anything like this, it is completely unexpected behavior

 

b) it is not necessary to send the private key to the server anyway - all the information needed to create a certificate is actually included in the CSR.  Only the CSR should be sent to the web server.

 

 

3 REPLIES 3

‎10-13-2016 06:58 AM

HP Recommended

 

Is anybody able to comment on this issue?  Is there any workaround or will it be fixed in the next firmware releases?

Was this reply helpful? Yes No

‎10-13-2016 07:15 AM

HP Recommended

Hello pockock ,

this was internally raised via VOIP-121344 and will be added to future software versions.

Please ensure to provide some feedback if this reply has helped you so other users can profit from your experience.

Best Regards

Steffen Baier

Polycom Global Services

------------------------------------------------
Notice: I am an HP Poly employee but all replies within the community are done as a volunteer outside of my day role. This community forum is not an official HP Poly support resource, thus responses from HP Poly employees, partners, and customers alike are best-effort in attempts to share learned knowledge.
If you need immediate and/or official assistance for former Poly\Plantronics\Polycom please open a service ticket through your support channels
For HP products please check HP Support.

Please also ensure you always check the General VoIP , Video Endpoint , UC Platform (Microsoft) , PSTN
Was this reply helpful? Yes No

‎10-13-2016 07:54 AM

HP Recommended

 

As well as fixing this issue, could you ask the developers to automatically fill out the CN field in the CSR form?  It would be really convenient to have the MAC address appear automatically.  As it relates very closely to this issue, it can probably be implemented and tested as part of the same release cycle.

Was this reply helpful? Yes No
† The opinions expressed above are the personal opinions of the authors, not of HP. By using this site, you accept the Terms of Use and Rules of Participation.

Didn't find what you were looking for? Ask the community

† The opinions expressed above are the personal opinions of the authors, not of HP. By using this site, you accept the <a href="https://www8.hp.com/us/en/terms-of-use.html" class="udrlinesmall">Terms of Use</a> and <a href="/t5/custom/page/page-id/hp.rulespage" class="udrlinesmall"> Rules of Participation</a>.