HP Recommended

Hi, we have updated SSL certificates on our prov. server and many phones are not able to connect to it via HTTPS protocol afterwards.

In the phone logs we see lines like:

201154800|curl |3|00| CAfile: /ffs0/ca1.crt
CApath: none
0201154800|curl |3|00|SSLv3, TLS Unknown, Unknown (22):
0201154800|curl |3|00|SSLv3, TLS handshake, Client hello (1):
0201154800|curl |3|00|SSLv2, Unknown (22):
0201154800|curl |3|00|SSLv3, TLS handshake, Server hello (2):
0201154800|curl |3|00|SSLv2, Unknown (22):
0201154800|curl |3|00|SSLv3, TLS handshake, CERT (11):
0201154800|curl |3|00|SSLv2, Unknown (21):
0201154800|curl |3|00|SSLv3, TLS alert, Server hello (2):

0201154800|curl |3|00|SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
0201154800|curl |3|00|Closing connection #0

This happens with several VVX models - VVX 300, 301,  400, 410, 500, 501 running different software versions - 5.5.1, 5.9.5, 6.2.0 and even 6.4.2

 

It looks like those phones don't recognize the cert we have on our provisioning server.

However upgrading the firmware does help in some cases, i.e. on VVX 410 from 5.9.5 to 5.9.8 helped, the phone was able to acknowledge the cert on the server ("CN=Sectigo RSA Domain Validation Secure Server CA. SSL certificate verify ok").

 

We have also tried importing cert (I believe it's from CN=ISRG Root X1) 

as suggested in this post https://h30434.www3.hp.com/t5/Desk-and-IP-Conference-Phones/Provisioning-fails-with-letsencript-cert...  but we were getting the same SSL issue

 

I'm wondering whether newer FW versions could have better support for SSL certificates, and what certificate could we import on the phones to resolve it without firmware upgrade?

 

Thank you

 

 

HP Recommended

hi, just following up on this topic.

I've tried importing the same cert we have on our provisioning server and we are getting the same error (even though Poly and server should have the same cert).

 

Seems like most recent firmware versions don't have this issue, but I'm wondering why importing cert is not allowing the phone  to communicate with the server and getting the same "SSL_connect error Peer certificate cannot be authenticated with known CA certificates."?

 

Thank you!

HP Recommended

Hello @Voiponaught2024 ,

 

welcome to the HP Poly community.

 

You do mention you import a certificate but you do not state if you selected this to be used rather than the built-in certificates that come with the firmware version. The easiest way to verify this would be via a Wireshark trace so you can "see" what Cert is being used in the communication.

 

In the past, I created a FAQ for FTPS >here< which shows the error you describe. I did a similar post >here< for HTTPS

 

Via the Web Interface Settings > Network > TLS > SSL Certificates would list the built-in certificates and their validity.

 

Best Regards

 

Steffen Baier

------------------------------------------------
Notice: I am an HP Poly employee but all replies within the community are done as a volunteer outside of my day role. This community forum is not an official HP Poly support resource, thus responses from HP Poly employees, partners, and customers alike are best-effort in attempts to share learned knowledge.
If you need immediate and/or official assistance for former Poly\Plantronics\Polycom please open a service ticket through your support channels
For HP products please check HP Support.

Please also ensure you always check the General VoIP , Video Endpoint , UC Platform (Microsoft) , PSTN
HP Recommended

Hi, Steffen!

 

Thank you for the response.

 

I've actually found a thread that was describing similar issue - https://h30434.www3.hp.com/t5/Desk-and-IP-Conference-Phones/ucs-4-0-15-1009-AAA-Certificate-Services...

 

The cert we've put on our server was also signed by  Sectigo RSA Domain Validation Secure Server CA > USERTrust RSA Certification Authority > AAA Certificate Services.

 

Earlier I've tried importing Sectigo and USERTrust certificates and those didn't work, but then I imported the root "AAA Certificate services" (Comodo) and the same phones started HTTPS communication:

 

curl |3|00|SSLv3, TLS handshake, Client hello (1):
curl |3|00|SSLv2, Unknown (22):
curl |3|00|SSLv3, TLS handshake, Server hello (2):
curl |3|00|SSLv2, Unknown (22):
curl |3|00|SSLv3, TLS handshake, CERT (11):
curl |3|00|SSLv2, Unknown (22):
curl |3|00|SSLv3, TLS handshake, Server key exchange (12):
curl |3|00|SSLv2, Unknown (22):
curl |3|00|SSLv3, TLS handshake, Request CERT (13):
curl |3|00|SSLv3, TLS handshake, Server finished (14):
curl |3|00|SSLv2, Unknown (22):
curl |3|00|SSLv3, TLS handshake, CERT (11):
curl |3|00|SSLv2, Unknown (22):
curl |3|00|SSLv3, TLS handshake, Client key exchange (16):
curl |3|00|SSLv2, Unknown (22):
curl |3|00|SSLv3, TLS handshake, CERT verify (15):
curl |3|00|SSLv2, Unknown (20):
curl |3|00|SSLv3, TLS change cipher, Client hello (1):
curl |3|00|SSLv2, Unknown (22):
curl |3|00|SSLv3, TLS handshake, Finished (20):
curl |3|00|SSLv2, Unknown (22):
curl |3|00|SSLv3, TLS handshake, Unknown (4):
curl |3|00|SSLv2, Unknown (20):
curl |3|00|SSLv3, TLS change cipher, Client hello (1):
curl |3|00|SSLv2, Unknown (22):
curl |3|00|SSLv3, TLS handshake, Finished (20):
curl |3|00|SSL connection using ECDHE-RSA-AES128-GCM-SHA256
curl |3|00|Server certificate:
curl |3|00| subject: CN=...


curl |3|00| subjectAltName: ...  matched
curl |3|00| issuer: C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo RSA Domain Validation Secure Server CA
0206214239|curl |3|00| SSL certificate verify ok. 

 

Note: I wish TLS logging set at the debug level would hint that the issue was the root certificate. Unfortunately remote pcap doesn't work on OS we use, and only some newer OBi-edition firmware  versions allow to run it on the phone.

 

I suspect that this root Comodo's certificate is not present at firmware versions prior to 5.9.5.

As your post mentions, since UC software version 5.9.0 we can check built-in certificates (but we can't see those in older FW versions like 5.8.x that we had troubles with).

 

One of your posts suggested that  firmware 4.1.0 does have "AAA Certificate Services" by COMODO, however this firmware is for Skype for Business and most of 5.x versions (until 5.9.6 or 5.9.7) don't have it.  Version 4.0.5 must have had it too.

 

I've checked several admin guides for VVX phones I've got (for versions 5.4, 5.5, 5.8, 5.9 and 6.x), most don't list built-in certificates. Some admin guides have a section "Trusted Certificate Authority List" which just  mentions "to find the list of supported CAs for your UC Software version, see Certificate Updates for Polycom UC Software – Technical Update for your UC Software version at Voice Support", but since documentation has moved to HP website - I'm no longer able to find much for VVX line of phones (except 150/250/350/450).

 

So my question is whether there is  an easy way to  find a list of built-in certificates for firmware prior to 5.9.0?

And why this Comodo's root certificate was present in earlier 4.x version, then was gone, and then was added around 5.9.7 version?

 

What's the best signing root cert to use going forward (as you know, they expire each year) to avoid that current firmware version would be able to trust it?
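The behaviour reported in the post above (importing intermediates fails, importing the self-signed root works) can be reproduced offline with the `openssl` CLI. This is an added example, not part of the original post and not Poly code; the chain, subject names and file names are constructed, and it assumes the phone's OpenSSL-based validator behaves like `openssl verify` without `-partial_chain`.

```shell
#!/bin/sh
# Build a constructed chain: root -> intermediate -> leaf (all names are made up).
build_chain() {
  d=$1
  cat > "$d/cfg" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = unused
[ca]
basicConstraints = critical,CA:TRUE
EOF
  # Self-signed root: stands in for the root the relying party must trust.
  openssl req -config "$d/cfg" -x509 -newkey rsa:2048 -nodes -days 2 \
    -subj "/CN=Constructed Root CA" -extensions ca \
    -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null || return 1
  # Intermediate CA, signed by the root.
  openssl req -config "$d/cfg" -newkey rsa:2048 -nodes \
    -subj "/CN=Constructed Intermediate CA" \
    -keyout "$d/inter.key" -out "$d/inter.csr" 2>/dev/null || return 1
  openssl x509 -req -in "$d/inter.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -CAcreateserial -extfile "$d/cfg" -extensions ca -days 2 \
    -out "$d/inter.pem" 2>/dev/null || return 1
  # Server (leaf) certificate, signed by the intermediate.
  openssl req -config "$d/cfg" -newkey rsa:2048 -nodes \
    -subj "/CN=prov.example.test" \
    -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null || return 1
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/inter.pem" -CAkey "$d/inter.key" \
    -CAcreateserial -days 2 -out "$d/leaf.pem" 2>/dev/null || return 1
}

# verify_with_anchor DIR ANCHOR: succeed only if the leaf validates when ANCHOR
# is the sole trusted certificate. The intermediate is passed as -untrusted,
# the way a server sends it during the handshake.
verify_with_anchor() {
  openssl verify -CAfile "$2" -untrusted "$1/inter.pem" "$1/leaf.pem" 2>/dev/null \
    | grep -q ': OK$'
}

demo=$(mktemp -d)
build_chain "$demo"
for anchor in inter root; do
  if verify_with_anchor "$demo" "$demo/$anchor.pem"; then
    echo "trusted=$anchor.pem: certificate verify ok"
  else
    echo "trusted=$anchor.pem: certificate verify failed"
  fi
done
```

To find which root a real server chain ends in, compare the issuer of the last certificate the server sends against the phone's trusted list.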

 

HP Recommended

Hi, just following up where I could find a full list of root certificates that are included into UC software of the following versions:

5.9.5

5.8.0

5.5.1

 

Unfortunately related Admin Guides I have obtained in the past from Poly website don't have that information.

Alternatively is there a common root certificate that is contained in all 5.x versions so it would be easier for us to look for the appropriate certificate for our prov. server?

 

Thank you!

HP Recommended

Hello @Voiponaught2024 ,

 

welcome back to the HP Poly community.

 

Our VoIP FAQ contains this FAQ post:

 

Jan 27, 2015 Question: How can I verify the certificate validity period used with the Poly VVX / CCX / Trio Phone software?

Resolution: Please check this post => here <=

 

The above no longer links to a valid document as due to the change from Polycom\Poly to now HP this platform has retired.

 

Using the Web Interface, using a phone that supports this, simply browse to Settings > Network > TLS > SSL Certificates

SteffenBaierUK_0-1708676142811.png

The above lists all the built-in certificates and their validity etc.

 

If no other volunteer replies I suggest you contact our Support organization in your region. Details are in my Signature.

 

Best Regards

 

Steffen Baier

HP Recommended

Hi Steffen!

Thank you for the prompt response.

 

Suggested option to check existing certificates is only available since 5.9.0 , it's mentioned in the article you've kindly mentioned earlier:  https://h30434.www3.hp.com/t5/Desk-and-IP-Conference-Phones/FAQ-How-can-I-setup-my-Phone-Provisionin...

 

We have VVX phones running older FW versions 5.8.0, 5.5.1, 5.4.1 where we can't check this via phones' Web UI unfortunately, that is why I'm looking for documentation.

 

You've also mentioned "due to the change from Polycom\Poly to now HP this platform has retired." - does it mean VVX line (with the exception of VVX x50s) won't have any documentation going forward? There are millions of those phones in the field and I suppose many service providers would be interested to have access to information about those phones.

 

Thank you for the tip, I'm trying to contact your support team

HP Recommended

Hello @Voiponaught2024 ,

 

First of all, just to clarify, I do work for HP Poly but my day role is in support and not in documentation or working the community. All of this is in my spare time outside any involvement of my employer.

 

I am just a volunteer in this community and I am an enthusiast and therefore created most of the FAQ posts. At some point, we tried to add this data into an internal Poly knowledge base to have central information. This has now been retired so this is gone for now. 

 

I am trying to get this back somehow but for now the links are dead. None of my answers, replies or FAQ articles are official and therefore the HP Support Page should be consulted for official guides.

 

To answer your actual question, Poly used to host with major software versions a spare document labeled Certificate Updates for Polycom® UC Software. A Google search may find >these<. With the move to HP some of this information is not yet populated or may never be reinstated.

 

I have therefore attached the ones I had locally stored so if anyone else finds this post and is looking for them they can find them. I also add the ones that could be found via Google so they are not lost. I do not have the official 5.5.1 or 5.8.0 but made copies of the certs in the software so I also attached PDFs for these.

 

For any follow up questions, if no other volunteer replies, or official information on Poly support I suggest you contact our Support organization in your region. Details are in my Signature.

 

Best Regards

 

Steffen Baier

HP Recommended

Thank you, Steffen!

That's very helpful!!!
