
The example below is based on Digium Asterisk 1.8. Polycom cannot provide support on Asterisk.

 

The steps below were tested with a VVX500 running UCS 4.1.3.

 

Source for certificate creation => here <=

 

NOTE: Please contact your SIP Platform provider or your Polycom reseller for any support queries! Knowledge in Linux and Asterisk is required.

 

Step 1: Creating a server key on the Asterisk server

 

  • type cd /etc/asterisk and hit enter
  • type mkdir certificates and hit enter (this creates a new sub-directory)
  • type cd certificates and hit enter
  • type openssl genrsa -out key.pem 1024 and hit enter
  • The key.pem is your server key
  • type openssl req -new -key key.pem -out request.pem and hit enter

    You will now be prompted for several self-explanatory questions.

    IMPORTANT: Common name - this *NEEDS* to be the FQDN or IP address of your server

We now sign our own certificate by running the following command:

 

  • type openssl x509 -req -days 3650 -in request.pem -signkey key.pem -out certificate.pem and hit enter

    The certificate.pem is your new self-signed server certificate, valid for 10 years (3650 days)

  • type cp certificate.pem asterisk.something.com.pem and hit enter

  • type cat key.pem >> asterisk.something.com.pem and hit enter

    The two commands above create a single file containing the certificate and the server key; this is the certificate "chain" file that Asterisk reads.

    NOTE: asterisk.something.com.pem could also be named after the server's IP address, e.g. IP_Address_Of_Server.pem
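Step 1 as a repeatable script, added here as an example that is not part of the original post: it runs the same OpenSSL commands non-interactively (the Common Name is passed with -subj so it cannot be mistyped at the prompt), writes the combined certificate-plus-key file in the same order as the cp and cat commands above, and then reads the CN back out of the issued certificate to confirm it equals the server name the phones will validate against. Assumptions: openssl is on PATH; the key is 2048 bits here rather than the 1024 used above (a local choice); the server name asterisk.example.net and the output directory are placeholders.

```python
"""Step 1 of the post as a script: key, CSR, self-signed certificate and the
combined certificate-plus-key file that Asterisk's tlscertfile points to.

Added example, not from the original post. Assumes openssl is on PATH; uses a
2048-bit key (the post uses 1024); server name and directory are placeholders.
"""
import shutil
import subprocess
import tempfile
from pathlib import Path
from typing import List, Optional


def pem_blocks(text: str) -> List[str]:
    """Labels of the PEM blocks in `text`, in file order, e.g. ['CERTIFICATE', 'PRIVATE KEY']."""
    return [ln[len("-----BEGIN "):-len("-----")]
            for ln in text.splitlines()
            if ln.startswith("-----BEGIN ") and ln.endswith("-----")]


def build_server_pem(server_name: str, outdir: Path, days: int = 3650, bits: int = 2048) -> Optional[dict]:
    """Create key.pem, request.pem, certificate.pem and <server_name>.pem in outdir.

    Returns a summary of what was produced, or None if openssl is not installed.
    """
    if shutil.which("openssl") is None:
        return None
    outdir.mkdir(parents=True, exist_ok=True)
    key, csr, cert = outdir / "key.pem", outdir / "request.pem", outdir / "certificate.pem"
    combined = outdir / f"{server_name}.pem"

    def openssl(*args: str) -> str:
        return subprocess.run(["openssl", *args], check=True, capture_output=True, text=True).stdout

    openssl("genrsa", "-out", str(key), str(bits))  # the server key
    # -subj answers the CSR prompts non-interactively; the CN must be the
    # server's FQDN or IP because that is what the phone compares against.
    openssl("req", "-new", "-key", str(key), "-out", str(csr), "-subj", f"/CN={server_name}")
    # Self-sign with the server key for `days` days.
    openssl("x509", "-req", "-days", str(days), "-in", str(csr), "-signkey", str(key), "-out", str(cert))
    # Same order as `cp certificate.pem X.pem; cat key.pem >> X.pem`: certificate, then key.
    combined.write_text(cert.read_text() + key.read_text())

    # Read the CN back from the issued certificate and compare it with the intended name.
    subject = openssl("x509", "-in", str(cert), "-noout", "-subject", "-nameopt", "RFC2253").strip()
    cn = subject.split("CN=", 1)[1] if "CN=" in subject else ""
    return {"combined": str(combined), "cn": cn, "cn_matches": cn == server_name,
            "blocks": pem_blocks(combined.read_text())}


def demo(server_name: str = "asterisk.example.net") -> Optional[dict]:
    """Run the whole procedure in a scratch directory (files are discarded afterwards)."""
    with tempfile.TemporaryDirectory() as tmp:
        return build_server_pem(server_name, Path(tmp))


if __name__ == "__main__":
    print(demo() or "openssl not found on PATH")
```

For real use, call build_server_pem with the Asterisk server's FQDN or IP and /etc/asterisk/certificates as the directory; the returned "cn_matches" flag is the check that saves a round of the Common Name mismatch error shown in Step 5.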

Step 2: Changing the Asterisk configuration

 

Example sip.conf

 

tlsenable=yes
tlsbindaddr=192.168.0.1            ; put the actual IP address of your Asterisk server here
tlscertfile=/etc/asterisk/certificates/asterisk.something.com.pem
tlsdontverifyserver=no
tlscipher=DES-CBC3-SHA
tlsclientmethod=tlsv1

In addition, add the TLS transport option within the context of each individual phone:

 

[3090]
host=dynamic
type=friend
username=3090
secret=3090
callerid="Steffen 11" <3090>
progressinband=no
callgroup=2
pickupgroup=2
call-limit=10
mailbox=3090
transport=tls

 

After the above steps, reload Asterisk.

 

Step 3: Importing the certificate to the phone

 

 

Platform CA certificate 1 has a size limit of 1536 bytes, while Platform CA certificate 2 allows up to 4096 bytes.

 

The size limit exists for backwards compatibility with legacy software: customers downgrading from 4.x.x keep the Platform 1 certificate, because older software allowed only one custom CA certificate of up to 1536 bytes.

 

  • We copy the newly created certificate to the web server directory on the Asterisk server via:

    cp certificate.pem /var/www/html/polycom

  • We import the certificate.pem to the phone via the Web Interface:

    image

    Type the source address of the certificate.pem and click on Install

  • The certificate is now imported:

    image


  • The certificate is now part of the phone configuration:

    image

    0209142147|tls  |*|00|Saving new Custom platform CA certificate 1 
    0209142147|tls  |*|00|New Certificate Common Name '10.252.75.203' Fingerprint 'E3:E4:08:88:23:05:DE:D1:6A:3D:21:5C:9E:03:D3:60:86:7F:24:0C'
    0209142147|tls  |*|00|No previous certificate stored


    NOTE: If the certificate cannot be hosted on a web server, it can instead be imported via the Web Interface using Utilities > Import & Export Configuration > Import Configuration

    Example:

    <web device.set="1" 
    	device.sec.TLS.customCaCert2.set="1"
    	device.sec.TLS.customCaCert2="-----BEGIN CERTIFICATE-----
    MIIDmzCCAoOgAwIBAgIQb8NsaDS544FB4ejodIhkADANBgkqhkiG9w0BAQUFADBU
    MRMwEQYKCZImiZPyLGQBGRYDbGFiMRowGAYKCZImiZPyLGQBGRYKc2JhaWVyaG9t
    ZTEhMB8GA1UEAxMYc2JhaWVyaG9tZS1MWU5DTEFCMURDLUNBMB4XDTE1MDIyNTE2
    NTIzNVoXDTIwMDIyNTE3MDIzM1owVDETMBEGCgmSJomT8ixkARkWA2xhYjEaMBgG
    CgmSJomT8ixkARkWCnNiYWl1234512UxITAfBgNVBAMTGHNiYWllcmhvbWUtTFlO
    Q0xBQjFEQy1DQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANnOj3I9
    EZk6zEk+Kvh3oENoDkm8dmqzAWFeRAH5+lOA32oLBLpAL0KcyKqy74JvVACMB6O+
    TFZsKJD2E7juypmH+/PESsiA/tT/sHwHTm9LDTLXE5M3U+tk1V2NK2Vh6/qcOobT
    Rw9ahy0eNAKF6gbYJhUWtFHzD+D6W9cqKNm+8TEAq0AjrM5d6hAfemPp2ujNX2i/
    MbmNzdaClaLVdEchmo73w9mbcgPdpP3pniuVtjAHsVGsn/LvaJkKHhaQyy1n1gRe
    Hx5m5k9cSgVhS2ErgIM/zeeywBtO/jVRPRKM5e2ankHkVBAl5qwZUZS9KPYY1eF7
    gjarZLhDsUGk4vECAwEAAaNpMGcwEwYJKwYBBAGCNxQCBAYeBABDAEEwDgYDVR0P
    AQH/BAQDAgGGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFDSuIDNZzxycYm2D
    TdvGoODxAyBMMBAGCSsGAQQBgjcVAQQDAgEAMA0GCSqGSIb3DQEBBQUAA4IBAQA9
    RBMvY+ACZtYTS5pJiQdJkXAtyCJxMwEWotbKReU/NTtL7vkLcHUxD2s0FE65RV81
    QKknt5nalJnIAlYfNx6QBIBrPRsrVFNj6jdBCE7rGHKmnEcrS7xaF16zdgEoa7Gi
    rrn4gqCFKQwzefra+STCuHlJGwqs+HgYvdGOQE+EPvf/w7GARlpoSF+4KiaHStPu
    xOC/c995glbvGfPD2irv5La352cmpzCc7yYHRRweuW/tQ7Dgrv+qvjAKnwDz5sBh
    2R0IpNqZxnPi/mm06iBYGKEyaYa72ATwGhtGy56jceAvZqw9515kxVes2Pb32hKN
    WHOVLRfPFLfFu5ansXpP
    -----END CERTIFICATE-----" />
  • Change the Port from standard 0 (5060) to 5061

  • Change the Transport from DNSnaptr to TLS

    image

  • The change is now part of the phone configuration:

    image
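To build the import snippet without pasting the PEM text into the attribute by hand, here is an added example (not from the original post and not Polycom code) that generates the same <web .../> line as the example above for either CA slot and enforces the size limits stated earlier in this post (1536 bytes for Platform CA certificate 1, 4096 bytes for certificate 2). It also refuses the combined certificate-plus-key file from Step 1, since only the certificate belongs in the phone's CA slot. The slot-1 parameter name device.sec.TLS.customCaCert1 is assumed by analogy with customCaCert2, the limit is applied to the PEM text as written into the attribute (an assumption about what the phone counts), and the sample certificate text is constructed, not a real certificate.

```python
"""Build the <web .../> line that installs a CA certificate into a Polycom phone.

Added example, not from the original post. Attribute names follow the post's example
(device.set, device.sec.TLS.customCaCert2.set, device.sec.TLS.customCaCert2); the
slot-1 name device.sec.TLS.customCaCert1 is assumed by analogy. Size limits are the
ones stated in the post (1536 bytes for slot 1, 4096 for slot 2) and are applied to
the PEM text as written into the attribute (an assumption about what the phone counts).
"""
from xml.sax.saxutils import escape

SLOT_LIMITS = {1: 1536, 2: 4096}   # bytes, from the post

# Constructed placeholder, not a real certificate.
SAMPLE_CERT = """-----BEGIN CERTIFICATE-----
MIIBexampleONLYnotARealCertificateBodyAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
-----END CERTIFICATE-----
"""


def normalize_pem_cert(pem: str) -> str:
    """Return exactly one CERTIFICATE block with surrounding whitespace removed.

    Rejects anything else, in particular the combined cert+key file from Step 1:
    only the certificate belongs in the phone's CA slot, never the server key.
    """
    lines = [ln.strip() for ln in pem.strip().splitlines() if ln.strip()]
    if len(lines) < 3 or lines[0] != "-----BEGIN CERTIFICATE-----" or lines[-1] != "-----END CERTIFICATE-----":
        raise ValueError("expected a single PEM CERTIFICATE block")
    if any(ln.startswith("-----") for ln in lines[1:-1]):
        raise ValueError("more than one PEM block found; import only the CA certificate")
    return "\n".join(lines)


def ca_cert_config(pem: str, slot: int = 2) -> str:
    """Return the configuration line for Utilities > Import & Export Configuration."""
    if slot not in SLOT_LIMITS:
        raise ValueError("slot must be 1 or 2")
    cert = normalize_pem_cert(pem)
    size = len(cert.encode("ascii"))
    if size > SLOT_LIMITS[slot]:
        raise ValueError(f"certificate is {size} bytes, over the {SLOT_LIMITS[slot]}-byte "
                         f"limit of Platform CA certificate {slot}")
    param = f"device.sec.TLS.customCaCert{slot}"
    # escape() guards the attribute against &, <, > and quotes; base64 never
    # contains them, but the normalised block is what we trust, not the raw input.
    value = escape(cert, {'"': "&quot;"})
    return f'<web device.set="1" {param}.set="1" {param}="{value}" />'


if __name__ == "__main__":
    print(ca_cert_config(SAMPLE_CERT, slot=2))
```

Feed it the certificate.pem from Step 1 (not the asterisk.something.com.pem bundle) and save the printed line as the file you import; a certificate that is too large for slot 1 raises a ValueError with the measured size instead of silently failing on the phone.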

 

Step 4: Troubleshooting using Wireshark

 

  • Within Wireshark click on Edit => Preferences => Protocols => SSL => RSA keys list => Edit

    image

 

  • Add a new key:

    image
    IP address is the IP of the Server (Asterisk)
    Port is 5061
    Protocol is SIP
    Key file would be the key.pem file created above

  • Confirm with Apply and OK

  • Start the Wireshark trace and reboot the phone so the handshake is captured

  • Make a call

  • Wireshark will now display the SIP messages

    image

  • Right-clicking on a TLS packet allows following the SSL stream

    image

    which shows the SIP messaging:

    image


Step 5: Using Polycom logs to troubleshoot TLS issues

 

  • Set the relevant logging levels:

    image

    Settings > Logging > Global Settings > Global Log Level Limit > Debug
    Settings > Logging > Global Settings > Global Log Level Limit > Log File Size (Kbytes) > VVX/SPIP/SSIP prior to 5.5.0 = 180
    Settings > Logging > Global Settings > Global Log Level Limit > Log File Size (Kbytes) > Trio 8300 & VVX after 5.5.0 = 1000
    Settings > Logging > Global Settings > Global Log Level Limit > Log File Size (Kbytes) > Trio or CCX 10240
    Settings > Logging > Module Log Level Limits > SIP > Debug
    Settings > Logging > Module Log Level Limits > TLS > Debug

  • Check the Logs:
    1206175452|sip  |2|00|MakeTlsConnection: SSL_connect OK : TLS Handshake completed successfully
    1206175452|sip  |3|00|[TLS] Validating Subject Alternative Name(s) (SAN) and Common Name (CN) against the following:
    1206175452|sip  |3|00|[TLS]            Hostname: 10.252.122.122
    1206175452|sip  |3|00|[TLS]      Outbound Proxy: 10.252.122.122
    1206175452|sip  |3|00|[TLS] Hostname connection: NONE
    1206175452|sip  |3|00|[TLS] Attempting to validate certificate Common Name (CN)
    1206175452|sip  |3|00|[TLS] Certificate Common Name matches server host: '10.252.122.122'
    1206175452|sip  |3|00|[TLS] Server Certificate SAN or CN validation success. SSL verify result 0
    1206175452|sip  |1|00|MakeTlsConnection: post_connection_checks passed
    1206175452|sip  |3|00|MakeTlsConnection: connection succeeded

Errors:

 

 

 

1724612.165|sip  |4|00|[TLS] Server Certificate Common Name 'name' doesn't match any of the following:
1724612.165|sip  |4|00|[TLS]            Hostname: 10.20.30.40
1724612.165|sip  |4|00|[TLS]      Outbound Proxy: 10.20.30.40
1724612.165|sip  |4|00|[TLS] Hostname connection: NONE
1724612.165|sip  |4|00|[TLS] Server Certificate SAN or CN validation failed
1724612.165|sip  |4|00|MakeTlsConnection: connection failed error 1

 

 

 

In the above, the Common name did not match the hostname.
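To triage these lines automatically, here is an added example (not part of the original post) that parses the phone's timestamp|module|level|id|message log format, pulls out the names the phone compared the certificate against (Hostname, Outbound Proxy), the certificate's Common Name and the final outcome, and returns a one-line diagnosis. The two embedded logs are copies of the success and failure excerpts shown above; the function and field names are my own.

```python
"""Triage Polycom VVX TLS log lines (format: timestamp|module|level|id|message).

Added example, not from the original post. SUCCESS_LOG and FAILED_LOG are the
excerpts from the post; the summariser and its field names are mine.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, Optional

LOG_LINE = re.compile(r"^(?P<ts>[^|]*)\|(?P<mod>[^|]*)\|(?P<lvl>[^|]*)\|(?P<id>[^|]*)\|(?P<msg>.*)$")
EXPECTED_NAME = re.compile(r"\[TLS\]\s+(Hostname connection|Hostname|Outbound Proxy):\s+(\S+)")
CN_MATCH = re.compile(r"Certificate Common Name matches server host: '([^']*)'")
CN_MISMATCH = re.compile(r"Server Certificate Common Name '([^']*)' doesn't match")
CONN_FAILED = re.compile(r"MakeTlsConnection: connection failed error (\d+)")

SUCCESS_LOG = """\
1206175452|sip  |2|00|MakeTlsConnection: SSL_connect OK : TLS Handshake completed successfully
1206175452|sip  |3|00|[TLS] Validating Subject Alternative Name(s) (SAN) and Common Name (CN) against the following:
1206175452|sip  |3|00|[TLS]            Hostname: 10.252.122.122
1206175452|sip  |3|00|[TLS]      Outbound Proxy: 10.252.122.122
1206175452|sip  |3|00|[TLS] Hostname connection: NONE
1206175452|sip  |3|00|[TLS] Attempting to validate certificate Common Name (CN)
1206175452|sip  |3|00|[TLS] Certificate Common Name matches server host: '10.252.122.122'
1206175452|sip  |3|00|[TLS] Server Certificate SAN or CN validation success. SSL verify result 0
1206175452|sip  |1|00|MakeTlsConnection: post_connection_checks passed
1206175452|sip  |3|00|MakeTlsConnection: connection succeeded
"""

FAILED_LOG = """\
1724612.165|sip  |4|00|[TLS] Server Certificate Common Name 'name' doesn't match any of the following:
1724612.165|sip  |4|00|[TLS]            Hostname: 10.20.30.40
1724612.165|sip  |4|00|[TLS]      Outbound Proxy: 10.20.30.40
1724612.165|sip  |4|00|[TLS] Hostname connection: NONE
1724612.165|sip  |4|00|[TLS] Server Certificate SAN or CN validation failed
1724612.165|sip  |4|00|MakeTlsConnection: connection failed error 1
"""


@dataclass
class TlsSummary:
    handshake_ok: bool = False
    expected_names: Dict[str, str] = field(default_factory=dict)  # e.g. {"Hostname": "10.20.30.40"}
    cert_cn: Optional[str] = None
    validation: Optional[str] = None   # "success", "failed", or None if not logged
    connected: Optional[bool] = None
    error: Optional[str] = None

    def diagnosis(self) -> str:
        if self.validation == "failed":
            names = ", ".join(f"{k}={v}" for k, v in self.expected_names.items() if v != "NONE")
            return (f"certificate CN '{self.cert_cn}' does not match any configured server name ({names}); "
                    "reissue the certificate with the server's FQDN or IP as CN/SAN")
        if self.connected:
            return "TLS connection established and server name validated"
        if not self.handshake_ok and self.validation is None:
            return "no completed handshake logged; check port 5061, transport=tls and the CA import"
        return "incomplete log; check the lines around MakeTlsConnection"


def summarize_tls_log(text: str) -> TlsSummary:
    """Fold the sip/tls log lines of one connection attempt into a TlsSummary."""
    s = TlsSummary()
    for raw in text.splitlines():
        m = LOG_LINE.match(raw.strip())
        if not m or m.group("mod").strip() not in ("sip", "tls"):
            continue
        msg = m.group("msg")
        if "SSL_connect OK" in msg:
            s.handshake_ok = True
        name = EXPECTED_NAME.search(msg)
        if name:
            s.expected_names[name.group(1)] = name.group(2)
        cn = CN_MATCH.search(msg) or CN_MISMATCH.search(msg)
        if cn:
            s.cert_cn = cn.group(1)
        if "SAN or CN validation success" in msg:
            s.validation = "success"
        elif "SAN or CN validation failed" in msg:
            s.validation = "failed"
        if "connection succeeded" in msg:
            s.connected = True
        failed = CONN_FAILED.search(msg)
        if failed:
            s.connected, s.error = False, failed.group(1)
    return s


if __name__ == "__main__":
    for sample in (SUCCESS_LOG, FAILED_LOG):
        print(summarize_tls_log(sample).diagnosis())
```

The diagnosis deliberately points at fixing the certificate name (Step 1) rather than at the sec.TLS.SIP.strictCertCommonNameValidation="0" parameter described next: that parameter makes the phone stop checking the name, which also removes the phone's only evidence that it reached the intended server.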

 

This can be worked around with the following parameter:

 

sec.TLS.SIP.strictCertCommonNameValidation="0"

This can also be set on newer versions via the Web Interface Settings > Network > TLS:

image

 

Changing the default cipher suite

 

The factory default cipher string is currently:

 

ALL:!aNULL:!eNULL:!DSS:!SEED:!ECDSA:!IDEA:!MEDIUM:!LOW:!EXP:!ADH:!ECDH:!PSK:!MD5:!RC4:@STRENGTH

To change Platform Profile 1, for example:

 

 

 

<web device.set="1" 
	device.sec.TLS.profile.cipherSuiteDefault1.set="1" 
	device.sec.TLS.profile.cipherSuiteDefault1="0" 
	device.sec.TLS.profile.cipherSuite1.set="1"
	device.sec.TLS.profile.cipherSuite1="ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384"/>

 

 

 

 

The above example effectively forces TLS 1.2, since the two listed suites are TLS 1.2-only.

 

Decrypting a Wireshark trace if the certificate cannot be shared

 

Usually, if a customer can provide a trace but cannot share the certificate and key used to decrypt the trace, they can share the session keys instead.

 

Following Step 4 above, ask the customer to open Wireshark, select File > Export SSL Session Keys, and save the file:
image

 

Then open the customer's trace and, in Wireshark, go to Edit > Preferences > Protocols > SSL > (Pre)-Master-Secret log filename, and select the exported session keys file:

image

------------------------------------------------
Notice: I am an HP Poly employee but all replies within the community are done as a volunteer outside of my day role. This community forum is not an official HP Poly support resource, thus responses from HP Poly employees, partners, and customers alike are best-effort in attempts to share learned knowledge.
If you need immediate and/or official assistance for former Poly\Plantronics\Polycom please open a service ticket through your support channels
For HP products please check HP Support.

Please also ensure you always check the General VoIP, Video Endpoint, UC Platform (Microsoft), PSTN