No need for mutual authentication; that is why putting the Polycom CA
into sipX is not documented in the wiki. However, it should also work
if you push the correct Polycom CA into sipX. Feel free to update the
wiki if you get it working.
On 04/13/2011 10:19 PM, Staffan Kerker wrote:
I've installed the following chain of Polycom CAs in SipX (not via GUI
though) downloaded from http://pki.polycom.com/pki/
Polycom Root CA.crt <http://pki.polycom.com/pki/Polycom%20Root%20CA.crt>
Polycom Equipment Policy CA.crt <http://pki.polycom.com/pki/Polycom%20Equipment%20Policy%20CA.crt>
Polycom Equipment Issuing CA 1.crt <http://pki.polycom.com/pki/Polycom%20Equipment%20Issuing%20CA%201.crt>
Maybe I shall install the last one as well, the "Polycom Issuing CA
2". I've also, as mentioned, installed the SipX self-signed CA onto
the Polycom phone using the info in the SipX Wiki. The Wiki does not
describe the procedure of installing the Polycom Root CA in order to
use TLS. It only talks about getting the SipX CA cert onto the Polycom
phone. What is required? Do we really use mutual TLS authentication,
or only server based authentication (client authenticates server by
installing the CA cert of SipX)?
Is anyone running SIP over TLS for Polycom phones?
//Staffan
On 13 apr 2011, at 15.08, Joegen Baclor wrote:
I have proposed being able to upload phone CA via the config. I know
there are several CAs for Polycom as documented in the site. Decrypt
Error seems to indicate that you have uploaded the wrong CA signature
than what your phone is sending. We need to pull some strings in
Polycom to get to the bottom of this. Perhaps one with
subscription support?
On 04/13/2011 07:58 PM, Staffan Kerker wrote:
Hi all,
I'm trying to get TLS working properly between the connected endpoints (Polycom
Soundpoint IP335) and the SipXproxy. No firewalls/NAT or anything in between.
I'm running v3.2.5 on the Polycoms and SipXecs version
4.4.0-2011-04-01EDT23:24:23 domU-12-31-39-0E-DD-81
I have followed the guide provided on the Wiki
(http://wiki.sipfoundry.org/display/sipXecs/Installing+the+Root+CA+Server+Certificate+on+the+Polycom+Phone)
and
(http://wiki.sipfoundry.org/display/sipXecs/Polycom+Phone+using+sipXecs+TLS+transport)
but still, no success. The Polycom UI tells me that the SipX CA certificate is
installed successfully on the phone and I've tried both using "All Certificates"
and "Custom Certificates" in the Polycom settings.
However, no TLS. I look at the Wireshark traces and notice that the TLS
handshake is failing since (as far as I understand it) the Polycom is not
sending the correct client certificate to the server. After the server has sent
Certificate, Certificate Request and ServerHelloDone, the Polycom responds with
a Certificate message containing the Polycom certificates, not the certificate
generated by SipX (and installed on the Polycom). This ends with a Fatal
Error and the Polycom falls back to TCP.
First, the error was "Unknown CA" but after installing the Polycom chain of root
CA on SipX, it's now "Decrypt Error"... But the guide says nothing about the
need to install the Polycom device Root CA on the SipX server in this situation.
I'm confused... and would be very happy with some guidance...
//Staffan
--
Staffan Kerker
mail/sip/xmpp:staf...@kerker.se
"Don't get involved in politics man, just play the gig..." /Sgt Floyd, Electric
Mayhem Band
_______________________________________________
sipx-users mailing list
sipx-users@list.sipfoundry.org
List Archive:http://list.sipfoundry.org/archive/sipx-users/