Custom certificates, Mutual TLS, and Soundpoint


Hi,


I know that SoundPoint is basically dead, but we have a lot of these out there and want to improve security.  So far we are unable to get mutual TLS authentication to work with self-signed certificates.  (We've gotten mutual TLS to work flawlessly with other major vendor IP phones.)  Polycom is the last hold-out.


We're trying to get the following setup to work:


Firmware 4.0.14.0987

Self-Signed Certificate with Self-Signed CA

Mutual TLS Authentication (Only accept signed certificates from polycom phones)


We first provision the Polycom (IP-335/550/650/etc.) with HTTP and use <device> to set it up for HTTPS:


<device device.set="1"
        device.net.etherVlanFilter.set="1" device.net.etherVlanFilter="1"
        device.dhcp.bootSrvUseOpt.set="1" device.dhcp.bootSrvUseOpt="2"
        device.dhcp.bootSrvOpt.set="1" device.dhcp.bootSrvOpt="166"
        device.dhcp.bootSrvOptType.set="1" device.dhcp.bootSrvOptType="String"
        device.prov.serverType.set="1" device.prov.serverType="HTTPS"
        device.prov.serverName.set="1" device.prov.serverName="provisioning-server-here">
  <device.sec device.sec.TLS.customCaCert1.set="1"
              device.sec.TLS.customCaCert1="-----BEGIN CERTIFICATE-----
certificate-goes-here
-----END CERTIFICATE-----" />
</device>


So far, this accomplishes turning off future usage of option 66 (and using option 166 if we want to re-program in the future).  So now the Polycom phone will successfully download the above XML via HTTP, and then it will TRY to connect to HTTPS but not succeed.


Flow:

The Polycom downloads the above XML via HTTP and does initial provisioning.  The Polycom then reboots itself and then continually tries an HTTPS connection, but the handshake always fails.


Here's the log from the polycom:


000015.462|so |*|03|Network initialized. Starting network tasks.
000015.464|log |*|03|Install file upload callback for 'so'

0723102804|cfg |5|03|Prm|Parameter acd.reg requested type 0 but is of type 2
0723102804|sip |*|03|Fast Boot Measurement Point: Ready for Call, uptime: 15.616 sec.
0723102804|app1 |*|03|Ctx [0] Registered [false]
0723102804|app1 |5|03|Corporate directory instance does not exists.
0723102806|copy |4|03|SSL_connect error SSL connect error.error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca
0723102808|copy |4|03|SSL_connect error SSL connect error.error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca
0723102810|copy |4|03|SSL_connect error SSL connect error.error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca

Why would the phone not recognize the CA?  When viewing the fingerprint of the CA in the polycom phone web portal, it matches the server.


We have VERIFIED that the Polycom DOES trust the CA, because if we turn OFF required client certificates at the HTTPS server (Apache 2.x), the Polycom SUCCESSFULLY downloads configuration from HTTPS (so obviously the phone can accept the self-signed certificate and connect to a self-signed server).


When we turn on debugging on Apache, we clearly see the Polycom is not sending the device certificate when connecting to the HTTPS server, and the phone is giving up the connection PRIOR to any attempt at sending the device certificate for client-cert authentication.


Final Questions:

Does mutual TLS only work with officially signed certificates?  I.e. VeriSign, Starfield, etc.?

Does mutual TLS work at all on a Polycom SoundPoint?
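One thing that helps when debugging a post like this is decoding the packed OpenSSL error code the phone prints (14094418) rather than reading the text. The following is an added example, not code from the post or from Polycom: it splits the code into library, function and reason using the OpenSSL 1.0.x numbering (library 20 = SSL, function 148 = ssl3_read_bytes, reasons 1000-1255 = a TLS alert received from the peer, alert number = reason - 1000). The two log lines are copied from the post; everything else (function and variable names) is this example's own.

```python
"""Decode the OpenSSL error codes in a Polycom 'copy' task log so that the
side of the mutual-TLS handshake that aborted can be identified.

Added example; not code from the original post or from Polycom.  Numeric
tables are OpenSSL 1.0.x values; the sample log lines are from the post.
"""
import re

# Two lines taken verbatim from the phone log in the post (firmware 4.0.14.0987).
PHONE_LOG = """\
0723102806|copy |4|03|SSL_connect error SSL connect error.error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca
0723102808|copy |4|03|SSL_connect error SSL connect error.error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca
"""

# TLS AlertDescription values (RFC 5246 section 7.2) relevant to certificate
# problems.  OpenSSL reports a *received* alert as reason 1000 + AlertDescription.
TLS_ALERTS = {
    40: "handshake_failure",
    42: "bad_certificate",
    43: "unsupported_certificate",
    44: "certificate_revoked",
    45: "certificate_expired",
    46: "certificate_unknown",
    47: "illegal_parameter",
    48: "unknown_ca",
    49: "access_denied",
    51: "decrypt_error",
}

ERR_LIB_SSL = 20              # ERR_LIB_SSL
SSL_F_SSL3_READ_BYTES = 148   # OpenSSL 1.0.x function code for ssl3_read_bytes

ERR_RE = re.compile(r"error:([0-9A-Fa-f]{8}):")


def decode_openssl_error(code):
    """Split a packed OpenSSL error code into (library, function, reason)."""
    lib = (code >> 24) & 0xFF
    func = (code >> 12) & 0xFFF
    reason = code & 0xFFF
    return lib, func, reason


def classify(code):
    """Describe one error code; flag alerts that were sent by the remote side."""
    lib, func, reason = decode_openssl_error(code)
    info = {"library": lib, "function": func, "reason": reason,
            "alert": None, "sent_by_peer": False}
    if lib == ERR_LIB_SSL and 1000 <= reason <= 1255:
        alert = reason - 1000
        info["alert"] = TLS_ALERTS.get(alert, "alert_%d" % alert)
        # Reason codes in this range are alerts read from the wire: the peer
        # (here the Apache provisioning server) aborted the handshake.
        info["sent_by_peer"] = True
    return info


def explain(info):
    """One-line reading of a classified error for a handshake post-mortem."""
    if info["sent_by_peer"]:
        return ("peer sent TLS alert %s: the server rejected the certificate "
                "material it received; check the CA file the server trusts for "
                "client certificates" % info["alert"])
    return "local TLS error (library %d, reason %d)" % (info["library"], info["reason"])


def analyse_log(text):
    """Return a classification for every OpenSSL error code in the log text."""
    results = []
    for line in text.splitlines():
        m = ERR_RE.search(line)
        if not m:
            continue
        results.append(classify(int(m.group(1), 16)))
    return results


if __name__ == "__main__":
    for info in analyse_log(PHONE_LOG):
        print(info["reason"], info["alert"], "->", explain(info))
```

Because the reason sits in the received-alert range, the alert was generated by the server, so the next check belongs on the Apache side: confirm that the file named by `SSLCACertificateFile` contains the CA that actually signed whatever certificate the phone presents, and reproduce the handshake from a workstation with `openssl s_client -connect host:443 -cert client.pem -key client.key -CAfile ca.pem` to see which certificate the server accepts.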
