<html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class="">Hi<div class=""><br class=""></div><div class="">That sounds hopeful. Where I was vaguely going was being able to capture the certificate details at HTTP provisioning, or first SIP interaction. This should then give a secure way to validate that individual device.</div><div class=""><br class=""></div><div class="">From my experience with Yealink devices: the older devices all come with a common device certificate. Current-generation devices also have an individual unique certificate. The cutoff appears to be those devices which were factory shipped with firmware version v72.</div><div class=""><br class=""></div><div class=""><a href="https://tinyurl.com/ybtfxvnj" class="">https://tinyurl.com/ybtfxvnj</a></div><div class=""><br class=""></div><div class="">“Using Security Certificates on Yealink IP Phones”</div><div class="">It’s not completely clear, but the Yealink security document says:</div><div class=""><br class=""></div><div class="">“If ‘Mutual TLS Authentication Required’ is enabled on your server, the IP phone should send its certificate to the server as well”</div><div class=""><br class=""></div><div class="">However, even though the doc mentions SIPS and HTTPS, all examples talk about HTTPS and provisioning.</div><div class=""><br class=""></div><div class="">Mark<br class=""><div><br class=""><blockquote type="cite" class=""><div class="">On 7 Jul 2020, at 07:28, Daniel-Constantin Mierla <<a href="mailto:miconda@gmail.com" class="">miconda@gmail.com</a>> wrote:</div><br class="Apple-interchange-newline"><div class="">
<div class=""><p class="">Hello,</p><p class="">as said, from my experience if it is a preloaded certificate on
the device, then it is mainly used for the https management
interface.</p><p class="">However, searching the web about snom phones and ssl
certificates, it seems that their latest models use the
certificate even for sip:</p><p class=""> - <a href="https://service.snom.com/display/wiki/TLS+Support" class="">https://service.snom.com/display/wiki/TLS+Support</a></p><p class="">I haven't tested it, but I plan to do it when I get a chance. I
could not see anything in docs about uploading a new set of certs,
so I would be interested to learn what sip hard phones allow that.<br class="">
</p><p class="">Cheers,<br class="">
Daniel<br class="">
</p>
<div class="moz-cite-prefix">On 03.07.20 14:12, Mark Boyce wrote:<br class="">
</div>
<blockquote type="cite" cite="mid:664CD4AF-1E36-4897-812A-3DBFF27607D1@darkorigins.com" class="">
Hi
<div class=""><br class="">
</div>
<div class="">Looking at the libssl docs it looks like the
require/verify setting triggers the client cert request to be
sent. When set to ‘verify none' no request is sent.</div>
<div class=""><br class="">
</div>
<div class="">Either way the Yealink seems to be ignoring the
request.<br class="">
<div class=""><br class="">
</div>
<div class="">As always, thanks for your assistance</div>
<div class=""><br class="">
</div>
<div class="">Mark</div>
<div class=""><br class="">
<blockquote type="cite" class="">
<div class="">On 3 Jul 2020, at 11:38, Daniel-Constantin
Mierla <<a href="mailto:miconda@gmail.com" class="" moz-do-not-send="true">miconda@gmail.com</a>> wrote:</div>
<br class="Apple-interchange-newline">
<div class=""><p style="caret-color: rgb(0, 0, 0); font-family:
Helvetica; font-size: 12px; font-style: normal;
font-variant-caps: normal; font-weight: normal;
letter-spacing: normal; text-align: start; text-indent:
0px; text-transform: none; white-space: normal;
word-spacing: 0px; -webkit-text-stroke-width: 0px;
text-decoration: none;" class="">Hello,<br class="">
</p>
<div class="moz-cite-prefix" style="caret-color: rgb(0, 0,
0); font-family: Helvetica; font-size: 12px; font-style:
normal; font-variant-caps: normal; font-weight: normal;
letter-spacing: normal; text-align: start; text-indent:
0px; text-transform: none; white-space: normal;
word-spacing: 0px; -webkit-text-stroke-width: 0px;
text-decoration: none;">On 03.07.20 11:12, Mark Boyce
wrote:<br class="">
</div>
<blockquote type="cite" cite="mid:223BC3C3-2BFD-4F5A-A3D9-86798B8EFB40@darkorigins.com" style="font-family: Helvetica; font-size: 12px;
font-style: normal; font-variant-caps: normal;
font-weight: normal; letter-spacing: normal; orphans:
auto; text-align: start; text-indent: 0px;
text-transform: none; white-space: normal; widows: auto;
word-spacing: 0px; -webkit-text-size-adjust: auto;
-webkit-text-stroke-width: 0px; text-decoration: none;" class="">Hi Daniel
<div class=""><br class="">
</div>
<div class="">Ah, that’s the bit I misunderstood. I
thought that require_certificate would trigger mutual
auth / mTLS rather than enforcing its presence.</div>
</blockquote><p style="caret-color: rgb(0, 0, 0); font-family:
Helvetica; font-size: 12px; font-style: normal;
font-variant-caps: normal; font-weight: normal;
letter-spacing: normal; text-align: start; text-indent:
0px; text-transform: none; white-space: normal;
word-spacing: 0px; -webkit-text-stroke-width: 0px;
text-decoration: none;" class="">well, the server
indicates it wants to see client certificate during the
handshake, but it has no control in forcing the client
to do so. From Kamailio point of view, all this is done
by underlying libssl used by tls module. The result
after handshake, based on the error message, is that
client didn't present any certificate.</p><p style="caret-color: rgb(0, 0, 0); font-family:
Helvetica; font-size: 12px; font-style: normal;
font-variant-caps: normal; font-weight: normal;
letter-spacing: normal; text-align: start; text-indent:
0px; text-transform: none; white-space: normal;
word-spacing: 0px; -webkit-text-stroke-width: 0px;
text-decoration: none;" class="">Typically the clients
do not present their certificate by default, there has
to be some configuration for that. From my experience,
the hardphones have certificates only for
provisioning/management APIs.</p><p style="caret-color: rgb(0, 0, 0); font-family:
Helvetica; font-size: 12px; font-style: normal;
font-variant-caps: normal; font-weight: normal;
letter-spacing: normal; text-align: start; text-indent:
0px; text-transform: none; white-space: normal;
word-spacing: 0px; -webkit-text-stroke-width: 0px;
text-decoration: none;" class="">For SIP, there has an
option of uploading the client side certificate, because
it has to match somehow the SIP user and SIP service to
be able to do proper mutual TLS authentication.</p><p style="caret-color: rgb(0, 0, 0); font-family:
Helvetica; font-size: 12px; font-style: normal;
font-variant-caps: normal; font-weight: normal;
letter-spacing: normal; text-align: start; text-indent:
0px; text-transform: none; white-space: normal;
word-spacing: 0px; -webkit-text-stroke-width: 0px;
text-decoration: none;" class="">Cheers,<br class="">
Daniel<br class="">
</p>
<blockquote type="cite" cite="mid:223BC3C3-2BFD-4F5A-A3D9-86798B8EFB40@darkorigins.com" style="font-family: Helvetica; font-size: 12px;
font-style: normal; font-variant-caps: normal;
font-weight: normal; letter-spacing: normal; orphans:
auto; text-align: start; text-indent: 0px;
text-transform: none; white-space: normal; widows: auto;
word-spacing: 0px; -webkit-text-size-adjust: auto;
-webkit-text-stroke-width: 0px; text-decoration: none;" class="">
<div class=""><br class="">
</div>
<div class="">No sign of a setting on the Yealink to
send it’s certificate. Will go unpack a Cisco and see
what that offers.</div>
<div class=""><br class="">
</div>
<div class="">Thanks</div>
<div class="">Mark, </div>
<div class=""><br class="">
</div>
<div class="">
<div class="">
<blockquote type="cite" class="">
<div class="">On 3 Jul 2020, at 09:09,
Daniel-Constantin Mierla <<a href="mailto:miconda@gmail.com" class="" moz-do-not-send="true">miconda@gmail.com</a>>
wrote:</div>
<br class="Apple-interchange-newline">
<div class="">
<div class=""><p class="">Hello,</p><p class="">the client has to be configured to
present a certificate, and it doesn't do it
based on kamailio log message:</p><p class="">INFO: tls [tls_server.c:445]:
tls_accept(): tls_accept: client did not
present a certificate</p><p class="">Check the phone config to see if
you can set such option. Kamailio can just
see if a certificate is sent and if not
reject the connection, if you have
require_certificate = yes in the server
profile of tls.cfg</p><p class="">You can eventually test with
'openssl s_client ...' to see details of
client side certs in kamailio -- iirc, it
has the options to specify client side
certificate with -cert ... -key ...<br class="">
</p><p class="">Cheers,<br class="">
Daniel<br class="">
</p>
<div class="moz-cite-prefix">On 03.07.20
09:52, Mark Boyce wrote:<br class="">
</div>
<blockquote type="cite" cite="mid:D9767AFF-6B96-4E40-B288-089DCB94208A@darkorigins.com" class="">Hi Daniel
<div class=""><br class="">
</div>
<div class="">I’m testing with a
Yealink T57W. It comes with a factory
install certificate which will probably
fail validation as the common name is the
MAC. <br class="">
<div class=""><br class="">
</div>
<div class="">I'm not trying validate the
client device’s certificate just get it
to offer what it has so I can check the
details.</div>
<div class=""><br class="">
</div>
<div class="">Thanks</div>
<div class="">Mark</div>
<div class=""><br class="">
<blockquote type="cite" class="">
<div class="">On 3 Jul 2020, at 08:38,
Daniel-Constantin Mierla <<a href="mailto:miconda@gmail.com" class="" moz-do-not-send="true">miconda@gmail.com</a>>
wrote:</div>
<br class="Apple-interchange-newline">
<div class="">
<div class=""><p class="">Hello,</p><p class="">what is the SIP client
app you used? Is it configured
to use its own tls certificate
when connecting to the SIP
server?</p><p class="">Cheers,<br class="">
Daniel<br class="">
</p>
<div class="moz-cite-prefix">On
02.07.20 18:51, Mark Boyce
wrote:<br class="">
</div>
<blockquote type="cite" cite="mid:C53EF2BF-A770-4FA1-8B63-FB7B34CA40E7@darkorigins.com" class="">Hi all
<div class=""><br class="">
</div>
<div class="">Been trying to
grab the TLS cert details from
incoming connections, but
failing :-(</div>
<div class=""><br class="">
</div>
<div class="">So with lines just
before AUTH is called like
this;</div>
<div class=""><br class="">
</div>
<div class="">
<div class=""> <span class="Apple-converted-space"> </span>if
(proto == TLS) {</div>
<div class=""> <span class="Apple-converted-space"> </span>xlog("L_INFO",
"TLSDUMP $ci peer_subject
:
$tls_peer_subject\n");</div>
</div>
<div class=""><br class="">
</div>
<div class="">Gets met with a
log line line this;</div>
<div class=""><br class="">
</div>
<div class="">INFO: tls
[tls_server.c:431]:
tls_accept(): tls_accept: new
connection from 1.2.3.4:11797
using TLSv1.2
ECDHE-RSA-AES256-GCM-SHA384
256</div>
<div class="">INFO: tls
[tls_server.c:434]:
tls_accept(): tls_accept:
local socket: 5.6.7.8:5061</div>
<div class="">INFO: tls
[tls_server.c:445]:
tls_accept(): tls_accept:
client did not present a
certificate</div>
<div class="">...</div>
<div class="">INFO: tls
[tls_select.c:168]:
get_cert(): Unable to retrieve
peer TLS certificate from SSL
structure</div>
<div class=""><br class="">
</div>
<div class="">This is with
verify_certificate and
require_certificate set to no
in tls.cfg</div>
<div class=""><br class="">
</div>
<div class="">If I try and set
the following in tls.cfg</div>
<div class=""><br class="">
</div>
<div class="">
<div class="">[server:default]</div>
<div class="">method =
TLSv1.2+</div>
<div class="">verify_certificate
= no</div>
<div class="">require_certificate
= yes</div>
<div class=""><br class="">
</div>
<div class="">I see in the
logs;</div>
<div class=""><br class="">
</div>
<div class="">
<div class="">INFO: tls
[tls_domain.c:303]:
ksr_tls_fill_missing():
TLSs<default>:
tls_method=22</div>
<div class="">INFO: tls
[tls_domain.c:315]:
ksr_tls_fill_missing():
TLSs<default>:
certificate='/etc/kamailio/tls-certs/cert.pem'</div>
<div class="">INFO: tls
[tls_domain.c:322]:
ksr_tls_fill_missing():
TLSs<default>:
ca_list='(null)'</div>
<div class="">INFO: tls
[tls_domain.c:329]:
ksr_tls_fill_missing():
TLSs<default>:
crl='(null)'</div>
<div class="">INFO: tls
[tls_domain.c:333]:
ksr_tls_fill_missing():
TLSs<default>:<span class="Apple-converted-space"> </span><b class="">require_certificate=1</b></div>
<div class="">INFO: tls
[tls_domain.c:340]:
ksr_tls_fill_missing():
TLSs<default>:
cipher_list='(null)'</div>
<div class="">INFO: tls
[tls_domain.c:347]:
ksr_tls_fill_missing():
TLSs<default>:
private_key='/etc/kamailio/tls-certs/privkey.pem'</div>
<div class="">INFO: tls
[tls_domain.c:351]:
ksr_tls_fill_missing():
TLSs<default>:<span class="Apple-converted-space"> </span><b class="">verify_certificate=0</b></div>
<div class="">INFO: tls
[tls_domain.c:354]:
ksr_tls_fill_missing():
TLSs<default>:
verify_depth=9</div>
<div class="">NOTICE: tls
[tls_domain.c:1095]:
ksr_tls_fix_domain():
registered server_name
callback handler for
socket [:0],
server_name='<default>'
...</div>
<div class="">INFO: tls
[tls_domain.c:692]:
set_verification():
TLSs<default>:<b class=""><span class="Apple-converted-space"> </span>Client
MUST present valid
certificate</b></div>
<div class="">INFO: tls
[tls_domain.c:303]:
ksr_tls_fill_missing():
TLSc<default>:
tls_method=20</div>
<div class="">INFO: tls
[tls_domain.c:315]:
ksr_tls_fill_missing():
TLSc<default>:
certificate='(null)'</div>
<div class="">INFO: tls
[tls_domain.c:322]:
ksr_tls_fill_missing():
TLSc<default>:
ca_list='(null)'</div>
<div class="">INFO: tls
[tls_domain.c:329]:
ksr_tls_fill_missing():
TLSc<default>:
crl='(null)'</div>
<div class="">INFO: tls
[tls_domain.c:333]:
ksr_tls_fill_missing():
TLSc<default>:<span class="Apple-converted-space"> </span><b class="">require_certificate=1</b></div>
<div class="">INFO: tls
[tls_domain.c:340]:
ksr_tls_fill_missing():
TLSc<default>:
cipher_list='(null)'</div>
<div class="">INFO: tls
[tls_domain.c:347]:
ksr_tls_fill_missing():
TLSc<default>:
private_key='(null)'</div>
<div class="">INFO: tls
[tls_domain.c:351]:
ksr_tls_fill_missing():
TLSc<default>:<span class="Apple-converted-space"> </span><b class="">verify_certificate=1</b></div>
<div class="">INFO: tls
[tls_domain.c:354]:
ksr_tls_fill_missing():
TLSc<default>:
verify_depth=9</div>
<div class="">INFO: tls
[tls_domain.c:692]:
set_verification():
TLSc<default>:<span class="Apple-converted-space"> </span><b class="">Server MUST present
valid certificate</b></div>
<div class="">...</div>
<div class="">ERROR: tls
[tls_util.h:42]:
tls_err_ret(): TLS
accept:error:1417C086:SSL
routines:tls_process_client_certificate:certificate verify failed</div>
</div>
<div class=""><br class="">
</div>
<div class="">Which looks like
verification is being
enabled when I add require?</div>
<div class=""><br class="">
</div>
<div class=""><br class="">
</div>
<div class=""><br class="">
</div>
<div class="">Would someone be
kind enough to point out
what I am missing please?
(Assuming it’s not a bug :-)</div>
<div class=""><br class="">
</div>
<div class=""><br class="">
</div>
</div>
</blockquote>
</div>
</div>
</blockquote>
</div>
</div>
</blockquote>
</div>
</div>
</blockquote>
</div>
<br class="">
</div>
</blockquote>
<pre class="moz-signature" cols="72" style="caret-color: rgb(0, 0, 0); font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none;">--
Daniel-Constantin Mierla -- <a class="moz-txt-link-abbreviated" href="http://www.asipto.com/" moz-do-not-send="true">www.asipto.com</a>
<a class="moz-txt-link-abbreviated" href="http://www.twitter.com/miconda" moz-do-not-send="true">www.twitter.com/miconda</a> -- <a class="moz-txt-link-abbreviated" href="http://www.linkedin.com/in/miconda" moz-do-not-send="true">www.linkedin.com/in/miconda</a>
Funding: <a class="moz-txt-link-freetext" href="https://www.paypal.me/dcmierla" moz-do-not-send="true">https://www.paypal.me/dcmierla</a></pre>
</div>
</blockquote>
</div>
<br class="">
<div class="">
Best regards<br class="">
Mark<br class="">
-- <br class="">
Mark Boyce<br class="">
Dark Origins Ltd<br class="">
e: <a href="mailto:mark@darkorigins.com" class="" moz-do-not-send="true">mark@darkorigins.com</a><br class=""><br class=""></div>
<br class="">
</div>
</blockquote>
<pre class="moz-signature" cols="72">--
Daniel-Constantin Mierla -- <a class="moz-txt-link-abbreviated" href="http://www.asipto.com/">www.asipto.com</a>
<a class="moz-txt-link-abbreviated" href="http://www.twitter.com/miconda">www.twitter.com/miconda</a> -- <a class="moz-txt-link-abbreviated" href="http://www.linkedin.com/in/miconda">www.linkedin.com/in/miconda</a>
Funding: <a class="moz-txt-link-freetext" href="https://www.paypal.me/dcmierla">https://www.paypal.me/dcmierla</a></pre>
</div>
</div></blockquote></div><br class=""><div class="">
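The thread above shows the tls_accept() log lines Kamailio writes per connection and the TLSDUMP xlog line Mark added to record $tls_peer_subject. As an added example that is not part of this thread or of Kamailio itself, the following Python script triages such log lines offline: it lists which peers completed the handshake without offering a certificate and pulls the CN out of the logged subject, flagging CNs that look like a MAC address (the factory-cert pattern Mark describes for the Yealink). The sample log lines are constructed from the quoted format; the one-line subject layout and the placeholder printed for an unset $tls_peer_subject are assumptions.

```python
"""Triage Kamailio tls-module log lines for client-certificate posture (added example)."""
import re

# Patterns follow the tls_accept() lines quoted in the thread.
NEW_CONN = re.compile(r"tls_accept: new connection from (?P<src>[\d.]+:\d+) using "
                      r"(?P<ver>\S+) (?P<cipher>\S+) (?P<bits>\d+)")
NO_CERT = re.compile(r"tls_accept: client did not present a certificate")
# xlog line as written in Mark's route: TLSDUMP <call-id> peer_subject : <subject>
PEER_SUBJ = re.compile(r"TLSDUMP (?P<callid>\S+) peer_subject : (?P<subject>.*)$")
MAC_CN = re.compile(r"^[0-9a-fA-F]{12}$")  # Yealink factory cert CN is the MAC

# Constructed sample log: one phone without a client cert, one that offered it.
# Real xlog output carries a module prefix before TLSDUMP; search() ignores it.
# The one-line subject format and the <null> placeholder are assumptions.
SAMPLE_LOG = """\
INFO: tls [tls_server.c:431]: tls_accept(): tls_accept: new connection from 1.2.3.4:11797 using TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 256
INFO: tls [tls_server.c:434]: tls_accept(): tls_accept: local socket: 5.6.7.8:5061
INFO: tls [tls_server.c:445]: tls_accept(): tls_accept: client did not present a certificate
INFO: TLSDUMP abc123@1.2.3.4 peer_subject : <null>
INFO: tls [tls_server.c:431]: tls_accept(): tls_accept: new connection from 10.0.0.7:50112 using TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 256
INFO: TLSDUMP def456@10.0.0.7 peer_subject : /C=CN/O=Yealink/CN=001565aabbcc
""".splitlines()

def parse_tls_accepts(lines):
    """One dict per accepted connection, in log order; client_cert is cleared
    when the 'did not present a certificate' line follows the accept line."""
    conns = []
    for line in lines:
        m = NEW_CONN.search(line)
        if m:
            conns.append({"src": m["src"], "version": m["ver"],
                          "cipher": m["cipher"], "client_cert": True})
        elif conns and NO_CERT.search(line):
            conns[-1]["client_cert"] = False
    return conns

def subject_cn(subject):
    """CN from an OpenSSL one-line subject such as /C=CN/O=Yealink/CN=001565aabbcc."""
    for part in subject.split("/"):
        if part.startswith("CN="):
            return part[3:]
    return None

def parse_peer_subjects(lines):
    """call-id -> (subject, cn, cn_is_mac); an absent cert yields ("", None, False)."""
    out = {}
    for line in lines:
        m = PEER_SUBJ.search(line)
        if m:
            raw = m["subject"].strip()
            subject = "" if raw in ("", "<null>") else raw
            cn = subject_cn(subject)
            out[m["callid"]] = (subject, cn, bool(cn and MAC_CN.match(cn)))
    return out
```

Feeding a real Kamailio log through parse_tls_accepts() quickly shows whether a phone is ignoring the CertificateRequest (client_cert False) or offering a cert whose CN can be recorded against the device, which is the first-contact capture Mark describes.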
<div style="color: rgb(0, 0, 0); letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class=""><div class=""><div style="orphans: 2; widows: 2;" class="">Mark</div><div style="orphans: 2; widows: 2;" class="">-- </div><div style="orphans: 2; widows: 2;" class="">Mark Boyce</div><div style="orphans: 2; widows: 2;" class="">Dark Origins Ltd</div><div style="orphans: 2; widows: 2;" class=""><br class=""></div></div></div></div></div></body></html>