Solved: Cisco SPA112 Firmware 1.4.1(SR3) can't establish TLS - Page 2

Tim Harman · ‎04-26-2019

Hi,

My Cisco SPA112 has been working great with my provider, until the new firmware released a few days ago, 1.4.1SR3. It was on SR1 previous.

The new SR3 has been created it seems to fix a problem where bad actors could submit a false/bad certificate for the TLS session.

But now I can't establish a SIP session to my provider using TLS anymore, I've had to downgrade back to UDP to get it to work.

My provider is 2talk, a well known New Zealand SIP provider. Here's a log of an SSL tester against their server tls.2talk.co.nz

Testing server defaults (Server Hello)

TLS extensions (standard) "renegotiation info/#65281" "session ticket/#35" "heartbeat/#15"
Session Ticket RFC 5077 hint 300 seconds, session tickets keys seems to be rotated < daily
SSL Session ID support yes
Session Resumption Tickets: yes, ID: yes
TLS clock skew Random values, no fingerprinting possible
Signature Algorithm SHA256 with RSA
Server key size RSA 2048 bits
Server key usage Digital Signature, Key Encipherment
Server extended key usage TLS Web Server Authentication, TLS Web Client Authentication
Serial / Fingerprints 70CBFCC2A2BA4D48D15226C757BD6CDE / SHA1 02624ACFBC81C2C21DA23D3FB5DA275E791FE61B
SHA256 FD1B1B042D4CBEC1F5B46C974ADECE7FA9E530AFB8E788B6B9AF77A60EC4E80E
Common Name (CN) tls.2talk.co.nz
subjectAltName (SAN) tls.2talk.co.nz
Issuer RapidSSL SHA256 CA (GeoTrust Inc. from US)
Trust (hostname) Ok via SAN and CN (same w/o SNI)
Chain of trust Ok
EV cert (experimental) no
"eTLS" (visibility info) not present
Certificate Validity (UTC) 145 >= 60 days (2016-07-21 12:00 --> 2019-09-20 11:59)
# of certificates provided 2
Certificate Revocation List http://gp.symcb.com/gp.crl
OCSP URI http://gp.symcd.com
OCSP stapling not offered
OCSP must staple extension --
DNS CAA RR (experimental) not offered
Certificate Transparency yes (certificate extension)

You can see both the certificate itself and the SNI are the same value.

However, in the logs of the Cisco SPA112 when I try to establish a TLS session, I get the following:

Apr 26 22:12:58 chatterbox [0]SIP/TCP NewLocalPort:5078
Apr 26 22:12:58 chatterbox [0]SIP/TCP NewLocalPort:5078
Apr 26 22:12:58 chatterbox [0: 0]SIP/TCP:Connecting(12)...
Apr 26 22:12:58 chatterbox [0: 0]SIP/TCP:Connecting(12)...
Apr 26 22:12:58 chatterbox [0: 0]SIP/TCP:Connect=0
Apr 26 22:12:58 chatterbox [0: 0]SIP/TCP:Connect=0
Apr 26 22:12:58 chatterbox [0: 0]SIP/TLS:Connecting(12)...
Apr 26 22:12:58 chatterbox [0: 0]SIP/TLS:Connecting(12)...
Apr 26 22:12:58 chatterbox ssl cert err 20
Apr 26 22:12:58 chatterbox [0: 0]SIP/TLS:Connect=-1
Apr 26 22:12:58 chatterbox [0: 0]SIP/TLS:Connect=-1
Apr 26 22:12:58 chatterbox [0: 0]SIP/TLS:Connect Failed
Apr 26 22:12:58 chatterbox [0: 0]SIP/TLS:Connect Failed
Apr 26 22:12:58 chatterbox RSE_DEBUG: getting alternate from domain:tls.2talk.co.nz
Apr 26 22:12:58 chatterbox RSE_DEBUG: All server is down:43
Apr 26 22:12:58 chatterbox RSE_DEBUG: Domain: tls.2talk.co.nz, type=SRVHOST
Apr 26 22:12:58 chatterbox RSE_DEBUG: Total Address:1, up addr:0, ref id:0, ref cnt:1
Apr 26 22:12:58 chatterbox RSE_DEBUG: Current addr:NULL
Apr 26 22:12:58 chatterbox RSE_DEBUG: curr timestamp::42757, pri:600, scnd:600
Apr 26 22:12:58 chatterbox RSE_DEBUG: pri:0, addr: 27.111.14.65:5061, status=DOWN, visited=TRUE, ttl=102757, pri=PRIM
Apr 26 22:12:58 chatterbox [0]SIP/TCP Backoff 1000 ms

Does anyone have any suggestions? I assume Cisco is using OpenSSL here, and from a bit of Googling (so maybe incorrect) an error 20 is:

verify error:num=20:unable to get local issuer certificate

But every other unix system I have connects to tls.2talk.co.nz:5061 just fine:

{16:28}~ ➭ openssl s_client -connect tls.2talk.co.nz:5061
CONNECTED(00000003)
depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
verify return:1
depth=1 C = US, O = GeoTrust Inc., CN = RapidSSL SHA256 CA
verify return:1
depth=0 CN = tls.2talk.co.nz
verify return:1
---
Certificate chain
0 s:/CN=tls.2talk.co.nz
i:/C=US/O=GeoTrust Inc./CN=RapidSSL SHA256 CA
1 s:/C=US/O=GeoTrust Inc./CN=RapidSSL SHA256 CA
i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
---

What's going on? Is 1.4.1(SR3) buggy??

This was working fine in 1.4.1(SR1)

Jorge Canto · ‎05-13-2019

HI,

Update.

It seems is working now, just "tried" another CA and now everything looks good.

I wonder why it was randomly working.

Thanks for your help.

I will be updating here in a few days.

Dan Lukes · ‎05-13-2019

Name of server that resolves to more than one IP, each using different certificate ? Just guessing ...

Dan Lukes · ‎05-13-2019

SPA is set to logging MODE DEBUG and no information appears

Either phone sends no messages. It's unlikely. Or it's sending messages to other IP you are running syslog server on. Verify SPA configuration, especially address of syslog and debug server. Or it's sending messages to correct address, but syslog server considered not to record them. Use wireshark, tcpdump or so to verify messages are fired by phone. If not recorded, check configuration of syslog server.

they receive "unknown CA" error from my account.

It depens on contex I know nothing about. Generally, "unknown CA" error mean the connection is covered by SSL certificate issued by unknown CA. We need to know what CA is used for the connection in question. It shall be the one imported via Custom CA configuration option. Capture TLS/SIP session of both attempts - successful and failing REGISTER request. We can try to identify differences then.