on 09-23-2017 08:20 AM - edited on 11-19-2019 09:06 AM by Geovani
When phones are provisioned they traditionally use TFTP or HTTP. While this works, it is better to add a layer of security by enabling HTTP over TLS (known as HTTPS), combined with authentication by either user ID/password (UID/PWD) or an encrypted configuration file.
By enabling HTTPS between the provisioning server and the client, the client can verify the identity of the server. This can be done with a self-signed certificate or a certificate signed by a well-known root CA. If the server uses a self-signed certificate, the phone will throw an SSL error (it cannot verify the identity of the certificate). To work around this, the MPP phones support a custom CA rule that allows the customer to install a certificate (chain) on the phone, which is then used to verify the identity of the server.
HTTPS is useful for client/server communication where the client is "anonymous", like a browser visiting cisco.com. From a security point of view it also makes sense to verify the identity of the client (the phone) when it accesses phone services. Don't mistake this authentication (verifying identity) for authorisation (access to a resource)! To get authentication in both directions we configure MTLS (Mutual Transport Layer Security) on the provisioning server, so that during the HTTPS handshake both parties verify each other's identity.
0.1 Initial document to set up TLS and MTLS on systems running Apache or Nginx.
An easy way to create a self-signed certificate is to use openssl with the following command:
openssl req -x509 -nodes -days 365 -newkey rsa:4096 -keyout my_self_signed_key.key -out my_self_signed_cert.crt
req: tells openssl to create a certificate request (a PKCS#10 CSR, Certificate Signing Request) for the server's public key; combined with -x509 the result is an X.509 certificate
x509: tells openssl to output a self-signed certificate rather than a CSR
nodes: the private key is written unencrypted (no passphrase), so the web server can load it at startup without prompting
days: the number of days the created certificate is valid
newkey: creates a new RSA key with the length given after the colon (4096 bits in the example)
keyout: filename of the private key created (can include a path)
out: filename of the self-signed certificate created
Remark: when you create a self-signed certificate in a lab setup (without a DNS/BIND server), use the IP address of the public interface of that server as the certificate name; otherwise certificate validation will fail, because the FQDN in the certificate can't be matched against the IP address the phone connects to.
Log in to EDOS (the Cisco redirect service) and download the combined certificate chain.
The basic Apache configuration to enable TLS (HTTPS). The additional configuration for MTLS (marked in bold italic in the original) is the client verification part: SSLCACertificateFile, SSLVerifyClient and SSLVerifyDepth.
# un-comment the following lines and change them to the directory containing the files for the phones:
DocumentRoot "/var/www/html"
# ServerName my_server_ip_address
ServerName 192.168.1.1:443
# change the following lines to point to your certificates
# location to the server certificate
SSLCertificateFile /etc/ssl/certs/my_self_signed_cert.crt
# location to the server key
SSLCertificateKeyFile /etc/ssl/private/my_self_signed_key.key
# location of the certificate chain used for verifying the client identity
SSLCACertificateFile /etc/ssl/certs/combinedcaBE.crt
# turn on the verification of the client certificate
SSLVerifyClient require
# set the depth to which the certificate chain is used to verify the clients
SSLVerifyDepth 3
# the rest of the configuration can be kept default.
The basic Nginx configuration to enable TLS (HTTPS). The additional configuration for MTLS (marked in bold italic in the original) is the client verification part: ssl_client_certificate, ssl_verify_client and ssl_verify_depth.
server {
# tells the server to listen to port 443 for https
listen 443 http2 ssl;
# server_name 192.168.1.1
server_name my_server_ip_address;
# location to the server certificate
ssl_certificate /etc/ssl/certs/my_self_signed_cert.crt;
# location to the server key
ssl_certificate_key /etc/ssl/private/my_self_signed_key.key;
# location of the certificate chain used for verifying the client identity.
ssl_client_certificate /etc/ssl/certs/combinedcaBE.crt;
# turn on the verification of the client certificate
ssl_verify_client on;
# set the depth to which the certificate chain is used to verify the clients
ssl_verify_depth 3;
# protocols accepted (TLSv1.1 is deprecated by RFC 8996; keep it only if older phone firmware still needs it)
ssl_protocols TLSv1.2 TLSv1.1;
# prefer server ciphers above client cipher proposals
ssl_prefer_server_ciphers on;
# the list of enabled ciphers depends on the version of openssl installed on the server;
# use "openssl ciphers" to get a full list of supported ciphers
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
# time the client can use the session parameters
ssl_session_timeout 5m;
location / {
root /path_to_your_files/;
}
# close the server block
}
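To see the whole chain in action, here is an added example (it is not part of the original article and not Cisco code). It generates two self-signed certificates with the same "openssl req -x509 -nodes ..." command shown above, one for the provisioning server (named by IP address, as the lab remark recommends) and one standing in for a phone, then starts a local TLS server configured the way SSLVerifyClient require / ssl_verify_client on behave, and checks that a client presenting a trusted certificate is accepted while a client without one is rejected. It assumes the openssl command line tool (1.1.1 or newer, for -addext) is on the PATH; the file names, the CN values and the use of a self-signed phone certificate in place of the combined CA chain from EDOS are assumptions of the example, not the article's.

```python
"""Added example (not from the article): self-signed certificates via openssl,
then a local TLS server that requires a client certificate, like
SSLVerifyClient require (Apache) / ssl_verify_client on (Nginx).
Assumes the openssl CLI (1.1.1+ for -addext) is installed."""
import socket
import ssl
import subprocess
import tempfile
import threading
from pathlib import Path


def make_self_signed(workdir, name, san):
    """Mirror of the article's openssl req -x509 -nodes command.  The
    subjectAltName is added so the verifier can match the address it
    connected to (the article's remark about using the IP address in a lab)."""
    key, crt = workdir / f"{name}.key", workdir / f"{name}.crt"
    subprocess.run(
        ["openssl", "req", "-x509", "-nodes", "-days", "365",
         "-newkey", "rsa:2048",        # article uses rsa:4096; 2048 keeps the demo fast
         "-keyout", str(key), "-out", str(crt),
         "-subj", f"/CN={name}",       # assumed names, not from the article
         "-addext", f"subjectAltName={san}"],
        check=True, capture_output=True)
    return key, crt


def build_pki(workdir):
    """Server cert for the loopback address and a self-signed phone cert.
    In production the phone cert chains to the CA bundle downloaded from EDOS;
    here the self-signed phone cert is its own trust anchor (assumption)."""
    server_key, server_crt = make_self_signed(workdir, "provisioning-server", "IP:127.0.0.1")
    phone_key, phone_crt = make_self_signed(workdir, "phone-0001", "DNS:phone-0001.lab.example")
    return {"server_key": server_key, "server_crt": server_crt,
            "phone_key": phone_key, "phone_crt": phone_crt}


def _serve_one(ctx, listener, outcome):
    """Accept one connection; record the client CN only if the handshake passed."""
    conn, _ = listener.accept()
    try:
        with ctx.wrap_socket(conn, server_side=True) as tls:
            subject = dict(rdn[0] for rdn in tls.getpeercert()["subject"])
            outcome["client_cn"] = subject.get("commonName")
            tls.sendall(b"phone config")
    except OSError as exc:            # ssl.SSLError is an OSError subclass
        outcome["error"] = str(exc)
    finally:
        conn.close()


def handshake(pki, present_client_cert):
    """Return 'accepted' or 'rejected' for one phone-to-server connection."""
    srv = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    srv.load_cert_chain(pki["server_crt"], pki["server_key"])  # SSLCertificateFile / KeyFile
    srv.load_verify_locations(cafile=pki["phone_crt"])         # SSLCACertificateFile
    srv.verify_mode = ssl.CERT_REQUIRED                        # SSLVerifyClient require

    cli = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)              # verifies server + hostname
    cli.load_verify_locations(cafile=pki["server_crt"])        # the phone's custom CA rule
    if present_client_cert:
        cli.load_cert_chain(pki["phone_crt"], pki["phone_key"])

    listener = socket.socket()
    listener.settimeout(5)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    outcome = {}
    server = threading.Thread(target=_serve_one, args=(srv, listener, outcome))
    server.start()
    try:
        with socket.create_connection(listener.getsockname(), timeout=5) as raw, \
             cli.wrap_socket(raw, server_hostname="127.0.0.1") as tls:
            tls.recv(64)  # with TLS 1.3 a missing client cert surfaces here as an alert
    except OSError as exc:
        outcome.setdefault("client_error", str(exc))
    finally:
        server.join()
        listener.close()
    return "accepted" if "client_cn" in outcome else "rejected"


def demo():
    """Run both scenarios and return their outcomes."""
    with tempfile.TemporaryDirectory() as tmp:
        pki = build_pki(Path(tmp))
        return {"with_cert": handshake(pki, True),
                "without_cert": handshake(pki, False)}


if __name__ == "__main__":
    print(demo())
```

The server thread records the client's CN only when the handshake completed with a certificate it trusts, which is the same decision the SSLVerifyClient / ssl_verify_client directives make; the chain here has depth 1 because the phone certificate is self-signed, so the SSLVerifyDepth / ssl_verify_depth value of 3 in the configurations above has room for a real EDOS-issued chain.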
To be added at a later stage.