Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
663
Views
0
Helpful
5
Replies

DNS SRV failover and TLS_Name_Validate

Go to solution
mwiater
Level 1
Level 1

‎11-07-2022 06:09 AM

I'm working on configuring SRV failover with TLS.

I have several proxies with proper DNS configurations, failover works fine when I configure the primary server to send a 503, but only if I disable TLS_Name_Validate.

Logs indicate that it's not liking the hostname in the alternate proxy when it goes to validate
(3010: 3157) voice-SIP-TCP.SIP_TCP_stream_connect [Ext:1] TLS:Connecting...
(3010: 3157) voice-SIP-TCP.SIP_TCP_stream_connect [Ext:1] TLS:Hostname validation:server1.mydomain.test
(3010: 3157) voice-sal_cert_is_host hostname 'server1.mydomain.test' not matched with commonName[0] 'server2.mydomain.test'

My DNS is right,

;; ANSWER SECTION:
_sips._tcp.server1.mydomain.test. 86400 IN SRV 10 10 5061 server1.mydomain.test.
_sips._tcp.server1.mydomain.test. 86400 IN SRV 20 10 5061 server2.mydomain.test.

My certificates names are the FQDN of the computer

For the phones configuration, 

<Use_DNS_SRV_1_ ua="na">Yes</Use_DNS_SRV_1_>
<DNS_SRV_Auto_prefix_1_ ua="na">Yes</DNS_SRV_Auto_prefix_1_>
<TLS_Name_Validate_1_ ua="na">No</TLS_Name_Validate_1_>
<Proxy_Redundancy_Method_1_ ua="na">Based on SRV Port</Proxy_Redundancy_Method_1_>
<Outbound_Proxy_1_ ua="na">server1.mydomain.test</Outbound_Proxy_1_>
<Auto_Register_When_Failover_1_ ua="na">Yes</Auto_Register_When_Failover_1_>

and I tried this also.
<Alternate_Outbound_Proxy_1_ ua="na">server2.mydomain.test</Alternate_Outbound_Proxy_1_>

I’d like the phones to validate my certificates, but how can I tell the phones of my alternate proxies? 


Or better, is there a setting to make the phone check the hostname that it’s actually registering to when SRV failover is active?

1 person had this problem
Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Nithin Eluvathingal
VIP
VIP

‎11-07-2022 06:42 AM

 voice-sal_cert_is_host hostname 'server1.mydomain.test' not matched with commonName[0] 'server2.mydomain.test'

There. server certificate doesn't contain all hostnames. 



Response Signature


View solution in original post

0 Helpful
5 Replies 5

Go to solution
Rajan
VIP Alumni
VIP Alumni

‎11-07-2022 06:18 AM

The certificates which the phones will get need to have those servers added as common names in order to trust.

HTH
Rajan
Please mark all useful posts as helpful and solutions as accepted wherever applicable

 

0 Helpful

Go to solution
mwiater
Level 1
Level 1
In response to Rajan

‎11-07-2022 06:39 AM

You don't mean that I have to provide the certificate to the phone, right?    In what configuration item would I enter the list of common names?

0 Helpful

Go to solution
Nithin Eluvathingal
VIP
VIP

‎11-07-2022 06:42 AM

 voice-sal_cert_is_host hostname 'server1.mydomain.test' not matched with commonName[0] 'server2.mydomain.test'

There. server certificate doesn't contain all hostnames. 



Response Signature


0 Helpful

Go to solution
mwiater
Level 1
Level 1
In response to Nithin Eluvathingal

‎11-08-2022 01:33 PM

Thank you Nithin.  It looks like we need SANs in our certs.

0 Helpful

Go to solution
mwiater
Level 1
Level 1

‎11-07-2022 08:31 AM

I'm having a hard time understanding why the phone would not be able to validate the certificate against the second priority proxy. The phone knows it's talking with server2, the certificate says it's server2, that should match.  

0 Helpful
Customers Also Viewed These Support Documents