Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
201
Views
0
Helpful
1
Replies

Phone Screenshot URL with HTTPS

gruber
Level 1
Level 1

‎02-21-2024 12:42 AM

Hi All,

I need help regarding the phone screen feature. Our product uses a built-in Cisco IP phone feature that provides the current phone screen as PNG or BMP image via HTTP access.

Phone Screen URL: http://<IP-ADDRESS>/CGI/Screenshot

Problem

This phone screen feature works fine with all types of IP phones by using HTTP protocol. However, if we switch the URL to HTTPS, this feature is unreliable. It works in some phone types but does not work with other types. As a result, we noticed an unpredictable and unreliable behaviour.

It has been also tested without our product, so we carried out tests directly with Chrome and Firefox browsers and the result was the same. It seems to be unreliable when HTTPS is used in the URL.

Assumption

Could it be an issue with the phone firmware? Perhaps some firmware versions do not support HTTPS properly?

 

Please look at the attached Word document (phone_screen_issue.docx) where I added pictures for both working and non-working cases.

Kind Regards,

Zoltan Balogh

 

Labels:
Preview file
1175 KB
0 Helpful
1 Reply 1

Rich R
VIP
VIP

‎02-21-2024 07:45 AM

Hi Zoltan

For https to work reliably you need to use a public trusted https certificate.   Otherwise every single device will need the correct private CA and intermediate certificates installed.

I see your URL is http://<ip address>/ - that's an immediate red flag for me because certificates should normally only be issued for a fully qualified DNS domain name (FQDN).  So the URL should be something like https://mydomain.company.com/ resolved via DNS and the certificate (issued by a trusted CA) should exactly match that domain.  That is the starting point for reliable working https.

The other factor is different TLS versions and ciphers/hashes.  Your client and server need to support common protocols and ciphers/hashes.  If client or server is horribly out of date (for example a very old client which doesn't support TLS) then they will not be able to negotiate the TLS connection.  So you need to make sure all clients and servers are capable of supporting the latest standards - in some cases that may require software or firmware updates.  It might not be possible on old products which are end of support.

------------------------------
Please click Helpful if this post helped you and Select as Solution (drop down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's   and   TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's,   Best Practices for 9800 WLC's   and   Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.196.0, latest 9800 releases, 8.5.182.12 (8.5.182.13 for 3504) and 8.5.182.109 (IRCM, 8.5.182.111 for 3504)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs
0 Helpful
Customers Also Viewed These Support Documents