Solved: TLS verify mode

bluesea2010 · ‎01-14-2018

Hi,

What are the pros and cons if we disabled tls verify mode off ?

Thanks

Wayne DeNardi · ‎01-14-2018

It depends on which "TLS Verify" you are referring to - but in general, having this turned on is more secure than leaving it turned off, but you must have the infrastructure to support it.

There are multiple "TLS Verify" settings which you can find mentioned in the Admin Guide:

Network [1] IEEE8021X TlsVerify

Verification of the server-side certificate of an IEEE802.1x connection against the certificates in the local CA-list when TLS is used. The CA-list must be uploaded to the video system. This can be done from the web interface.

This setting takes effect only when Network [1] IEEE8021X Eap Tls is enabled (On).

Requires user role: ADMIN, USER

Default value: Off

Value space: Off/On

Off: When set to Off, TLS connections are allowed without verifying the server-side X.509 certificate against the local CA-list. This should typically be selected if no CA-list has been uploaded to the codec.

On: When set to On, the server-side X.509 certificate will be validated against the local CA-list for all TLS connections. Only servers with a valid certificate will be allowed.

SIP TlsVerify

For TLS connections a SIP CA-list can be uploaded to the video system. This can be done from the web interface.

Requires user role: ADMIN

Default value: Off

Value space: Off/On

Off: Set to Off to allow TLS connections without verifying them. The TLS connections are allowed to be set up without verifying the x.509 certificate received from the server against the local CA-list. This should typically be selected if no SIP CA-list has been uploaded.

On: Set to On to verify TLS connections. Only TLS connections to servers, whose x.509 certificate is validated against the CA-list, will be allowed.

There is also Certificate Verification for HTTP and LDAP Server and Client site Certificates.

Wayne

Please remember to mark helpful responses and to set your question as answered if appropriate.

View solution in original post

Wayne DeNardi · ‎01-14-2018

It depends on which "TLS Verify" you are referring to - but in general, having this turned on is more secure than leaving it turned off, but you must have the infrastructure to support it.

There are multiple "TLS Verify" settings which you can find mentioned in the Admin Guide:

Network [1] IEEE8021X TlsVerify

Verification of the server-side certificate of an IEEE802.1x connection against the certificates in the local CA-list when TLS is used. The CA-list must be uploaded to the video system. This can be done from the web interface.

This setting takes effect only when Network [1] IEEE8021X Eap Tls is enabled (On).

Requires user role: ADMIN, USER

Default value: Off

Value space: Off/On

Off: When set to Off, TLS connections are allowed without verifying the server-side X.509 certificate against the local CA-list. This should typically be selected if no CA-list has been uploaded to the codec.

On: When set to On, the server-side X.509 certificate will be validated against the local CA-list for all TLS connections. Only servers with a valid certificate will be allowed.

SIP TlsVerify

For TLS connections a SIP CA-list can be uploaded to the video system. This can be done from the web interface.

Requires user role: ADMIN

Default value: Off

Value space: Off/On

Off: Set to Off to allow TLS connections without verifying them. The TLS connections are allowed to be set up without verifying the x.509 certificate received from the server against the local CA-list. This should typically be selected if no SIP CA-list has been uploaded.

On: Set to On to verify TLS connections. Only TLS connections to servers, whose x.509 certificate is validated against the CA-list, will be allowed.

There is also Certificate Verification for HTTP and LDAP Server and Client site Certificates.

Wayne

Please remember to mark helpful responses and to set your question as answered if appropriate.