10-26-2011 02:23 PM - edited 03-21-2019 04:51 AM
I was wondering if it is possible to use Cisco XML Phone applications over https (SSL) on Cisco SPA 500 series phones. I have tried to run XML applications on servers that have certificates signed by an internet CA, and this does not work. I was wondering if I got a certificate signed by Cisco as outlined in https://supportforums.cisco.com/docs/DOC-9852 whether I could run Cisco XML Phone applications over https (SSL).
10-28-2011 05:42 PM
The answer is no... This makes it difficult to provide XML applications as part of a hosted PBX. Is there any way we can request this feature in future versions of the firmware?
03-07-2012 01:59 AM
Can you not do this even with the Cisco certificate?
If not this renders the feature rather useless in anything other than a home/small office environment.
How can we request this feature be added?
03-21-2012 11:20 AM
I would also like to know if it's possible to use Cisco XML Phone applications over https and, if not, whether it is possible to know if they will include this functionality in future versions.
01-09-2014 10:08 AM
Hello,
For security reasons, I also tried to configure my XML directory on my SPA504G over HTTPS (port 443).
But it does not work, SPA says "request failed".
Over HTTP (port 80), it works fine.
Accessing the HTTPS URL from my computer works fine, so sounds like the problem is on SPA side.
I use the latest firmware (7.5.5).
Could we think about adding HTTPS support for XML applications to the next firmware release?
Thank you very much !
Best regards,
Gio
02-09-2014 02:15 AM
02-12-2014 11:07 AM
Dan, thank you for your suggestion.
I have a StartCom class 2 certificate (startssl.com).
How do I know if this CA is trusted by the phone?
Here is what syslog gives:
12/02/2014 19:10:57,000 Starting XML service @ https[-1]: //sub.myhiddendom.com/addr.php
12/02/2014 19:10:57,000 Unknown[-1]: ********setSoftKeys for 949fa0e0 to type 0 with 0 items
12/02/2014 19:10:57,000 cme services url=https[-1]: //sub.myhiddendom.com/addr.php
12/02/2014 19:10:57,000 Unknown[-1]: create CMX_new @ 949fa0e0, init cbData 0 g_pAppCmx=0
12/02/2014 19:10:57,000 Unknown[-1]: [CMXHTTP] Http failed, rc=0, len=10240
12/02/2014 19:10:57,000 Unknown[-1]: SipXml_eventHandler SIPXML_EV_CMXH_FAILED
12/02/2014 19:10:57,000 CMX_eventProc(),app=949fa0e0 msg[-1]: 0xFB4B, par:0, par2:0
12/02/2014 19:10:57,000 CMX_eventProc[-1]: got http_failed. 4 4 0x0
Nothing really relevant
Thanks for your support !
02-12-2014 12:06 PM
I told you to catch syslog & debug messages. It seems you caught either local0 facility messages only or you filtered out messages with severity less than info. All in all, local3.debug messages are missing from your output. Unfortunately, for the purpose of your question, I'm more interested in debug messages than info messages.
At the bottom I attached two complete logs. See the red line in the first one. This is the line we are interested in seeing. The err 20 means X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY error = either the chain root's certificate or an intermediate certificate is not found in the phone's local database of trusted certificates. As the certificate chain can't be verified to be trusted, the connection needs to be rejected.
Check your output, find your error number and we can continue to solve the problem.
-----------------------------------------------
Syslog&debug messages for unsuccessful access to XML address book using https protocol:
local0.info | ********setSoftKeys for 94e93710 to type 0 with 0 items
local0.info | cme services url=https://test-provisioning.---.cz/Cisco/XML-Telefonni-seznam.php
local0.info | create CMX_new @ 94e93710, init cbData 949b3fd0 g_pAppCmx=0
local3.debug | cmxhttp: url=https://test-provisioning.---.cz/Cisco/XML-Telefonni-seznam.php
local3.debug | [CMXHTTP] scheme = https
local3.debug | [CMXHTTP] scheme = 3
local0.info | [CMXHTTP] host=test-provisioning.---.cz:443; path=/Cisco/XML-Telefonni-seznam.php; locale=Accept-Language: en-US
local3.debug | [create_tcp_netstrm1] use async to create tcp connection
local3.debug | connect succeed
local3.debug | [create_tcp_netstrm1] connect SUCCEED
local3.debug | ssl cert err 20
local3.debug | create ssl connection failed
local3.debug | [CMXHTTP] refresh time=0s, URL=
local0.info | [CMXHTTP] Http failed, rc=0, len=10240
local0.info | SipXml_eventHandler SIPXML_EV_CMXH_FAILED
local0.info | CMX_eventProc(),app=94e93710 msg:0xFB4B, par:0, par2:0
local0.info | CMX_eventProc: got http_failed. 1 1 0x0
Syslog&debug messages for successful access to XML address book using https protocol:
local0.info | ********setSoftKeys for 949c53a0 to type 0 with 0 items
local0.info | cme services url=https://test-provisioning.---.cz/Cisco/XML-Telefonni-seznam.php
local0.info | create CMX_new @ 949c53a0, init cbData 949b3fd0 g_pAppCmx=0
local3.debug | cmxhttp: url=https://test-provisioning.---.cz/Cisco/XML-Telefonni-seznam.php
local3.debug | [CMXHTTP] scheme = https
local3.debug | [CMXHTTP] scheme = 3
local0.info | [CMXHTTP] host=test-provisioning.---.cz:443; path=/Cisco/XML-Telefonni-seznam.php; locale=Accept-Language: en-US
local3.debug | [create_tcp_netstrm1] use async to create tcp connection
local3.debug | connect succeed
local3.debug | [create_tcp_netstrm1] connect SUCCEED
local3.debug | [CMXHTTP] refresh time=0s, URL=
local0.info | [CMXHTTP] Resp=200(318)(318)
kernel.emergency |
Phone book 2.1.2
Input name (part)
http://test-provisioning.---.cz/Cisco/XML-Telefonni-seznam.php
Name
name
A
local0.info |
local0.info | CMX_eventProc(),app=949c53a0 msg:0xFB4A, par:2493265136, par2:0
local3.debug | xml charset: -1
local3.debug | http charset: 1
local0.info | CMX Input
local3.debug | CMX_eventProc(), CMX_parse() done, pobj(0x94e94690) type = 2
local3.debug | CMX_eventProc(), title=Phone book 2.1.2, prompt(0x94e946b2)=Input name (part)
local3.debug | CMX_eventProc(), 0 softkeys, max pos 0, items(0x0)
local3.debug | CMX_eventProc(), refresh to in 0 sec
local3.debug | drawCmxObj(), o->ucType=2
local0.info | create CMX_new @ 949a5e40, init cbData 0 g_pAppCmx=949a5e40
02-12-2014 12:37 PM
You're right, I forgot debug.
So here is the full trace:
Feb 12 21:28:28 line 3 is extended function key for xml service.
Feb 12 21:28:28 cmxhttp: url=https://sub.myhiddendom.com/addr.php
Feb 12 21:28:28 [CMXHTTP] scheme = https
Feb 12 21:28:28 [CMXHTTP] scheme = 3
Feb 12 21:28:28 [create_tcp_netstrm1] use async to create tcp connection
Feb 12 21:28:28 connect succeed
Feb 12 21:28:28 [create_tcp_netstrm1] connect SUCCEED
Feb 12 21:28:28 ssl cert err 20
Feb 12 21:28:28 create ssl connection failed
Feb 12 21:28:28 [CMXHTTP] refresh time=0s, URL=
SSL error 20 seems to be the issue (as in your example).
02-12-2014 01:12 PM
OK, we are almost done. Either [1] the chain root certificate is not recognized as trusted or [2] an intermediate certificate is not supplied by the HTTP server during the HTTPS session. Or both.
According to [1], check that the root certificate related to the certificate you are using is installed on the phone:
Note that there is no CA certificate installed in the picture above, as I'm using certificates issued by Cisco's CA, which is trusted by default. In your case the appropriate CA certificate needs to be installed.
If such a certificate is not installed, then install it:
According to [2], you need to verify that all certificates of the certificate chain, not including the root certificate, are supplied by the HTTPS server during the HTTPS session. If not, correct the configuration of your HTTPS server accordingly.
Hope it helps.
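To make the two failure causes above concrete, here is an added example (not from this thread, Cisco or the phone firmware): a shell script that uses the openssl command-line tool to build a throwaway root -> intermediate -> leaf chain, then verifies the leaf against the root alone, which reproduces error 20 (the missing local issuer), and again with the intermediate supplied the way a correctly configured HTTPS server sends it. It assumes the openssl CLI is installed; every certificate name and file here is constructed for the example.

```shell
#!/bin/sh
# Reproduce X.509 verify error 20 (X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY, the
# "ssl cert err 20" seen in the phone's debug log) with a throwaway
# root -> intermediate -> leaf chain, then show that verification succeeds once the
# intermediate certificate is supplied alongside the leaf.
# Requires the openssl command-line tool. All names and files are constructed for this example.
set -e

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Build root CA -> intermediate CA -> server (leaf) certificate in $WORK.
make_chain() {
  # Extensions shared by both CA certificates.
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$WORK/ca.ext"
  # Self-signed root CA: this is what would have to be installed on the phone as trusted.
  openssl req -newkey rsa:2048 -nodes -subj "/CN=Example Root CA" \
    -keyout "$WORK/root.key" -out "$WORK/root.csr" >/dev/null 2>&1
  openssl x509 -req -days 2 -in "$WORK/root.csr" -signkey "$WORK/root.key" \
    -extfile "$WORK/ca.ext" -out "$WORK/root.pem" >/dev/null 2>&1
  # Intermediate CA, signed by the root; the HTTPS server must send this one too.
  openssl req -newkey rsa:2048 -nodes -subj "/CN=Example Intermediate CA" \
    -keyout "$WORK/int.key" -out "$WORK/int.csr" >/dev/null 2>&1
  openssl x509 -req -days 2 -in "$WORK/int.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
    -CAcreateserial -extfile "$WORK/ca.ext" -out "$WORK/int.pem" >/dev/null 2>&1
  # Server (leaf) certificate, signed by the intermediate.
  openssl req -newkey rsa:2048 -nodes -subj "/CN=phonebook.example.invalid" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" >/dev/null 2>&1
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:phonebook.example.invalid\n' \
    > "$WORK/leaf.ext"
  openssl x509 -req -days 2 -in "$WORK/leaf.csr" -CA "$WORK/int.pem" -CAkey "$WORK/int.key" \
    -CAcreateserial -extfile "$WORK/leaf.ext" -out "$WORK/leaf.pem" >/dev/null 2>&1
}

# verify_leaf ROOT_PEM [INTERMEDIATE_PEM]
# Verifies the leaf the way a TLS client does: ROOT_PEM is the local trusted store (the
# phone's CA database), the optional INTERMEDIATE_PEM stands for the extra certificate the
# server sends in its handshake. Prints "ok" on success, otherwise OpenSSL's numeric error.
verify_leaf() {
  root="$1"
  inter="${2:-}"
  if [ -n "$inter" ]; then
    out="$(openssl verify -CAfile "$root" -untrusted "$inter" "$WORK/leaf.pem" 2>&1 || true)"
  else
    out="$(openssl verify -CAfile "$root" "$WORK/leaf.pem" 2>&1 || true)"
  fi
  # A failure line reads e.g.: "error 20 at 0 depth lookup: unable to get local issuer certificate"
  code="$(printf '%s\n' "$out" | sed -n 's/.*error \([0-9][0-9]*\) at .*/\1/p' | head -n 1)"
  if [ -n "$code" ]; then
    echo "$code"
  else
    echo ok
  fi
}

if command -v openssl >/dev/null 2>&1; then
  make_chain
  echo "trusted root only, intermediate missing: $(verify_leaf "$WORK/root.pem")"             # 20
  echo "trusted root + intermediate supplied:    $(verify_leaf "$WORK/root.pem" "$WORK/int.pem")"  # ok
fi
```

The first call models case [1]/[2] failing together: the client trusts a root but never sees the certificate that links the leaf to it, so the lookup for the leaf's issuer fails locally and the chain is rejected. The second call models a server that sends leaf plus intermediate to a client whose store holds the root. Against a real server, `openssl s_client -connect host:port -showcerts` prints the chain the server actually sends, which is the quickest way to tell whether the intermediate is missing on the server side or the root is missing on the phone side.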
02-12-2014 01:46 PM
Dan, thank you very much!
Installing the CA cert did the trick!
I'm however quite surprised, my SPA504G takes much more time to display the result using HTTPS than HTTP (3 or 4 seconds instead of, let's say, 0).
Look at the timestamps in this example:
Feb 12 22:43:29 line 3 is extended function key for xml service.
Feb 12 22:43:29 cmxhttp: url=https://sub.myhiddendom.com/addr.php
Feb 12 22:43:29 [CMXHTTP] scheme = https
Feb 12 22:43:29 [CMXHTTP] scheme = 3
Feb 12 22:43:29 [create_tcp_netstrm1] use async to create tcp connection
Feb 12 22:43:30 connect succeed
Feb 12 22:43:30 [create_tcp_netstrm1] connect SUCCEED
Feb 12 22:43:33 [CMXHTTP] refresh time=0s, URL=
(...)
I also discovered that the SPA does not support:
- wildcard certificates (*.domain.com): not really a problem, just as a "reminder" here;
- Server Name Indication: more annoying, this would be good for those who have several certificates on the same IP.
02-12-2014 03:07 PM
You should "reply" to the message you are replying to, not to the original question.
I'm however quite surprised, my SPA504G takes much more time to display the result using HTTPS than HTTP (3 or 4 seconds instead of let's say 0).
Of course. It is cryptography and it takes computing power. And the phone hardware has no power for such kind of computing. Use a short private key (like 512b) to shorten the connection setup time (but at the cost of lower security).
- wildcard certificates (*.domain.com): not really a problem, just as a "reminder" here;
- Server Name Indication: more annoying, this would be good for those who have several certificates on the same IP.
Wildcard certificates have never been standardized as far as I know. SNI is a very new extension of the SSL protocol. No implementation should depend on it. You need to use the same solutions used in pre-SNI times, e.g. every HTTPS server needs its own IP or port. It's not a real issue here as you can configure phones to use any port number you wish; you are not tied to the default 443 port.
There are other problems related to SSL - SPA[35]xx accepts certificates even if they are expired. SPA[12]xx ATA devices with firmware older than 1.3.2 don't check certificates at all; any certificate is considered valid.
Consider rating useful responses - it will help others to find solutions.
02-12-2014 08:37 PM
I can confirm that XML apps now work correctly in the latest firmware (only took 2 years). I have tested using a cert issued by Cisco as mentioned in the original post. Unfortunately this adds 3-4 seconds to each request, making this unacceptable for production use. I am currently using a Cisco 504G. I will test with a 514G and see if it makes a difference.
02-13-2014 03:01 AM
Which key size? Did you try a short key like 512 or even 384 bits?
SPA514G may be somewhat faster as it's newer hardware ...
02-13-2014 05:49 AM
Following the directions in https://supportforums.cisco.com/docs/DOC-9852 I am using 1023
"Generate a private key which you will use to generate the certificate signing request
webserver# openssl genrsa -out
I am not sure if Cisco will accept a smaller key.