10-26-2011 02:23 PM - edited 03-21-2019 04:51 AM
I was wondering if it is possible to use Cisco XML Phone applications over https (SSL) on Cisco SPA 500 series phones. I have tried to run XML applications on servers that have certificates signed by an internet CA, and this does not work. I was wondering if I got a certificate signed by Cisco as outlined in https://supportforums.cisco.com/docs/DOC-9852 whether I could run Cisco XML Phone applications over https (SSL).
02-13-2014 06:19 AM
Mine is 4096 bits and it also takes 3/4 seconds, as you do with your 1024-bit key.
So I'm not sure 512/384-bit keys would make a difference / would make it usable in production mode.
02-13-2014 10:19 AM
Which hardware version? If I remember correctly, it takes a few seconds, not a fraction of a second, on SPA50x HW_VER 1.0.2 even with a 1024-bit key and signature algorithm sha1WithRSAEncryption.
Maybe it depends more on hardware revision than key size. The signature algorithm may affect it as well. It seems that further investigation is required (as I don't expect Cisco to document the feature properly).
According to your other message, the SPA525G2 seems to be a very different beast from the SPA5xxG.
About feature requests, how do you make them?
No idea. I don't even know how to report bugs. Of course, I'm NOT willing to pay for the right to inform Cisco about a bug in its product.
02-13-2014 10:07 AM
1024 is the only allowed size for the "mini certificate" (used for voice encryption). There seems to be no 1024-only limit for HTTPS certificates as far as I know.
But the allowed key size range is not documented by Cisco, nor are the acceptable hash algorithms and other certificate-related options. In fact, Cisco's documentation on this is very incomplete, almost non-existent. Even the list of CAs considered trusted by default on a particular device and firmware revision is not published.
On the one side, Cisco (better to say Linksys or Sipura) has created a valuable security mechanism; on the other side, the lack of documentation devalues it badly.
Well, we need to live with it. I will create a few certificates based on keys of different sizes and using different hash algorithms, I will test them and I will report the results. Not today, but sometime in the unspecified future ...
02-23-2014 06:31 AM
Ok, I did some tests. Conclusion? The delay caused by SSL handshaking is about 2.5s for keys in the range 384-2048 bits on SPA5xx and about 1.5-2.0s on the SPA ATA platform. For more details see below.
Test conditions:
CA: rsa:2048 bit / SHA1
Certificate: rsa:see_table_for_size / SHA1
Time interval measured as seconds on:
to next syslog/debug message. Note: just one attempt, no statistical method used.
Results:
Model | HW_VER | SW_VER | rsa:384 | rsa:1024 | rsa:2048 | rsa:4096 | rsa:8192 | rsa:16384
---|---|---|---|---|---|---|---|---
SPA504G | 1.0.2 | 7.5.5 | 2.52s | 2.42s | 2.44s | 2.75s | 3.57s | 7.39s
SPA504G | 1.0.4 | 7.6.1 | ? | ? | 3.01s | ? | ? | ?
SPA112 | 1.0.0 | 1.3.3 | 1.36s | 2.04s | 1.61s | 2.48s | 2.26s | ERR:20
SPA525G2 | 2.1.1 | 7.5.5 | 0.82s | 1.30s | 0.79s | 0.85s | 1.14s | 2.84s
Notes:
Also tried rsa:2048/MD5: on SPA504G|1.0.2|7.5.5 it takes 2.56s, on SPA112|1.0.0|1.3.3 it takes 2.27s, on SPA525G2|2.1.1|7.5.5 it takes 0.79s.
No other digest algorithms are supported (tried md4, mdc2, ripemd160, sha, sha2).
An unsupported message digest causes ssl cert err 7 (X509_V_ERR_CERT_SIGNATURE_FAILURE).
A 16kB key is supported on SPA5xx but not on SPA ATA. It returns ssl cert err 20 (X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY) there.
Note that some old firmwares don't support DH keys over 1024 bits. Such firmware will fail to set up an SSL/TLS connection with a server using a longer key at all. Apache 2.4 is known to use a larger DH key if the private key used is larger than 1024 bits. PAP2T even with the newest firmware, and SPA50x with pre-7.5.2b firmware, are known to be affected by this issue.
I would like to test a 1.0.4 HW_VER SPA50x as well as an SPA51x but I don't have one yet.
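The test matrix above (a 2048-bit/SHA1 CA issuing server certificates of several RSA key sizes and digests, one handshake timed per certificate) can be rebuilt with stock OpenSSL. The script below is an added example, not code from the thread or from Cisco: it issues the certificates, checks what was really issued (`key_bits`, `sig_alg`), then serves each one with `openssl s_server` and times a single verified handshake with `openssl s_client`. Everything in it is an assumption of this example rather than something the thread states: `openssl` in PATH, a free local TCP port `$PORT`, GNU `date` for `%N`, the key sizes and digests in `run_benchmark`, and the `AES128-SHA:@SECLEVEL=0` cipher string, which is only there to make a current OpenSSL accept the SHA1/MD5-signed, short-key certificates the phones accept. OpenSSL 3 refuses RSA keys under 512 bits, so the 384-bit case cannot be reproduced with it.

```shell
#!/bin/sh
# Added example (not from the thread): rebuild the certificate matrix with OpenSSL
# and time one TLS handshake per certificate against a local openssl s_server.
# Assumptions: openssl in PATH, local port $PORT free, GNU date (%N), and the
# constructed list of key sizes/digests below.

WORK="${WORK:-$(mktemp -d)}"
PORT="${PORT:-14433}"
# The phones accept SHA1/MD5-signed certificates and short keys that current OpenSSL
# rejects at its default security level. A static-RSA suite at SECLEVEL=0 mirrors the
# old clients; RSA key exchange also avoids RSA-PSS signatures, which a 512-bit key
# cannot produce.
LEGACY_CIPHERS='AES128-SHA:@SECLEVEL=0'

# make_ca: self-signed RSA-2048/SHA1 CA, as in the thread's "CA: rsa:2048 bit / SHA1"
make_ca() {
    openssl req -x509 -newkey rsa:2048 -sha1 -nodes -days 30 -subj '/CN=Test CA' \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# make_cert BITS DIGEST: server certificate with a BITS-bit RSA key, CA-signed with DIGEST
make_cert() {
    base="$WORK/srv-$1-$2"
    openssl req -new -newkey "rsa:$1" -nodes -subj '/CN=localhost' \
        -keyout "$base.key" -out "$base.csr" 2>/dev/null &&
    openssl x509 -req "-$2" -days 30 -in "$base.csr" -CA "$WORK/ca.crt" \
        -CAkey "$WORK/ca.key" -CAcreateserial -out "$base.crt" 2>/dev/null
}

# key_bits CERT: RSA modulus size recorded in the certificate (checks what was really issued)
key_bits() {
    openssl x509 -noout -text -in "$1" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# sig_alg CERT: signature algorithm of the certificate, e.g. sha1WithRSAEncryption
sig_alg() {
    openssl x509 -noout -text -in "$1" | sed -n 's/^ *Signature Algorithm: \(.*\)/\1/p' | head -n 1
}

# time_handshake CERT KEY: serve CERT locally, time one verified TLS 1.2 handshake, print ms
time_handshake() {
    openssl s_server -accept "$PORT" -cert "$1" -key "$2" -cipher "$LEGACY_CIPHERS" \
        -www >/dev/null 2>&1 &
    srv=$!
    sleep 1                                   # let s_server bind before connecting
    start=$(date +%s%N)
    printf 'GET / HTTP/1.0\r\n\r\n' | openssl s_client -connect "127.0.0.1:$PORT" -tls1_2 \
        -cipher "$LEGACY_CIPHERS" -CAfile "$WORK/ca.crt" -verify_return_error \
        -quiet >/dev/null 2>&1
    rc=$?
    end=$(date +%s%N)
    kill "$srv" 2>/dev/null; wait "$srv" 2>/dev/null
    if [ "$rc" -eq 0 ]; then
        echo "$(( (end - start) / 1000000 )) ms"
    else
        echo "handshake failed (rc=$rc)"      # e.g. chain rejected or key too small
    fi
}

# run_benchmark: one line per key size and digest, like the thread's table
run_benchmark() {
    make_ca || return 1
    for digest in sha1 md5; do
        for bits in 512 1024 2048 4096; do
            if make_cert "$bits" "$digest"; then
                crt="$WORK/srv-$bits-$digest.crt"
                printf 'rsa:%s/%s  key=%s bit  sig=%s  %s\n' "$bits" "$digest" \
                    "$(key_bits "$crt")" "$(sig_alg "$crt")" \
                    "$(time_handshake "$crt" "$WORK/srv-$bits-$digest.key")"
            else
                echo "rsa:$bits/$digest  certificate generation failed"
            fi
        done
    done
}

case "${1:-}" in run) run_benchmark ;; esac
```

Run it as `sh bench.sh run`; the numbers it prints are for the machine running `s_client`, so what carries over to a phone is the procedure and the certificates, not the times. Because the weak settings are confined to `LEGACY_CIPHERS` and the generated test CA, nothing here lowers the security level of a real deployment; the same `key_bits` and `sig_alg` checks are also a quick way to confirm that a certificate handed to a phone actually has the key size and digest the table row claims.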
02-23-2014 06:31 AM
Dan, interesting results!
Any chance to perform these tests (or at least with rsa:4096) on a SPA525G2?
Does anybody have experience with XML applications over HTTPS on a SPA525G2?
Thank you!
02-23-2014 01:58 PM
Yes, I have one SPA525G2. But be patient, I'm out of my test lab for at least the next week.
02-24-2014 05:32 AM
OK Dan, thank you very much!
04-27-2014 02:07 AM
Hi Dan,
Were you able to perform this test?
Thank you very much!
04-27-2014 04:31 AM
Which test? Results of the SPA525G2 tests were added to the table above a long time ago.
04-27-2014 04:38 AM
Ah yes, you're right, thank you very much!
I did not get notified because you only updated your message without posting a new one.
The results are really interesting, the SPA525G2 is around 3 times faster.
We now have to validate whether 0.8 second is something usable / production ready.
Thank you for your time Dan!
04-27-2014 08:02 AM
As you noted, the SPA51x could be interesting to test; it seems that the only difference is the 1Gbps ethernet connection, but perhaps they have a bigger CPU, which would lead to a smaller SSL delay, perhaps even smaller than with the 525.
Any idea when you will have one of them available?
Thank you!
04-27-2014 09:37 AM
I spent my personal money on an SPA112 and SPA232D+SPA302D within the past few months and the budget dedicated to toys is exhausted. I'm not going to buy it myself now.
Unless someone (you?) decides to be a donor, there is no SPA51x known to be on the way. Sorry.
04-27-2014 11:50 AM
OK, I just ordered a SPA514G.
I will be able to compare it with a SPA504G.
05-07-2014 02:18 PM
So, here are the results, for a full HTTPS (RSA 4096 bits) request.
The goal is simply to see whether the SPA51x series is faster or not.
SPA 504G hardware 1.0.0: 3.8 seconds
SPA 514G hardware 1.0.0: 4.2 seconds
Incredible, but the SPA514G is a bit slower!
05-08-2014 02:22 AM
This kind of measurement is not so precise. I consider them the same.
And it's not so surprising either - I assume that the 51xG has a 1G-capable internal switch chip instead of the 100MHz-only chip in the 50xG. But no change elsewhere in the architecture, so the same CPU means the same computing power ...
I have "disassemble a 50xG" on my TODO list, so I will have more information then.