Mutual TLS is broken in 7.5.7 and 7.5.7s on SPA504 and SPA514

Philip D'Ath
VIP Alumni

We run a secure provisioning server. We mutually authenticate the TLS provisioning requests coming in from the phones (to make sure it is a Cisco phone and that the phone has a certificate in it installed by Cisco) before giving them their configuration file.

This process works across a wide variety of software versions, except the latest 7.5.7 and 7.5.7s releases.

On the server we use Apache/2.4.7. For phones running 7.5.7 and 7.5.7s we get this error in the Apache error log:

[client xx.xx.xx.xx:58598] AH02261: Re-negotiation handshake failed: Not accepted by client!?

Important bits of our Apache config relating to this are:
SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:!LOW:!SSLv2:!EXPORT
SSLProtocol -ALL +TLSv1.2 +TLSv1.1 +TLSv1
SSLInsecureRenegotiation on

SSLCACertificateFile /etc/apache2/ca.pem
* This definitely contains the Sipura CA certificates (can't remember, about 5 of them)

<Directory /var/www/https/Cisco>
Options MultiViews
AllowOverride None
Order allow,deny
allow from all
SSLVerifyClient require
SSLVerifyDepth 1
</Directory>


How do we go about getting bugs investigated? Our phones are under small business support.
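The AH02261 message in the post is a renegotiation error, and the quoted configuration asks for the client certificate inside a <Directory> block. mod_ssl cannot know which directory a request is for until the first handshake is done, so a per-directory SSLVerifyClient (or SSLCipherSuite) makes it complete the handshake and then renegotiate to fetch the certificate; a client that refuses that second handshake fails exactly as shown. The checker below is an added example, not something from the thread or from Cisco; the two configurations it scans are constructed to mirror the posted snippet, and the "fixed" variant only illustrates the vhost-level placement that avoids renegotiation (whether the affected firmware then succeeds is not established by the thread).

```python
import re

# Constructed sample configuration, modelled on the snippet quoted in the post
# (not the poster's actual file).
SAMPLE_CONFIG = """
SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:!LOW:!SSLv2:!EXPORT
SSLProtocol -ALL +TLSv1.2 +TLSv1.1 +TLSv1
SSLInsecureRenegotiation on
SSLCACertificateFile /etc/apache2/ca.pem

<Directory /var/www/https/Cisco>
    Options MultiViews
    AllowOverride None
    SSLVerifyClient require
    SSLVerifyDepth 1
</Directory>
"""

# Constructed counterpart: client verification is required for the whole
# virtual host, so the certificate is requested in the initial handshake and
# no renegotiation is needed.
FIXED_CONFIG = """
SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:!LOW:!SSLv2:!EXPORT
SSLProtocol -ALL +TLSv1.2 +TLSv1.1 +TLSv1
SSLCACertificateFile /etc/apache2/ca.pem
SSLVerifyClient require
SSLVerifyDepth 1

<Directory /var/www/https/Cisco>
    Options MultiViews
    AllowOverride None
</Directory>
"""

# Per-directory containers: mod_ssl only learns which one applies after the
# first handshake, so TLS settings placed inside them can only take effect
# through a renegotiation.
SECTION_OPEN = re.compile(
    r"^<(Directory|DirectoryMatch|Location|LocationMatch|Files|FilesMatch)\b", re.I)
SECTION_CLOSE = re.compile(
    r"^</(Directory|DirectoryMatch|Location|LocationMatch|Files|FilesMatch)\s*>", re.I)

# Directives that mod_ssl honours in per-directory context by renegotiating.
RENEGOTIATING = {"sslverifyclient", "sslciphersuite"}


def find_renegotiation_triggers(config_text):
    """Return [(line_no, message), ...] for settings that make mod_ssl
    renegotiate, or that loosen its renegotiation security checks."""
    findings = []
    stack = []  # currently open per-directory containers
    for n, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if SECTION_OPEN.match(line):
            stack.append(line)
            continue
        if SECTION_CLOSE.match(line):
            if stack:
                stack.pop()
            continue
        parts = line.split(None, 1)
        directive = parts[0].lower()
        args = parts[1].strip() if len(parts) > 1 else ""
        if stack and directive in RENEGOTIATING:
            findings.append((n, f"{parts[0]} inside {stack[-1]} forces a renegotiation "
                                "after the initial handshake; set it at VirtualHost level"))
        elif directive == "sslinsecurerenegotiation" and args.lower() == "on":
            findings.append((n, "SSLInsecureRenegotiation on accepts renegotiation from "
                                "clients without RFC 5746 support; keep it off unless a "
                                "specific legacy client needs it"))
    return findings


if __name__ == "__main__":
    for line_no, message in find_renegotiation_triggers(SAMPLE_CONFIG):
        print(f"line {line_no}: {message}")
    print("fixed config findings:", find_renegotiation_triggers(FIXED_CONFIG))
```

Run it against a real httpd configuration by reading the file into `find_renegotiation_triggers`; on the constructed sample it reports the `SSLInsecureRenegotiation on` line and the `SSLVerifyClient` inside the <Directory> block, and nothing for the vhost-level variant.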

38 Replies

What we do is specify the crypto order we would like to use in Apache using:

SSLProtocol -ALL +TLSv1.2 +TLSv1.1 +TLSv1

When a phone first connects in we upgrade it to a known software version, at which point it gets the rest of its config (which has been tested using that software version).

Unsuitable for PAP2T, SPA9xx, SPA[23][01]00, not sure about ATA800[08].

May not cause a problem if you have no such devices.

Note the SSLProtocol option is a bitmap, so

SSLProtocol -ALL +TLSv1.2 +TLSv1.1 +TLSv1

is the same as

SSLProtocol -ALL +TLSv1 +TLSv1.1 +TLSv1.2
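The reply above makes the point that SSLProtocol builds a set of enabled versions, so the order of the words carries no preference; which enabled version is actually used is decided in the handshake. The evaluator below is an added example (mine, not Apache's code or anything from the thread). It applies the words left to right with '+' adding and '-' removing, which is the documented behaviour; treating a bare name as replacing the set, and expanding ALL to every name in the KNOWN tuple, are my assumptions and do not affect the two lines from the thread because both start with -ALL.

```python
# Protocol names mod_ssl understands. Which of these "ALL" really covers
# depends on the httpd and OpenSSL build (assumption: all of them here);
# it is irrelevant when the directive starts with -ALL.
KNOWN = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3")
CANONICAL = {name.lower(): name for name in KNOWN}


def parse_ssl_protocol(directive):
    """Evaluate an SSLProtocol line into the frozenset of enabled versions.
    Words are applied left to right: '+name' adds, '-name' removes and a
    bare name replaces the set (the replace rule is assumed, see lead-in)."""
    words = directive.split()
    if words and words[0].lower() == "sslprotocol":
        words = words[1:]  # allow passing the whole directive line
    enabled = set()
    for word in words:
        action, name = "=", word
        if word[:1] in ("+", "-"):
            action, name = word[0], word[1:]
        key = name.lower()
        if key == "all":
            names = set(KNOWN)
        elif key in CANONICAL:
            names = {CANONICAL[key]}
        else:
            raise ValueError(f"unknown protocol name: {name!r}")
        if action == "-":
            enabled -= names
        elif action == "+":
            enabled |= names
        else:
            enabled = set(names)
    return frozenset(enabled)


def same_protocol_set(directive_a, directive_b):
    """True when two SSLProtocol lines enable exactly the same versions."""
    return parse_ssl_protocol(directive_a) == parse_ssl_protocol(directive_b)


def enabled_in_version_order(directive):
    """List the enabled versions oldest first, for readable output."""
    enabled = parse_ssl_protocol(directive)
    return [name for name in KNOWN if name in enabled]


if __name__ == "__main__":
    a = "SSLProtocol -ALL +TLSv1.2 +TLSv1.1 +TLSv1"
    b = "SSLProtocol -ALL +TLSv1 +TLSv1.1 +TLSv1.2"
    print(enabled_in_version_order(a))
    print(enabled_in_version_order(b))
    print("same set:", same_protocol_set(a, b))
```

Both lines from the thread evaluate to {TLSv1, TLSv1.1, TLSv1.2}; the set also makes it explicit that TLS 1.0 stays enabled, which this thread's older phone firmware still depends on.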

Good news!

I just tested 7.6.1 firmware released a few days ago, XML applications are back in business!

In addition, SHA-256 signed certificates are now supported.

Perfect!

Ben

And it is much faster!

XML request speed does not seem to be affected by the DH group size anymore!

I'm back with a 4096-bit DH without impact.

But beware of zero-touch deployment. Virgin devices are distributed with 7.5.2 firmware or even older. They may not connect to such a server for initial configuration.

I tried it in the meantime. Maybe it's faster, but still so slow. The SSL setup takes about 3s on SPA504G/1.04/7.6.1; I consider that too much for a positive user experience...

Around 1.6s on a SPA5252G2/2.1.1/7.6.1.

7.6.2 still OK.

We tried 7.6.2 but rolled back to 7.6.1.  We found 7.6.2 code to be unstable.  After around a week or so we would start experiencing issues with phones locking up and needing to be power cycled.