04-13-2015 11:46 PM - edited 03-21-2019 08:36 AM
We run a secure provisioning server. We mutually authenticate the TLS provisioning requests coming in from the phones (to make sure it is a Cisco phone and that the phone has a certificate in it installed by Cisco) before giving them their configuration file.
This process works across a wide variety of software versions, except the latest 7.5.7 and 7.5.7s releases.
On the server we use Apache/2.4.7. For phones running 7.5.7 and 7.5.7s we get this error in the Apache error log:
[client xx.xx.xx.xx:58598] AH02261: Re-negotiation handshake failed: Not accepted by client!?
Important bits of our Apache config relating to this are:
SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:!LOW:!SSLv2:!EXPORT
SSLProtocol -ALL +TLSv1.2 +TLSv1.1 +TLSv1
SSLInsecureRenegotiation on
SSLCACertificateFile /etc/apache2/ca.pem
* This definitely contains the Sipura CA certificates (can't remember, about 5 of them)
<Directory /var/www/https/Cisco>
Options MultiViews
AllowOverride None
Order allow,deny
allow from all
SSLVerifyClient require
SSLVerifyDepth 1
</Directory>
How do we go about getting bugs investigated? Our phones are under small business support.
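Because SSLVerifyClient is set inside a <Directory> block, mod_ssl only learns that a client certificate is needed after it has read the request path, so it has to renegotiate the already-established TLS session; AH02261 is that second handshake being refused by the phone. The layout below is an added example (not the poster's config, not Cisco's) that avoids renegotiation by requiring the client certificate at the virtual-host level on a dedicated provisioning host; the hostnames, port and certificate paths are assumptions.

```apache
# Added example, not the original poster's configuration.
# Public site: no client certificate, so no renegotiation is ever needed.
<VirtualHost *:443>
    # assumed hostname
    ServerName www.example.com
    SSLEngine on
    SSLProtocol -ALL +TLSv1.2 +TLSv1.1 +TLSv1
    # assumed server certificate and key paths
    SSLCertificateFile    /etc/apache2/server.pem
    SSLCertificateKeyFile /etc/apache2/server.key
    DocumentRoot /var/www/https
</VirtualHost>

# Provisioning host on an assumed dedicated port. SSLVerifyClient sits at
# VirtualHost scope, so mod_ssl requests the phone's certificate during the
# initial handshake instead of renegotiating after it has seen the URL.
<VirtualHost *:8443>
    # assumed hostname
    ServerName prov.example.com
    SSLEngine on
    SSLProtocol -ALL +TLSv1.2 +TLSv1.1 +TLSv1
    SSLCertificateFile    /etc/apache2/server.pem
    SSLCertificateKeyFile /etc/apache2/server.key
    # CA bundle holding the Sipura/Cisco phone-certificate CAs (from the thread)
    SSLCACertificateFile  /etc/apache2/ca.pem
    SSLVerifyClient require
    # depth 1: the phone certificate must be issued directly by a CA in ca.pem
    SSLVerifyDepth 1
    # SSLInsecureRenegotiation is deliberately not enabled: with no
    # renegotiation in this design the legacy-renegotiation allowance is
    # unnecessary, and leaving it off keeps RFC 5746 enforcement in place.
    DocumentRoot /var/www/https/Cisco
    <Directory /var/www/https/Cisco>
        Options MultiViews
        AllowOverride None
        Order allow,deny
        allow from all
    </Directory>
</VirtualHost>
```

Phones would have to be pointed at the provisioning host's port instead of a path on the public site, so the change has to be validated against each firmware in use; a quick check that the certificate is now requested in the first handshake is that AH02261 no longer appears in the error log.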
05-21-2015 03:02 PM
What we do is specify the crypto order we would like to use in Apache using:
SSLProtocol -ALL +TLSv1.2 +TLSv1.1 +TLSv1
When a phone first connects in we upgrade it to a known software version, at which point it gets the rest of its config (which has been tested using that software version).
05-21-2015 03:23 PM
Unsuitable for PAP2T, SPA9xx, SPA[23][01]00, not sure about ATA800[08].
May not cause a problem if you have no such kind of devices.
Note the SSLProtocol option is a bitmap, so
SSLProtocol -ALL +TLSv1.2 +TLSv1.1 +TLSv1
is the same as
SSLProtocol -ALL +TLSv1 +TLSv1.1 +TLSv1.2
10-18-2015 03:13 AM
Good news!
I just tested the 7.6.1 firmware released a few days ago; XML applications are back in business!
In addition, SHA-256 signed certificates are now supported.
Perfect!
Ben
10-18-2015 03:21 AM
And it is much faster!
XML requests' speed does not seem to be affected by DH group size anymore!
I'm back with a 4096-bit DH without impact.
10-18-2015 08:15 AM
But beware of zero-touch deployment. Virgin devices are distributed with 7.5.2 firmware or even older. They may not connect to such a server for initial configuration.
10-18-2015 09:17 AM
I tried it in the meantime. Maybe it's faster, but still so slow. The SSL setup takes about 3s on SPA504G/1.04/7.6.1; I consider it too much for a positive user experience...
10-18-2015 09:21 AM
Around 1.6s on a SPA525G2/2.1.1/7.6.1.
06-20-2016 12:34 PM
7.6.2 still OK.
06-20-2016 12:38 PM
We tried 7.6.2 but rolled back to 7.6.1. We found 7.6.2 code to be unstable. After around a week or so we would start experiencing issues with phones locking up and needing to be power cycled.