11-21-2012 05:19 AM - edited 03-21-2019 09:55 AM
How do you set this thing up to use TLS? You can select TLS under SIP transport but that's it. Where do I upload the certificates? I called Cisco Support and they couldn't figure it out either.
11-24-2012 08:40 AM
Hi Matt,
I have TLS/SRTP working OK to our network
What are you connecting your SPA to - a SIP service provider or to a SIP PBX - CME etc?
SIP Service provider support for TLS and SRTP is rare - so check to see whether they support this before wasting your time.
The SPAs, when using TLS, don't check certificates, and as far as I am aware you can't upload one directly from the web interface (and since checking isn't performed it's unnecessary).
Older SPAs used to use proprietary SRTP; however, the newer ones, including the SPA112, are set to use the standard s-descriptor.
The procedure for configuring SIP over TLS/SRTP is the same as for the SPA phones.
For an example check out STEP 3 on
http://www.voip.co.uk/cisco-spa300500-telephones/
Miss out points 5 & 6, as the SPA112, as mentioned already, does s-descriptor.
I hope this helps.
Adam
Line 1 Status
Hook State: Off
Registration State: Registered
Last Registration At: 11/24/2012 08:14:22
Next Registration In: 33 s
Message Waiting: No
Mapped SIP Port:
Call Back Active: No
Last Called Number: 01869222500
Last Caller Number:
Call 1 State: Connected
Call 1 Tone: None
Call 1 Encoder: G711a
Call 1 Decoder: G711a
Call 1 FAX: No
Call 1 Type: Outbound, Secure
Call 1 Remote Hold: No
Call 1 Callback: No
Call 1 Peer Name:
Call 1 Peer Phone: 01869222500
Call 1 Duration: 00:00:36
Call 1 Packets Sent: 1800
Call 1 Packets Recv: 1780
Call 1 Bytes Sent: 288000
Call 1 Bytes Recv: 284800
Call 1 Decode Latency: 110 ms
Call 1 Jitter: 4 ms
Call 1 Round Trip Delay: 0 ms
Call 1 Packets Lost: 0
Call 1 Packet Error: 0
11-24-2012 09:15 AM
I'm trying to get it to connect to a local Asterisk 11 server. The Asterisk docs show using certificates on both ends:
https://wiki.asterisk.org/wiki/display/AST/Secure+Calling+Tutorial.
Thanks for the help!
11-24-2012 09:58 AM
OK.
I recommend getting the ATA working with SIP/UDP first. You then know all the SIP stuff is OK. Then make the few configuration changes to enable TLS and SRTP -
i.e.
Click on Voice in Admin mode
1. Click Line 1, SIP Settings, SIP Transport = TLS
2. Unless you have a fully configured set of DNS parameters, you probably want to change the SIP port to 5061
3. Supplementary Services, Service Subscription - I'd make sure Secure Call Serv is set to yes
4. Click User 1, Supplementary Service Settings: Secure Call Setting: YES
I know nothing about Asterisk with regards to TLS. I don't know whether this will expect you to upload a certificate from the SPA - I would suggest that you may want to look for a setting to disable certificate checking.
thanks
Adam
11-06-2021 02:13 PM - edited 11-06-2021 02:14 PM
Reviving an old topic.
I'm trying to connect an SPA112 running FW 1.4.1SR5 to my RASPBX (Asterisk 16.13.0 & FreePBX 15.0.16.75) and I'm not sure what settings I need to apply for TLS.
So basically what I understand so far:
Voice > Line1
SIP settings: SIP transport = TLS, SIP port = 5061
Voice > User 1
Supplementary Service Settings: Secure Call Setting: YES
What about the certificate? My PBX uses a Let's Encrypt certificate and so far I didn't need to download the certs myself. My other extensions (Zoiper on Android) handled the certificate automatically. How do I handle the certs with SPA112?
Thanks
11-07-2021 01:07 PM
Neither application nor operating system should claim a CA trusted on behalf of you. It's Zoiper's (or Android's) faulty behavior, not an SPA112 issue. Only you shall have sovereignty to claim a CA trusted.
Unless you intentionally did it on SPA112, LE certificates are rejected as untrusted.
11-07-2021 02:57 PM
It's my fault, my statement wasn't very clear. What I wanted to say is that Zoiper gives me the opportunity to accept/trust the certificate automatically and I don't need to download/import it myself. I don't know how to do this with the SPA112; there is no message coming up informing me that I have to trust a certificate. Maybe I'm not configuring it correctly.
11-07-2021 03:24 PM - edited 11-07-2021 03:27 PM
The certificate of the trusted root needs to be configured as "Custom CA". Only a single CA can be configured as trusted at the same time. Intermediate certificates, if necessary, need to be sent by the server during TLS setup.
See also: Delay caused by SSL handshaking
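The two requirements in this answer (one trusted root loaded as Custom CA, intermediates sent by the server) can be checked from a PC before touching the ATA. The shell helper below is an added example, not from the thread or from Cisco: it parses `openssl s_client -showcerts` output, verifies that each certificate's issuer is the next certificate sent, and that the chain ends at the CN of the root you loaded as Custom CA; the hostname pbx.example.net, "Example Intermediate" and the sample chain are constructed.

```shell
# Added example, not from the thread: check the chain a PBX presents on its
# SIP/TLS port against the single root the SPA112 trusts as "Custom CA".
# Usage: openssl s_client -connect pbx.example.net:5061 -showcerts </dev/null 2>/dev/null |
#        chain_check "ISRG Root X1"
# Exits 1 on a gap (intermediate not sent) or a different root; either is what
# Asterisk logs as "tlsv1 alert unknown ca". Assumes OpenSSL 1.1.1+ " s:"/" i:" layout.
chain_check() {
    awk -v root="$1" '
        function cn(dn,  s) {                  # pull the CN out of a DN string
            if (match(dn, /CN *= *[^,]+/)) {
                s = substr(dn, RSTART, RLENGTH); sub(/CN *= */, "", s); return s
            }
            return dn
        }
        /^ *[0-9]+ s:/ { n++; sub(/^ *[0-9]+ s:/, ""); subj[n] = $0; next }
        /^ *i:/        { sub(/^ *i:/, ""); iss[n] = $0; next }
        END {
            if (n == 0) { print "no certificate chain in input"; exit 1 }
            ok = 1
            for (k = 1; k < n; k++)            # cert k must be signed by cert k+1
                if (iss[k] != subj[k + 1]) {
                    ok = 0; printf "cert %d issuer \"%s\" was not sent next\n", k - 1, cn(iss[k])
                }
            printf "certs sent: %d, leaf: %s, top issuer: %s\n", n, cn(subj[1]), cn(iss[n])
            if (cn(iss[n]) != root) {
                ok = 0; printf "chain does not end at Custom CA \"%s\": intermediate missing or wrong root\n", root
            }
            exit (ok ? 0 : 1)
        }'
}
# Constructed s_client output (PEM bodies omitted): leaf plus intermediate.
sample_full_chain() {
    cat <<'EOF'
Certificate chain
 0 s:CN = pbx.example.net
   i:C = US, O = Example Issuer, CN = Example Intermediate
-----BEGIN CERTIFICATE-----
(PEM body omitted)
-----END CERTIFICATE-----
 1 s:C = US, O = Example Issuer, CN = Example Intermediate
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
-----BEGIN CERTIFICATE-----
(PEM body omitted)
-----END CERTIFICATE-----
EOF
}
# Same leaf, but the PBX did not send the intermediate (first 6 lines only).
sample_leaf_only() { sample_full_chain | sed -n '1,6p'; }
```

The s_client output normally omits the self-signed root itself, so the last "i:" line is the root whose certificate must be installed as Custom CA.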
11-08-2021 12:43 AM
Ok, so in this case I need to set my Custom CA URL to https://letsencrypt.org/certificates/ namely ISRG Root X1? My PBX is configured to use certificates from Let's Encrypt in order to secure the communication.
11-08-2021 12:55 AM
Nope, apparently not
[2021-11-08 10:50:20] WARNING[1817]: pjproject: <?>: SSL SSL_ERROR_SSL (Handshake): Level: 0 err: <336151576> <SSL routines-ssl3_read_bytes-tlsv1 alert unknown ca> len: 0 peer: xx.xx.xx.xxx:5078
Custom CA Status
Custom CA Provisioning Status: Last provisioning failed on 11/08/2021 10:50:10
Custom CA Info: Not Installed
11-08-2021 01:12 AM
Are you trying to fetch the certificate via HTTPS? Really?
Is the SSL session in question secured by a certificate issued by a trusted root CA?
11-08-2021 01:27 AM
Is the SSL session in question secured by a certificate issued by a trusted root CA?
No
11-08-2021 02:21 AM
Are you trying to fetch the certificate via HTTPS? Really?
It's my extension trying to connect and the message is given by the PBX. The extension is configured as I already described before.
Again, my question was related to the settings that I need to make so that my SPA112 can connect securely.
Certificate of trusted root needs to be configured as "Custom CA".
According to Let's Encrypt: "Our roots are kept safely offline. We issue end-entity certificates to subscribers from the intermediates in the next section. For additional compatibility as we submit our new Root X2 to various root programs, we have also cross-signed it from Root X1."
Any ideas?
11-08-2021 08:37 AM
Your extension is trying to download the root certificate via HTTPS just because you commanded it to fetch from HTTPS. It's doing nothing by itself. You can either use an HTTP source (not HTTPS), or you can use HTTPS, but then it must use a certificate issued by a trusted authority. I assume you wish to use HTTP.
11-08-2021 08:57 AM - edited 11-08-2021 09:14 AM
I haven't commanded my extension to do anything. The only settings that I performed in addition to setting up the account/extension were the following:
SIP Transport: TLS
SIP Port: 5061
Secure Call Setting: Yes
But ...
Registration State: Failed
I'll try to open a case with CISCO about this
LE: also set Provisioning > Configuration Profile > Transport Protocol: HTTP (instead of HTTPS). Doesn't help.