Solved: SPA525G2 fails https provisioning with custom CA

baluson · ‎02-04-2024

Hi everyone!

In short: my problem is, that the Certificate loaded by the Custom CA rule is not working for provisioning over https connections.

I'm using SPA525G2 phones, and I want to deploy them in a remote location, where no server or VPN tunnel is available to the provisioning network. So I want to use https for provisioning. The plan is the following:
preprovisioning:
1. The phone is on the "main" network, where dhcp option tells a profile rule with http protocol.
2. XML is downloaded. It contains a different profile rule this time with https and custom CA URL for the server certificate it uses http.
3. Phone reboots.

In theory at this time the phone should use https for provisioning and I could move it outside the main network it could still access the provisioning URL over secure https.
Provisioning:
1. The phone is outside of the "main" network it already knows an https rule to contact the provisioning server
2. XML is downloaded. It can set the custom CA rule to an https version, since it already trusts that certificate. This way it can be fully secured on the remote network, no dns spoofing can lead to hijacking

But in reality the provisioning fails. The phone cannot download the provisioning file because it states that the CA is unknown. The very CA I just defined in the custom CA rule.
I tried using my let's encrypt certificate and also a self signed one, but none of them worked.

I have read many provisioning guides and tutorials and forums, but I don't know why this does not work. Did anyone successfully managed https provisioning with own certificate?

baluson · ‎04-02-2024

After many many days of researching this topic I found the real problem, and the solution too.

So the original issue was, that the SPA525G2 reports "unknown CA" in the wireshark. And suprisingly this message was accurate, as the Server Hello included a wrong certificate. I'm using IIS as the web server and I use Require Server Name Identification for all my sites. But the phones don't support SNI as stated in this bugreport: CSCve12309
The workaround was, that I turned off this feature for this single site only.

New issue: the certificate is correct, but this time the phone just states that download failed. In the wireshark I can see that it sends Encrypted Alert and terminates the communication. I turned to the debugging feature of the phone. (set the ip of my computer and captured traffic with wireshark, so no need for a syslog server). The message said, that Cannot verify host name: XXX.YYY.ZZ But the certificate is correct and in the browser it just works fine. I somehow got suspicious and moved everything to a folder of the root domain like this: YYY.ZZ/XXX And suddenly it worked. THe conclusion is: phones don't support wildcard certificates. (it worked on the root domain because my cert contains two entries: XXX.ZZ and *.XXX.ZZ)

The real cause that this problem arose in the first place is:
Bad implementation of TLS and Hiding bug reports on that bugsearch site, where I can not even search by product name.
Bad implementation of HTTPS and Improper documentation regarding the wildcard certificates.

View solution in original post

baluson · ‎04-02-2024

After many many days of researching this topic I found the real problem, and the solution too.

So the original issue was, that the SPA525G2 reports "unknown CA" in the wireshark. And suprisingly this message was accurate, as the Server Hello included a wrong certificate. I'm using IIS as the web server and I use Require Server Name Identification for all my sites. But the phones don't support SNI as stated in this bugreport: CSCve12309
The workaround was, that I turned off this feature for this single site only.

New issue: the certificate is correct, but this time the phone just states that download failed. In the wireshark I can see that it sends Encrypted Alert and terminates the communication. I turned to the debugging feature of the phone. (set the ip of my computer and captured traffic with wireshark, so no need for a syslog server). The message said, that Cannot verify host name: XXX.YYY.ZZ But the certificate is correct and in the browser it just works fine. I somehow got suspicious and moved everything to a folder of the root domain like this: YYY.ZZ/XXX And suddenly it worked. THe conclusion is: phones don't support wildcard certificates. (it worked on the root domain because my cert contains two entries: XXX.ZZ and *.XXX.ZZ)

The real cause that this problem arose in the first place is:
Bad implementation of TLS and Hiding bug reports on that bugsearch site, where I can not even search by product name.
Bad implementation of HTTPS and Improper documentation regarding the wildcard certificates.