Cisco SPA525G - Firmware 7.6.2SR5 - Error CC_EV_SIG_REGISTER_FAILED

Alex A. Welzl · ‎03-05-2019

After upgrading some SPA525G from 7.6.2SR4 to 7.6.2SR5 none of the phone can sucessfully execute a TLS based registration.

Error in SYSLOG: Syslog message: LOCAL0.INFO: CC_eventProc(event=63(CC_EV_SIG_REGISTER_FAILED), lid=0, par=0, par2=(nil))

After downgrading to SR4 the phones work w/o any issues.

Dan Lukes · ‎03-27-2019

RN of SR5 lists the only change - CSCvi84687 which is TLS unrelated. But Cisco is known not to disclose all changes. New release may have different set of crypto/hmac alghoritms supported or may have different set of CA accepted.

Turn on debug syslog messages (it seems you have logging limited to INFO level) and capture packets of failing SIP session. It may help you/us to identify cause.

Alex A. Welzl · ‎04-17-2019

I did some wiresharking and here's the result:

7559 120.784227695 172.16.11.37 172.16.11.99 Syslog 70 LOCAL0.INFO: [0:0]SIP/TCP:Connect=0\n
7561 120.784298715 172.16.11.37 172.16.11.99 Syslog 70 LOCAL0.INFO: [0:0]SIP/TCP:Connect=0\n
7562 120.785517180 172.16.11.37 172.16.11.99 Syslog 78 LOCAL0.INFO: [0:0]SIP/TLS:Connecting(17)...\n
7563 120.785527338 172.16.11.37 172.16.11.99 Syslog 78 LOCAL0.INFO: [0:0]SIP/TLS:Connecting(17)...\n
7564 120.866512328 172.16.11.37 172.16.11.99 Syslog 63 LOCAL3.DEBUG: ssl cert err 19\n
7565 120.869287508 172.16.11.37 172.16.11.99 Syslog 71 LOCAL0.INFO: [0:0]SIP/TLS:Connect=-1\n
7566 120.869314887 172.16.11.37 172.16.11.99 Syslog 71 LOCAL0.INFO: [0:0]SIP/TLS:Connect=-1\n
7567 120.871164233 172.16.11.37 172.16.11.99 Syslog 75 LOCAL0.INFO: [0:0]SIP/TLS:Connect Failed\n
7568 120.871191213 172.16.11.37 172.16.11.99 Syslog 75 LOCAL0.INFO: [0:0]SIP/TLS:Connect Failed\n

According to this link https://community.cisco.com/t5/small-business-support-documents/ssl-errors-secure-provisioning-issues/ta-p/3295835 err 19 is X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN self signed certificate not recognized as trusted

When I do a openssl s_client -connect voip.XXXXXXXXXX.com:5061 I receive a proper chain.

CONNECTED(00000003)
depth=2 C = US, O = "Entrust, Inc.", OU = See www.entrust.net/legal-terms, OU = "(c) 2009 Entrust, Inc. - for authorized use only", CN = Entrust Root Certification Authority - G2
verify return:1
depth=1 C = US, O = "Entrust, Inc.", OU = See www.entrust.net/legal-terms, OU = "(c) 2012 Entrust, Inc. - for authorized use only", CN = Entrust Certification Authority - L1K
verify return:1
depth=0 C = XX, L = XXXXXXX, O = XXXXXXX, CN = voip.XXXXXXXXX.com
verify return:1
---
Certificate chain
0 s:/C=XX/L=XXXXXX/O=XXXXXX/CN=voip.XXXXXXXXXX.com
i:/C=US/O=Entrust, Inc./OU=See www.entrust.net/legal-terms/OU=(c) 2012 Entrust, Inc. - for authorized use only/CN=Entrust Certification Authority - L1K
1 s:/C=US/O=Entrust, Inc./OU=See www.entrust.net/legal-terms/OU=(c) 2012 Entrust, Inc. - for authorized use only/CN=Entrust Certification Authority - L1K
i:/C=US/O=Entrust, Inc./OU=See www.entrust.net/legal-terms/OU=(c) 2009 Entrust, Inc. - for authorized use only/CN=Entrust Root Certification Authority - G2
2 s:/C=US/O=Entrust, Inc./OU=See www.entrust.net/legal-terms/OU=(c) 2009 Entrust, Inc. - for authorized use only/CN=Entrust Root Certification Authority - G2
i:/C=US/O=Entrust, Inc./OU=See www.entrust.net/legal-terms/OU=(c) 2009 Entrust, Inc. - for authorized use only/CN=Entrust Root Certification Authority - G2

[..]

New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384

As mentioned it works w/o any issues on SR4, but not on SR5. Other models (SPA504/514G) have no issues with SR5 either.

Dan Lukes · ‎04-17-2019

@Alex A. Welzl wrote:
7564 120.866512328 172.16.11.37 172.16.11.99 Syslog 63 LOCAL3.DEBUG: ssl cert err 19

err 19 is X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN self signed certificate not recognized as trusted
depth=2 C = US, O = "Entrust, Inc.", OU = See www.entrust.net/legal-terms, OU = "(c) 2009 Entrust, Inc. - for authorized use only", CN = Entrust Root Certification Authority - G2

Why you think the Entrust Root Certification Authority - G2 should be accepted as trusted authority ?

Documentation mentions no such CA on embedded list of trusted CA.

OK. Did you configured such CA as Custom CA ?

If yes, did you verified it's still configured even after firmware upgrade ?

If no - it works as expected, the CA should not be trusted,

Alex A. Welzl · ‎04-18-2019

THX for the hint. We have not discovered any issues till now. I have added the Custom_CA to the setting and now it works.

Dan Lukes · ‎04-18-2019

If such certificate has been accepted with no Custom CA defined, then you discovered severe security bug. in SR4. It seems it has been patched in SR5.

It's unfortunate Cisco decided not to mention it in Release Notes. Cisco seems not to take security seriously ...

Alex A. Welzl · ‎04-19-2019

It's a bit weird. The SR5 for the SPA525G/G2 is the ONLY version which needs the custom_CA to be set for SIP/TLS connections. We are running over 1000 SPA3xx/5xx phones and have not seen that issue before. So if it's really a security issue, then it is not fixed on the other models yet.

Dan Lukes · ‎04-19-2019

Certificates are here to verify the phone is speaking to correct server (e.g. there's neither man-in-the-midle kind of attack or other unauthorized server trying to cheat phone with a rogue configuration). The list of trusted CA is critical part of it - if client (phone) trusts certificate regardless issuer, then it will accept unauthorized server (with certificate issued by any CA, even the rogue user own one).

Phone shall reject a server with certificate issued by unknown CA.

I didn't verified 7.6.x firmwares, but in 7.5.x it works as expected (with one exception - SPA5xx ignores certificate validity, e.g. "not before" and "not after" dates).