
Adam Goodfriend
Beginner

Cisco XML Phone applications over https (SSL)

I was wondering if it is possible to use Cisco XML Phone applications over https (SSL) on Cisco SPA 500 series phones. I have tried to run XML applications on servers that have certificates signed by an internet CA, and this does not work. I was wondering if I got a certificate signed by Cisco as outlined in https://supportforums.cisco.com/docs/DOC-9852 whether I could run Cisco XML Phone applications over https (SSL).

36 Replies
Adam Goodfriend
Beginner

The answer is no... makes it difficult to provide XML applications as part of a hosted PBX. Is there any way we can request this feature in future versions of the firmware?

Can you not do this even with the Cisco certificate?

If not this renders the feature rather useless in anything other than a home/small office environment.

How can we request this feature be added?

I would also like to know if it's possible to use Cisco XML Phone applications over https and if not, it is possible to know whether they will include this functionality in future versions.

BSN
Beginner

Hello,

For security reasons, I also tried to configure my XML directory on my SPA504G over HTTPS (port 443).

But it does not work, SPA says "request failed".

Over HTTP (port 80), it works fine.

Accessing the HTTPS URL from my computer works fine, so sounds like the problem is on SPA side.

I use the latest firmware (7.5.5).

Could we think about adding HTTPS support for XML applications to the next firmware release?

Thank you very much !

Best regards,

Gio

Dan Lukes
Advocate

Such feature seems to be implemented in 7.5.5 (I tried no older versions).

Of course, you need to have a certificate trusted by the phone (I assume it's the 's problem mentioned elsewhere in this thread, but only a caught syslog&debug will reveal the true reason).

BSN
Beginner

Dan, thank you for your suggestion.

I have a StartCom class 2 certificate (startssl.com).

How do I know if this CA is trusted by the phone?

Here is what syslog gives:

12/02/2014 19:10:57,000 Starting XML service @ https[-1]: //sub.myhiddendom.com/addr.php

12/02/2014 19:10:57,000 Unknown[-1]: ********setSoftKeys for 949fa0e0 to type 0 with 0 items

12/02/2014 19:10:57,000 cme services url=https[-1]: //sub.myhiddendom.com/addr.php

12/02/2014 19:10:57,000 Unknown[-1]: create CMX_new @ 949fa0e0, init cbData 0 g_pAppCmx=0

12/02/2014 19:10:57,000 Unknown[-1]: [CMXHTTP] Http failed, rc=0, len=10240

12/02/2014 19:10:57,000 Unknown[-1]: SipXml_eventHandler SIPXML_EV_CMXH_FAILED

12/02/2014 19:10:57,000 CMX_eventProc(),app=949fa0e0 msg[-1]: 0xFB4B, par:0, par2:0

12/02/2014 19:10:57,000 CMX_eventProc[-1]: got http_failed. 4 4 0x0

Nothing really relevant

Thanks for your support !

I told you that you need to catch syslog&debug messages. It seems you caught either local0 facility messages only or you filtered messages with severity less than info. All in all, local3.debug messages are missing in your output. Unfortunately, for the purpose of your question, I'm interested more in debug messages than info messages.

At the bottom I attached two complete logs. See the red line in the first one. This is the line we are interested to see. The err 20 means X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY error = either the chain root's certificate or an intermediate certificate is not found in the phone's local database of trusted certificates. As the certificate chain can't be verified to be trusted, the connection needs to be rejected.

Check your output, find your error number and we can continue to solve the problem.

-----------------------------------------------

Syslog&debug messages for unsuccessful access to XML address book using https protocol:

local0.info  | ********setSoftKeys for 94e93710 to type 0 with 0 items
local0.info  | cme services url=https://test-provisioning.---.cz/Cisco/XML-Telefonni-seznam.php
local0.info  | create CMX_new @ 94e93710, init cbData 949b3fd0 g_pAppCmx=0
local3.debug | cmxhttp: url=https://test-provisioning.---.cz/Cisco/XML-Telefonni-seznam.php
local3.debug | [CMXHTTP] scheme = https
local3.debug | [CMXHTTP] scheme = 3
local0.info  | [CMXHTTP] host=test-provisioning.---.cz:443; path=/Cisco/XML-Telefonni-seznam.php; locale=Accept-Language: en-US
local3.debug | [create_tcp_netstrm1] use async to create tcp connection
local3.debug | connect succeed  
local3.debug | [create_tcp_netstrm1] connect SUCCEED
local3.debug | ssl cert err 20  
local3.debug | create ssl connection failed
local3.debug | [CMXHTTP] refresh time=0s, URL=
local0.info  | [CMXHTTP] Http failed, rc=0, len=10240
local0.info  | SipXml_eventHandler SIPXML_EV_CMXH_FAILED
local0.info  | CMX_eventProc(),app=94e93710 msg:0xFB4B, par:0, par2:0
local0.info  | CMX_eventProc: got http_failed. 1 1 0x0

Syslog&debug messages for successful access to XML address book using https protocol:

local0.info  | ********setSoftKeys for 949c53a0 to type 0 with 0 items
local0.info  | cme services url=https://test-provisioning.---.cz/Cisco/XML-Telefonni-seznam.php
local0.info  | create CMX_new @ 949c53a0, init cbData 949b3fd0 g_pAppCmx=0
local3.debug | cmxhttp: url=https://test-provisioning.---.cz/Cisco/XML-Telefonni-seznam.php
local3.debug | [CMXHTTP] scheme = https
local3.debug | [CMXHTTP] scheme = 3
local0.info  | [CMXHTTP] host=test-provisioning.---.cz:443; path=/Cisco/XML-Telefonni-seznam.php; locale=Accept-Language: en-US
local3.debug | [create_tcp_netstrm1] use async to create tcp connection
local3.debug | connect succeed
local3.debug | [create_tcp_netstrm1] connect SUCCEED
local3.debug | [CMXHTTP] refresh time=0s, URL=
local0.info  | [CMXHTTP] Resp=200(318)(318)  
kernel.emergency |
    Phone book  2.1.2 
    Input name (part)
    http://test-provisioning.---.cz/Cisco/XML-Telefonni-seznam.php
   
      Name
      name
    A
   
 
local0.info  |
local0.info  | CMX_eventProc(),app=949c53a0 msg:0xFB4A, par:2493265136, par2:0
local3.debug | xml charset: -1
local3.debug | http charset: 1
local0.info  | CMX Input
local3.debug | CMX_eventProc(), CMX_parse() done, pobj(0x94e94690) type = 2
local3.debug | CMX_eventProc(),                   title=Phone book  2.1.2, prompt(0x94e946b2)=Input name (part)
local3.debug | CMX_eventProc(),                   0 softkeys, max pos 0, items(0x0)
local3.debug | CMX_eventProc(),                   refresh to  in 0 sec
local3.debug | drawCmxObj(), o->ucType=2
local0.info  | create CMX_new @ 949a5e40, init cbData 0 g_pAppCmx=949a5e40

BSN
Beginner

You're right, I forgot debug.

So here is the full trace:

Feb 12 21:28:28 line 3 is extended function key for xml service.

Feb 12 21:28:28 cmxhttp: url=https://sub.myhiddendom.com/addr.php

Feb 12 21:28:28 [CMXHTTP] scheme = https

Feb 12 21:28:28 [CMXHTTP] scheme = 3

Feb 12 21:28:28 [create_tcp_netstrm1] use async to create tcp connection

Feb 12 21:28:28 connect succeed

Feb 12 21:28:28 [create_tcp_netstrm1] connect SUCCEED

Feb 12 21:28:28 ssl cert err 20

Feb 12 21:28:28 create ssl connection failed

Feb 12 21:28:28 [CMXHTTP] refresh time=0s, URL=

SSL error 20 seems to be the issue (as in your example).

OK, we are almost done. Either [1] the chain root certificate is not recognized as trusted or [2] an intermediate certificate is not supplied by the HTTP server during the HTTPS session. Or both.

According to [1] - check that the root certificate related to the certificate you are using is installed on the phone:

[screenshot: 1.JPG]

Note that there is no CA certificate installed in the picture above as I'm using certificates issued by Cisco's CA, which is trusted by default. In your case there needs to be an appropriate CA certificate installed.

If such a certificate is not installed then install it:

[screenshot: 2.JPG]

According to [2], you need to verify that all certificates of the certificate chain, not including the root certificate, are supplied by the HTTPS server during the HTTPS session. If not, correct the configuration of your HTTPS server accordingly.

Hope it helps.
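The two causes Dan lists both surface as the same code the phone logs, "ssl cert err 20" (X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY). The script below is an added example, not code from this thread or from Cisco: it builds a constructed root -> intermediate -> leaf chain with the openssl command-line tool (1.1 or newer assumed; all names are made up) and then verifies the leaf the way the phone does, once with the root trusted but the intermediate missing (cause [2]), once with the intermediate supplied but no trusted root (cause [1]), and once correctly. `verify_code` prints openssl's numeric verify error, which is the number to compare against the phone's syslog line.

```shell
#!/bin/sh
# Added example (not from this thread): reproduce "ssl cert err 20" with openssl.
# Error 20 is X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY, the code the SPA
# phone logs. We build a constructed root -> intermediate -> leaf chain and
# verify the leaf under the three situations discussed. All names are made up.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Generate a fresh RSA key and a CSR for the given subject.
csr() { # $1=key out  $2=csr out  $3=subject
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1" -out "$2" -subj "$3" 2>/dev/null
}

# Issue a certificate from a CSR. With a CA cert in $3 it is signed by that CA;
# with $3 empty it is self-signed with the key in $4 (used for the root only).
issue() { # $1=csr  $2=cert out  $3=CA cert or ""  $4=signing key  $5=extension file
  if [ -n "$3" ]; then
    openssl x509 -req -in "$1" -CA "$3" -CAkey "$4" -CAcreateserial \
      -out "$2" -days 2 -extfile "$5" 2>/dev/null
  else
    openssl x509 -req -in "$1" -signkey "$4" -out "$2" -days 2 -extfile "$5" 2>/dev/null
  fi
}

make_chain() {
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:xml.example.test\n' > "$WORK/leaf.ext"
  # [root] the CA certificate the phone must hold in its trusted-certificate store
  csr "$WORK/root.key" "$WORK/root.csr" "/CN=Constructed Test Root CA"
  issue "$WORK/root.csr" "$WORK/root.pem" "" "$WORK/root.key" "$WORK/ca.ext"
  # [intermediate] issued by the root; the HTTPS server has to send this one
  csr "$WORK/inter.key" "$WORK/inter.csr" "/CN=Constructed Test Intermediate CA"
  issue "$WORK/inter.csr" "$WORK/inter.pem" "$WORK/root.pem" "$WORK/root.key" "$WORK/ca.ext"
  # [leaf] the server certificate, issued by the intermediate only
  csr "$WORK/leaf.key" "$WORK/leaf.csr" "/CN=xml.example.test"
  issue "$WORK/leaf.csr" "$WORK/leaf.pem" "$WORK/inter.pem" "$WORK/inter.key" "$WORK/leaf.ext"
}

# Verify a leaf the way the phone does. $1 = file of trusted roots ("" = nothing
# trusted), $2 = file of intermediates the server sent ("" = none), $3 = leaf.
# Prints openssl's X509 verify error code, or 0 when the chain is accepted.
# -no-CAfile/-no-CApath keep the system trust store out of the experiment.
verify_code() {
  _opts="-no-CAfile -no-CApath"
  [ -n "$1" ] && _opts="$_opts -CAfile $1"
  [ -n "$2" ] && _opts="$_opts -untrusted $2"
  if _out=$(openssl verify $_opts "$3" 2>&1); then
    echo 0
  else
    # openssl reports e.g. "error 20 at 0 depth lookup: unable to get local issuer certificate"
    echo "$_out" | sed -n 's/.*error \([0-9][0-9]*\) at .*/\1/p' | head -n 1
  fi
}

make_chain
echo "root trusted, intermediate not sent -> err $(verify_code "$WORK/root.pem" "" "$WORK/leaf.pem")"
echo "root not trusted, intermediate sent -> err $(verify_code "" "$WORK/inter.pem" "$WORK/leaf.pem")"
echo "root trusted, intermediate sent     -> err $(verify_code "$WORK/root.pem" "$WORK/inter.pem" "$WORK/leaf.pem")"
```

The first two cases both print 20 and only the third prints 0, which is why the phone's log line alone cannot tell [1] from [2]. Against a live server, `openssl s_client -connect host:443 -showcerts` lists the certificates the server actually sends (the check for [2]), and `openssl verify -CAfile <root the phone trusts> -untrusted <intermediates from s_client> <leaf>` reproduces the phone's decision off the device (the check for [1]).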

BSN
Beginner

Dan, thank you very much!

Installing the CA cert did the trick!

I'm however quite surprised, my SPA504G takes much more time to display the result using HTTPS than HTTP (3 or 4 seconds instead of let's say 0).

Look at the timestamps in this example:

Feb 12 22:43:29 line 3 is extended function key for xml service.

Feb 12 22:43:29 cmxhttp: url=https://sub.myhiddendom.com/addr.php

Feb 12 22:43:29 [CMXHTTP] scheme = https

Feb 12 22:43:29 [CMXHTTP] scheme = 3

Feb 12 22:43:29 [create_tcp_netstrm1] use async to create tcp connection

Feb 12 22:43:30 connect succeed

Feb 12 22:43:30 [create_tcp_netstrm1] connect SUCCEED

Feb 12 22:43:33 [CMXHTTP] refresh time=0s, URL=

(...)

I also discovered that SPA does not support:

- wildcard certificates (*.domain.com): not really a problem, just as a "reminder" here;

- Server Name Indication: more annoying, this would be good for those who have several certificates on the same IP.

You should "reply" to the message you are replying to, not to the original question.

I'm however quite surprised, my SPA504G takes much more time to display the result using HTTPS than HTTP (3 or 4 seconds instead of let's say 0). 

Of course. It is cryptography and it takes computing power. And the phone hardware has no power for such kind of computing. Use a short private key (like 512b) to shorten the connection setup time (but at the cost of lower security).

- wildcard certificates (*.domain.com) : not really a problem, just as a "reminder" here ;

- Server name Indication : more annoying, this would be good for those who have several certificates on the same IP.

Wildcard certificates have never been standardized as far as I know. SNI is a very new extension of the SSL protocol. No implementation should depend on it. You need to use the same solutions used in pre-SNI times, e.g. every HTTPS server needs its own IP or port. It's not a real issue here as you can configure phones to use any port number you wish; you are not tied to the default 443 port.

There are other problems related to SSL - SPA[35]xx accepts certificates even if they are expired. SPA[12]xx ATA devices with firmware older than 1.3.2 don't check certificates at all; any certificate is considered valid.

Consider rating useful responses - it will help others to find solutions.

Adam Goodfriend
Beginner

I can confirm that XML apps now work correctly in the latest firmware (only took 2 years). I have tested using a cert issued by Cisco as mentioned in the original post. Unfortunately this adds 3-4 seconds to each request, making this unacceptable for production use. I am currently using a Cisco 504G. I will test with a 514G and see if it makes a difference.

Which key size? Did you try a short key like 512 or even 384 bits?

SPA514G may be somewhat faster as it's newer hardware ...

Following the directions in https://supportforums.cisco.com/docs/DOC-9852 I am using 1023

"Generate a private key which you will use to generate the certificate signing request

webserver# openssl genrsa -out 1024"

I am not sure if Cisco will accept a smaller key.
