Client Auth for SPA504G over HTTPS?

Castile12 · ‎03-15-2016

Hi all,

So I am at my wits end with this, maybe I am missing something, so I hope someone can point out something I am doing wrong or if this is a bug. So firstly, my problem, I am trying to get some Cisco phones setup with remote provisioning over https. My issue right now is that I currently cannot enable client authentication and auth the phone, that I am using as a test, via its internal certificate. However from what I can gather via wireshark that the connection between the phone and the webserver is over TLS, so that part looks good.

Right now I am just trying to to get a working proof of concept. The phone I am using is a Cisco SPA504G that was upgraded to the latest software firmware 7.6.1. I am using CentOS 7 and Nginx 1.8.1 as my web server. I followed this guide - http://www.cisco.com/c/dam/en/us/td/docs/voice_ip_comm/csbpvga/ata/provisioning/guide/Provisioning.pdf in combination with https://supportforums.cisco.com/document/36871/certificate-signing-request-csr-signed-ssl-certificates-spa-voice-products and some of the threads in this community about the matter.

Firstly, I have generated multiple keys as a test with the following command (some are as written in the original guide, 1024 vs 2048 did not make any difference):

openssl genrsa -out cisco-2048.key 2048

Afterwards, I tried to generate a CSR by doing the following command:

openssl req -new -key cisco-2048.key -out cisco-2048.csr

I should also note, I tried adding -sha256 as well (since it appears as sometime, up to that firmware, they support sha256), but that didn't really do anything.

Afterwards, I submitted the CSR via the https://webapps.cisco.com/software/edos/home#csrManagement.

I will say I found the next part to be confusing for two reasons. Firstly because SPA5xx is written in 3/4 places, as shown below:
- PAP2T/WRP400/SPA2xxx/SPA3xxx/SPA9xx/SPA3xx/SPA5xx
- PAP2/WRTP/RTP
- SPA1xx firmware 1.3.3 and newer/SPA232D firmware 1.3.3 and newer/SPA5xx firmware 7.5.6 and newer
- SPA1xx/SPA232D/SPA3xx/SPA5xx/SRP5xx

So from what I can gather, I am supposed to select "SPA1xx firmware 1.3.3 and newer/SPA232D firmware 1.3.3 and newer/SPA5xx firmware 7.5.6 and newer", since I am using a SPA504G phone upgraded to 7.6.1. Although I have tried with the others to see if they make any difference, but no dice.

One thing I also want to add is that regardless of stating sha256 in the certificate request. The certificate I get back from the CSRManagement page, comes back with sha1, not sha256 (which may or may not be the cause of the issue).

The CSR gets signed and I add it to my server. I also downloaded the "Combined Client Root Certificate" from the CSRManagement page of the link above. Since I am using Nginx, my config looks like the following:

server {
    listen       443 ssl;
    server_name <fqdn-here>;
    ssl on;
    ssl_certificate      /etc/nginx/ssl/cisco-2048.crt;
    ssl_certificate_key /etc/nginx/ssl/cisco-2048.key;
    ssl_verify_depth 2;
    ssl_verify_client on;
    ssl_client_certificate /etc/nginx/ssl/combined-client.crt;
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout 5m;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'DHE-RSA-AES256-SHA';
    ssl_prefer_server_ciphers off;
    location / {
        root   /usr/share/nginx/html;
        index index.html index.htm;
    }
}

ssl_certificate = The certificate file that was downloaded from the CSRManagement page.

ssl_certificate_key = The key that was generated as a result of the openssl genrsa... command above.

ssl_verify_depth 2 = The equivalent of Apache's SSLVerifyDepth.

ssl_verify_client on = Enable client certificate verification.

ssl_client_certificate = The certificate file I downloaded from the "Combined Client Root Certificate" on the Certificate Management page.

So as previously mentioned, if I set ssl_verify_client to off, I do get TLS encryption and the phone can grab the demo config (a simple basic.txt file as outlined in the Provisioning.pdf). However, when I turn it to on, I cannot get any authentication.

On the phone itself, I set the Profile Rule to equal https://host.domain.com:443/basic.txt, and rebooted to try and get the config.

The phone syslog states:

SPA504G --:--:--:--:--:-- -- Requesting resync https://--.--.--.--:443/basic.txt
SPA504G --:--:--:--:--:-- -- Requesting resync https://--.--.--.--:443/basic.txt
FMM >>>> Requesting profile
[create_tcp_netstrm1] use async to create tcp connection
connect succeed
[create_tcp_netstrm1] connect SUCCEED
create ssl connection failed
SPA504G --:--:--:--:--:-- -- Resync failed: https_get failed
SPA504G --:--:--:--:--:-- -- Resync failed: https_get failed
FMM >>>> Failed profile

Nginx error.log states:

SSL_do_handshake() failed (SSL: error:0D0C50A1:asn1 encoding routines:ASN1_item_verify:unknown message digest algorithm) while SSL handshaking

Each time a connection is attempted, from what I can tell is that it leads back to a SHA error typically associated with old versions of OpenSSL (which is not the case since I am using OpenSSL 1.0.1), but I am not entirely sure how to fix it.

I will add I am not extremely knowledgeable with SSL/TLS certificates, so I apologize in advance if I am missing something.

Philip D'Ath · ‎03-15-2016

Check out this https provisioning guide.

https://supportforums.cisco.com/document/96471/spa-certificate-authority-ca-list

Dan Lukes · ‎03-16-2016

Read Zero touch provisioning from F/W 7.3.7 up to 7.6.1, please - I prefer not to respond same twice within during one week.

Ask if something remain unclear then.

According digest used - read this comment. The support for various digests is mentioned here (just under the table with benchmark).

Castile12 · ‎03-16-2016

So I read the thread you linked me above, I generated the cert using the first option this time as you told brent.

So the only allowed digest is md5? That is confusing as the documentation mentions sha1, and Cisco mentioned support for sha256.

Dan Lukes · ‎03-16-2016

SHA1 is considered "default". MD5 has been recognized by me as "It also works".

Note has tested supported digest alghoritms on 1.3.3 (SPA112) and 7.5.5 (SPA50x). The newest versions may support SHA256. SO try it if you wish to use it.

I'm not aware the Cisco mentioned the SHA256 as supported here, but may be I missed such announcement.

Philip D'Ath · ‎03-16-2016

I wouldn't risk using SHA256 at the moment. You are going to get phones with different firmware versions on them, and almost certainly the older phones wont support it. You would be locking yourself into a very limited set of options using SHA256 at the moment.

Castile12 · ‎03-16-2016

Why not just upgrade them all to the latest firmware first?

Philip D'Ath · ‎03-16-2016

And are you going to push out that upgrade over the provisioning system (which is what we do)?

And is that happening over https? If so, the old firmware wont be able to connect because of SHA256 to get the new firmware which does support SHA256.

Dan Lukes · ‎03-16-2016

Just note the SPA devices need to be considered not hardened enough to be exposed to public. For some firmware version it's necessary to isolate phones from each other even in single LAN to gain secure network (e.g. 'private LAN' in CIsco terminology).

In such controlled environment you may consider SHA1 to be safe enough.

And if you don't care the security so much, so you will not arrange isolated secure LAN, you should not care the SHA1 is not latest digest algorithm as well.

Dan Lukes · ‎01-12-2021

I submitted the CSR via the https://webapps.cisco.com/software/edos/home#csrManagement

It has been moved to https://software.cisco.com/software/cda/home