I would assume (I may be wrong) that the CA used to secure TLS with the phone would require the phone conifg to specify the certificate AND have the certiciate loaded in the phone. (i.e. use this on, here it is). Have you checked the cfg files to see the certificate is specified?
On Wed, Apr 13, 2011 at 10:19 AM, Staffan Kerker <[email protected]> wrote: > I've installed the following chain of Polycom CAs in SipX (not via GUI > though) downloaded from http://pki.polycom.com/pki/ > > Polycom Root CA.crt > > Polycom Equipment Policy CA.crt > > Polycom Equipment Issuing CA 1.crt > > Maybe I shall install the last one as well, the "Polycom Issuing CA 2". I've > also, as mentioned, installed the SipX self-signed CA onto the Polycom phone > using the info in the SipX Wiki. The Wiki does not describe the procedure of > installing the Polycom Root CA in order to use TLS. It only talks about > getting the SipX CA cert onto the Polycom phone. What is required? Do we > really use mutual TLS authentication, or only server based authentication > (client authenticates server by installing the CA cert of SipX)? > Is anyone running SIP over TLS for Polycom phones? > //Staffan > > > > > On 13 apr 2011, at 15.08, Joegen Baclor wrote: > > I have proposed being able to upload phone CA via the config. I know there > are several CA for Polycom as documented in the site. Decrypt Error seems > to indicate that you have uploaded the wrong CA signature than what your > phone is sending. We need to pull some strings in Polycom to get into the > bottom of this. Perhaps one with subscription support? > > On 04/13/2011 07:58 PM, Staffan Kerker wrote: > > Hi all, > > I'm trying to get TLS working properly between the connected endpoints > (Polycom Soundpoint IP335) and the SipXproxy. No firewalls/NAT or anything > inbetween. > > I'm running v3.2.5 on the Polycoms and SipXecs version 4.4.0- > 2011-04-01EDT23:24:23 domU-12-31-39-0E-DD-81 > > I have followed the guide provided on the Wiki > (http://wiki.sipfoundry.org/display/sipXecs/Installing+the+Root+CA+Server+Certificate+on+the+Polycom+Phone) > and > (http://wiki.sipfoundry.org/display/sipXecs/Polycom+Phone+using+sipXecs+TLS+transport) > but still, no sucess. The polycom UI tells me that the SipX CA ceritifate is > installed > successfully on the phone and I've tried both using "All Certificates" and > "Custom Certificates" in the Polycom settings. > > However, no TLS. I look at the Wireshark traces and notice the the TLS > handshake is failing since (as far as I understand it) the Polycom is not > sending the correct client certificate to the > server. After server has sent Certificate, Certificate Request and > ServerHelloDone, the Polycom responds with a Certificate message containing > the Polycom certificates, not the by SipX > generated (and on the Polycom installed) certificate. This ends with a Fatal > Error and the Polycom falls back to TCP. > > First, the error was "Unknown CA" but after installing the Polycom chain of > root CA on SipX, it's now "Decrypt Error"... But the guide says nothing > about the need to install the Polycom device > Root CA on the SipX server in this situation. > > I'm confused... and would be very happy with some guidance... > > //Staffan > > > > > -- > Staffan Kerker > mail/sip/xmpp: [email protected] > > "Don't get involved in politics man, just play the gig..." /Sgt Floyd, > Electric Mayhem Band > > > > > > _______________________________________________ > sipx-users mailing list > [email protected] > List Archive: http://list.sipfoundry.org/archive/sipx-users/ > > -- > Staffan Kerker > mail/sip/xmpp: [email protected] > "Don't get involved in politics man, just play the gig..." /Sgt Floyd, > Electric Mayhem Band > > > > > _______________________________________________ > sipx-users mailing list > [email protected] > List Archive: http://list.sipfoundry.org/archive/sipx-users/ > -- ====================== Tony Graziano, Manager Telephone: 434.984.8430 sip: [email protected] Fax: 434.326.5325 Email: [email protected] LAN/Telephony/Security and Control Systems Helpdesk: Telephone: 434.984.8426 sip: [email protected] Helpdesk Contract Customers: http://support.myitdepartment.net Blog: http://blog.myitdepartment.net Linked-In Profile: http://www.linkedin.com/pub/tony-graziano/14/4a6/7a4 _______________________________________________ sipx-users mailing list [email protected] List Archive: http://list.sipfoundry.org/archive/sipx-users/
