Vodia PBX forum
corona

Different Certificate used in HTTPS and TLS?


Hi,

Could anyone help me with getting the certificate working on our Snom ONE? We bought a RapidSSL certificate for our SIP server, and I can see the server uses the new certificate in the HTTPS connection right after I install the certificate. I then turn on the strict certificate verification option in our snom phone to get better security over the connection. However, the phone shows that the server does not use the purchased certificate. Instead, it still uses a self-generated certificate in the TLS connection. Could anyone shed some light for me?

Attached is some information that may be helpful.

TLS_Certificate_from_Server.jpg: The TLS certificate that the phone receives from the server.

Certificate_Installed_on_Server.jpg: I have installed the purchased certificate as every type in the server.

sip_error.txt: The error message from the phone log.


I just tried, but it still did not work..:(... I converted the Equifax_Secure_Certificate_Authority.cer to DER format and uploaded it to the phone. I also cleaned up the certificates in the Snom ONE server as well, and only the purchased certificate and the Equifax_Secure_Certificate_Authority certificate were kept.

 

I still got the same error message from the phone:

[1] 8/5/2011 00:09:49: TLS: Could not verify certificate <Country: DE; State: Berlin; Locality Berlin; Organization: Snom Technology AG; Common Name: 000413440000; eMail: >. Unknown issuer <Country: DE; State: Berlin; Locality Berlin; Organization: Snom Technology AG; Common Name: snom ONE intermediate; eMail: >.

[1] 8/5/2011 00:09:49: TLS: Refusing TLS connection. Invalid or unknown Certificate received

 

From the "Common Name" field, I think the certificate that got rejected by the phone is generated by the Snom ONE server? This also means the server didn't use the certificate I provided, but generated one by itself instead.


> I just tried, but it still did not work..:(...

 

Umm... this is getting more interesting now. I just figured out that the server will use different certificates in the HTTPS connection with different browsers, and only Firefox (both 3.6 and 4.0) could make the server use the correct certificate.

My test result:

Firefox: correct certificate used

IE 8.0: self-generated certificate used

Chrome 11: self-generated certificate used

IE 9.0: Internet Explorer cannot display the webpage (duh!!)

It seems that the Snom ONE server has different HTTPS/TLS behavior with different agents (which causes my problem). Does anyone see this as well?

Server version: 2011-4.2.0.3981 (FreeBSD)

License Status: snom ONE blue

Edit: I added our certificate as the "Server certificate chain + private key". But when I connect to the server using its IP address, the server still uses a self-generated certificate. Is this correct behavior?

Edited by corona


It even gets more confusing... snom m9 does support server-extensions, where the phone can tell the PBX which domain to use. The other phones (3xx, 8xx) don't support that. m9 and 8xx include certificates signed by snom Root CA, so that the PBX can authenticate the phones with client certificates.

If you are using 3xx phones, you should probably not load a domain certificate, but a server certificate chain for the whole PBX. Notice that you might have to include the chain, if the path from the Root CA to the certificate includes intermediate certificates.

I know, this whole thing sounds like rocket science and I have to say, it probably is.


> It even gets more confusing... snom m9 does support server-extensions, where the phone can tell the PBX which domain to use. The other phones (3xx, 8xx) don't support that. m9 and 8xx include certificates signed by snom Root CA, so that the PBX can authenticate the phones with client certificates.
>
> If you are using 3xx phones, you should probably not load a domain certificate, but a server certificate chain for the whole PBX. Notice that you might have to include the chain, if the path from the Root CA to the certificate includes intermediate certificates.
>
> I know, this whole thing sounds like rocket science and I have to say, it probably is.

 

It is still easier than Calculus, IMHO..:P...

I actually have added our certificate as the server certificate for the PBX, and I also added the certificate from Equifax Secure Certificate Authority as the root CA for both server and client. But Snom ONE still uses a self-generated certificate. (I have also tried to add our certificate + Equifax certificate as the server certificate as well)

I think the problem is that Snom ONE will use a self-generated certificate when the client requests a certificate using an IP address. An easy way to test is to connect to the server using https://ip.address/ and you can see that Snom ONE responds with a self-generated certificate even if a server certificate is assigned. Could you test it?

Have a nice day.


Right, the domain key is only used if the requested domain (through TLS server extensions) matches exactly the domain name.

Try to delete the domain certificate (+ private key) and import the certificate and private key as server certificate. That should override the default key. If you have only one domain, this is definitely the easier/right way to solve the problem.

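To see which certificate the PBX answers with, the handshake can be repeated with and without the TLS server name extension (SNI) that the reply above refers to, and both results compared with the purchased certificate. This is an added example, not part of the original thread or the PBX's own code; the function names, verdict strings and command-line arguments are assumptions chosen for illustration.

```python
import hashlib
import socket
import ssl


def presented_cert(host, port, sni=None, timeout=5.0):
    """Return the DER certificate the server presents; sni=None sends no server name."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # inspecting the certificate, not trusting it
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=sni) as tls:
            return tls.getpeercert(binary_form=True)


def fingerprint(der):
    return hashlib.sha256(der).hexdigest()


def diagnose(expected_der, with_sni_der, without_sni_der):
    """Classify where the purchased certificate is actually served."""
    want = fingerprint(expected_der)
    sni_ok = fingerprint(with_sni_der) == want
    plain_ok = fingerprint(without_sni_der) == want
    if sni_ok and plain_ok:
        return "server-wide"    # every client sees the purchased certificate
    if sni_ok:
        return "sni-only"       # clients without SNI, or using the IP, get another one
    if plain_ok:
        return "no-sni-only"
    return "not-served"         # the server answers with some other certificate


def probe(host, port, cert_path):
    """cert_path: PEM file holding only the purchased server certificate."""
    with open(cert_path) as fh:
        expected = ssl.PEM_cert_to_DER_cert(fh.read())
    return diagnose(expected, presented_cert(host, port, sni=host),
                    presented_cert(host, port))


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 4:      # usage: HOST PORT purchased-cert.pem
        print(probe(sys.argv[1], int(sys.argv[2]), sys.argv[3]))
```

A result of "sni-only" matches the symptom in this thread: clients that send the server name get the purchased certificate, while phones or browsers that do not send it get a different one.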

> Right, the domain key is only used if the requested domain (through TLS server extensions) matches exactly the domain name.
>
> Try to delete the domain certificate (+ private key) and import the certificate and private key as server certificate. That should override the default key. If you have only one domain, this is definitely the easier/right way to solve the problem.

 

I just tried, but still couldn't get the certificate to work. I deleted the domain certificate first. I then installed our certificate + private key as the server certificate. I also tried to install our certificate with Equifax root CA + private key, both do not work. Snom ONE will use a self-generated certificate in the HTTPS connection afterward.

Any ideas?...


> I just tried, but still couldn't get the certificate to work. I deleted the domain certificate first. I then installed our certificate + private key as the server certificate. I also tried to install our certificate with Equifax root CA + private key, both do not work. Snom ONE will use a self-generated certificate in the HTTPS connection afterward.
>
> Any ideas?...

 

I can offer our login credentials if you have time to check it out. (but I can't send a PM to you though.)


So we invested the 12.95 and bought a certificate from RapidSSL. These steps worked for us:

Copy the certificate that you have received from RapidSSL in the email into the Certificate input box, followed by the intermediate CA (in the same input box, leave an empty line between them). Copy the private key into the private key section (we modified the private key a little in this post in order to keep it private). Then select "Server certificate chain + private key" and hit save. There is no restart necessary.

 

 

Certificate input field:

 


 

Private key input field:



 

 

 

 

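Before pasting a bundle into the Certificate input box as described above, its order can be checked: server certificate first, then the intermediate CA that issued it. This is an added example, not part of the original post or the PBX's own code; all function names are assumptions, the sample certificates are constructed skeletons, and the check compares issuer and subject names only, without verifying signatures.

```python
import re
import ssl

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----", re.S)

def read_tlv(buf, pos):
    """Decode one DER element at pos; return (tag, content, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits say how many length bytes follow
        size = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + size], "big"), pos + size
    return tag, buf[pos:pos + length], pos + length

def names(der):
    """Return (issuer, subject) of one X.509 certificate as raw DER bytes."""
    tbs = read_tlv(read_tlv(der, 0)[1], 0)[1]  # Certificate -> tbsCertificate
    fields, pos = [], 0
    while pos < len(tbs) and len(fields) < 6:
        tag, body, pos = read_tlv(tbs, pos)
        fields.append((tag, body))
    if fields[0][0] == 0xA0:  # optional [0] version precedes the serial number
        fields.pop(0)
    return fields[2][1], fields[4][1]  # serial, sigAlg, issuer, validity, subject

def chain_problems(bundle_pem):
    """Report ordering faults in a pasted bundle: leaf first, then its issuers."""
    certs = [names(ssl.PEM_cert_to_DER_cert(p)) for p in PEM_RE.findall(bundle_pem)]
    if not certs:
        return ["no certificate found"]
    problems = []
    if certs[0][0] == certs[0][1]:
        problems.append("first certificate is self-signed")
    for i in range(len(certs) - 1):
        if certs[i][0] != certs[i + 1][1]:
            problems.append(f"certificate {i + 1} is not issued by certificate {i + 2}")
    return problems

# --- constructed sample: skeletal DER with only the fields names() reads ---
def tlv(tag, content):
    return bytes([tag, len(content)]) + content  # short-form length, < 128 bytes

def sample_cert(issuer_cn, subject_cn):
    name = lambda cn: tlv(0x30, tlv(0x0C, cn.encode()))
    tbs = (tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + tlv(0x30, b"")
           + name(issuer_cn) + tlv(0x30, b"") + name(subject_cn))
    return ssl.DER_cert_to_PEM_cert(tlv(0x30, tlv(0x30, tbs)))

LEAF = sample_cert("Example Intermediate CA", "pbx.example.com")
INTERMEDIATE = sample_cert("Example Root CA", "Example Intermediate CA")
```

An empty list from `chain_problems` means the bundle is in the order the post describes; the reader works on real PEM certificates as well as on the constructed samples.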
