netpro78 Posted September 8, 2017 I am trying to utilize multiple certificates. I have a wildcard certificate as the server certificate. I have a regular certificate as well that I have uploaded as a domain certificate. When using the web portal, the system seems to always utilize the proper certificate for what I am accessing. The problem is when I have a phone trying to register to a specific domain: the system does not utilize the certificate that matches the domain I am trying to register to, it is utilizing the wildcard certificate instead. Since the phone does not like the wildcard certificate, the registration fails. My current setup is version 58.3, Polycom VVX 410 firmware version 5.60.
Vodia PBX Posted September 10, 2017 That should in theory work. It is important that the client tells the PBX what domain to use; that is done with a TLS extension in the client hello. I would first make sure from a regular web browser that the PBX presents to the browser the right certificate. If that works, there must be a problem with the phone. Otherwise there must be a problem importing that certificate, for example the domain name does not match exactly the name in the certificate.
netpro78 Posted September 10, 2017 (Author) Regular web browsers do not have the issue. Is there a specific name for the extension that presents the domain name in the client hello? Just trying to be as specific as possible when opening a ticket with Polycom.
Vodia PBX Posted September 14, 2017 Check if they support RFC 3546 (Server Name Indication).
netpro78 Posted September 22, 2017 (Author) While I have a feature request open with the phone manufacturer, is it possible to specify a default certificate that is presented if the client does not support RFC 3546 (Server Name Indication)?
Vodia PBX Posted September 22, 2017 Usually you can use a wildcard certificate as the server certificate that will match most of the domains (e.g. *.best-pbx-ever.com) if all your clients use domain names with that kind of name.
netpro78 Posted September 22, 2017 (Author) Since I am trying to support a phone that does not support server name identification, and it also does not accept wildcard certificates, I would like to set a default certificate that is issued whenever the client does not support server name identification.
Vodia PBX Posted September 25, 2017 Would that help much? In a multi domain environment you'll probably end up with the wrong certificate most of the time. The default is the server certificate right now (you can load wildcard certificates also into domains if they match).
netpro78 Posted September 26, 2017 (Author) This worked well, and I also realized some details that were not in the documentation. One of the confusing issues I was having is that my wildcard and my regular cert both have the same base domain name. My regular cert is xxx.yyy.mydomain.com. The wildcard certificate was *.mydomain.com. The problem was with regards to the web portal (the main reason I have the SSL cert is for the web portal; most all recent browsers support server name identification). If I put the wildcard at the domain level, then the server would utilize it when accessing xxx.yyy.mydomain.com. Technically it should not, and should only match yyy.mydomain.com, and therefore it would not get to the server level traditional cert of xxx.yyy.mydomain.com that I needed to put there in the default position for phones that do not support server name identification. So the solution I found was to put the traditional cert at both the domain and server level, and the wildcard only at the domain level, and everything worked fine. This should not pose much of an issue since very few customers require SIPS/SRTP, so by the time I get another customer that requires it, chances are their phones will support server name identification, or I will have filled the server up and be on to the next one. This does lead to a potential feature request. If a domain could be bound to both a specific IP and port, then you could bind a certificate to the domain. This would make for a much more granular approach. It would also make sense to be able to select certs separately for HTTP versus SIP access.
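The post above turns on two things: what the server does when the ClientHello carries no SNI at all, and why a wildcard like *.mydomain.com should cover yyy.mydomain.com but not xxx.yyy.mydomain.com (RFC 6125 lets one wildcard stand for exactly one leftmost label). The following is an added illustration, not Vodia PBX code: it models the thread's two certificates with the poster's placeholder names and shows how a strict matcher and a naive glob matcher pick differently for the same SNI.

```python
from fnmatch import fnmatchcase

# Constructed certificates modelling the thread's setup (the hostnames are the
# poster's placeholders, not real hosts): one traditional cert, one wildcard.
TRADITIONAL_CERT = {"label": "traditional", "names": ["xxx.yyy.mydomain.com"]}
WILDCARD_CERT = {"label": "wildcard", "names": ["*.mydomain.com"]}


def strict_match(pattern: str, hostname: str) -> bool:
    """RFC 6125 style matching: '*' covers exactly one leftmost DNS label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if not pattern.startswith("*."):
        return False
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    # Same number of labels, and every label after the wildcard must be identical.
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def glob_match(pattern: str, hostname: str) -> bool:
    """Naive glob matching: '*' spans dots, so *.mydomain.com also swallows
    xxx.yyy.mydomain.com, which is the surprising behaviour described in the thread."""
    return fnmatchcase(hostname.lower(), pattern.lower())


def select_certificate(sni, server_cert, domain_certs, matcher=strict_match):
    """Pick the certificate for one TLS handshake.

    With no SNI (a client that does not implement RFC 3546/6066) only the server
    level certificate can be offered, which is why the thread puts the traditional
    cert there. With SNI, the first domain certificate whose name matches wins,
    and the server certificate remains the fallback.
    """
    if not sni:
        return server_cert
    for cert in domain_certs:
        if any(matcher(name, sni) for name in cert["names"]):
            return cert
    return server_cert


if __name__ == "__main__":
    layout = [WILDCARD_CERT, TRADITIONAL_CERT]  # both loaded at domain level
    for host in ("xxx.yyy.mydomain.com", "yyy.mydomain.com", None):
        strict = select_certificate(host, TRADITIONAL_CERT, layout)["label"]
        loose = select_certificate(host, TRADITIONAL_CERT, layout, glob_match)["label"]
        print(f"SNI={host!r}: strict -> {strict}, glob -> {loose}")
```

Under the strict rule the wildcard never claims xxx.yyy.mydomain.com, so the traditional certificate is served with or without SNI; under the glob rule the wildcard shadows it, matching the observation in the post.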
Vodia PBX Posted September 28, 2017 Binding a domain to a specific IP would only work if all other domains bind to a specific (potentially another) IP as well. You could as well just run two instances of the PBX and bind each instance to the specific IP, but IMHO that is overly complicated. Every device should today support Server Name Indication, as every device should support AES and actually TLS 1.2.