Mailing List Archive

Third Party Softphone w/ TLS
Does anyone have a working configuration of using a third party SIP softphone with TLS? I have it working with Cisco phones and Jabber, but am trying to get a third party client working. I'm on CUCM 12.0.

So far, I'm running into an issue with the TLS handshake. The client is using TLS 1.0, and I confirmed that my CUCM nodes do support 1.0. I've put the CallManager cert in the trusted root (local machine) on the Windows client. When attempting to register the client, CUCM gives an error "peer did not return a certificate." That led me to think that I would need to get a signed cert uploaded as a CM-trust cert. I opened a ticket with TAC to ask if that's the case (would rather not have to do a client cert if I don't need to) and they suggested I may not need one. I haven't been able to get more out of them on this yet (after a week), so I figured I'd ask here.

Tim Johnson
Voice & Video Engineer
Central Michigan University
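The error quoted above is what an OpenSSL-based server reports when it sent a CertificateRequest during the handshake and the client answered with an empty Certificate message. The following is an added example, not part of this thread or any Cisco code: it builds a constructed TLS 1.0 server flight and client flight (dummy bytes stand in for DER certificates, and the port, hostnames and cipher suite are assumptions) and parses them to show whether the server demanded a client certificate and whether the client offered one. Run against a packet capture of the real handshake, the same two checks tell you which side of the mutual-TLS requirement is missing.

```python
"""Parse a constructed TLS 1.0 handshake and report whether the server
demanded a client certificate and whether the client supplied one."""
import struct

HANDSHAKE = 0x16          # TLS record content type for handshake messages
TLS10 = (3, 1)            # record-layer version bytes for TLS 1.0

# Handshake message types from RFC 2246 section 7.4
HS_SERVER_HELLO, HS_CERTIFICATE, HS_CERTIFICATE_REQUEST = 2, 11, 13
HS_SERVER_HELLO_DONE, HS_CLIENT_KEY_EXCHANGE = 14, 16


def handshake_msg(hs_type: int, body: bytes) -> bytes:
    """Handshake header: 1-byte type followed by a 3-byte body length."""
    return bytes([hs_type]) + len(body).to_bytes(3, "big") + body


def record(*msgs: bytes) -> bytes:
    """One TLS 1.0 record carrying one or more handshake messages."""
    payload = b"".join(msgs)
    return bytes([HANDSHAKE, *TLS10]) + struct.pack("!H", len(payload)) + payload


def parse_handshakes(data: bytes):
    """Yield (hs_type, body) for every handshake message in a run of records.
    Handles several messages coalesced in one record, not a message split
    across records (a full parser would need reassembly)."""
    off = 0
    while off < len(data):
        ctype, _major, _minor, rlen = struct.unpack_from("!BBBH", data, off)
        off += 5
        payload = data[off:off + rlen]
        if len(payload) != rlen:
            raise ValueError("truncated record")
        off += rlen
        if ctype != HANDSHAKE:
            continue                       # alerts, CCS etc. are not examined
        p = 0
        while p < len(payload):
            hs_type = payload[p]
            hlen = int.from_bytes(payload[p + 1:p + 4], "big")
            body = payload[p + 4:p + 4 + hlen]
            if len(body) != hlen:
                raise ValueError("truncated handshake message")
            yield hs_type, body
            p += 4 + hlen


def diagnose(server_flight: bytes, client_flight: bytes) -> dict:
    """Report whether the server asked for a client cert and whether the
    client answered with one. An empty Certificate message (3-byte list
    length of zero) is how a TLS 1.0 client says it has nothing to offer;
    a server that requires a client cert then aborts, and OpenSSL reports
    it as "peer did not return a certificate"."""
    server = list(parse_handshakes(server_flight))
    client = list(parse_handshakes(client_flight))
    requested = any(t == HS_CERTIFICATE_REQUEST for t, _ in server)
    sent_cert = any(t == HS_CERTIFICATE and int.from_bytes(b[:3], "big") > 0
                    for t, b in client)
    if requested and not sent_cert:
        verdict = "mutual TLS required, client offered no certificate"
    elif requested:
        verdict = "mutual TLS, client presented a certificate"
    else:
        verdict = "server-only TLS, no client certificate requested"
    return {"server_requested_client_cert": requested,
            "client_sent_cert": sent_cert, "verdict": verdict}


# --- constructed sample flights (dummy bytes stand in for real DER certs) ---
DUMMY_CERT = b"\x30\x03\x02\x01\x00"     # placeholder only, not a real certificate


def cert_message(certs) -> bytes:
    """Certificate message: 3-byte list length, then 3-byte-length-prefixed DER blobs."""
    entries = b"".join(len(c).to_bytes(3, "big") + c for c in certs)
    return handshake_msg(HS_CERTIFICATE, len(entries).to_bytes(3, "big") + entries)


def sample_server_flight(require_client_cert: bool = True) -> bytes:
    # ServerHello: version, 32-byte random, empty session id, one cipher suite, null compression
    hello = handshake_msg(HS_SERVER_HELLO, bytes(TLS10) + bytes(32) + b"\x00" + b"\x00\x2f" + b"\x00")
    msgs = [hello, cert_message([DUMMY_CERT])]
    if require_client_cert:
        # CertificateRequest: one certificate type (rsa_sign), empty list of CA names
        msgs.append(handshake_msg(HS_CERTIFICATE_REQUEST, b"\x01\x01" + b"\x00\x00"))
    msgs.append(handshake_msg(HS_SERVER_HELLO_DONE, b""))
    return record(*msgs)


def sample_client_flight(with_cert: bool) -> bytes:
    cert = cert_message([DUMMY_CERT] if with_cert else [])
    key_exchange = handshake_msg(HS_CLIENT_KEY_EXCHANGE, b"\x00\x02\xaa\xbb")
    return record(cert) + record(key_exchange)   # two records, as a real client may send


if __name__ == "__main__":
    print(diagnose(sample_server_flight(), sample_client_flight(with_cert=False))["verdict"])
```

If the capture shows a CertificateRequest from CUCM and an empty Certificate from the softphone, the fix is on the client side (a certificate the CallManager trust store accepts) or on the security profile (a mode that does not require mutual TLS); if no CertificateRequest appears at all, the failure is elsewhere in the handshake.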
Re: Third Party Softphone w/ TLS [ In reply to ]
I think enabling Digest Authentication on the Phone Security Profile is the
workaround to not need mutual TLS.

Do you have Digest Authentication checked on the Phone Security Profile and
an end user set as the digest user on the phone config and a digest
password configured under the end user?

On Thu, Jan 21, 2021 at 11:56 AM Johnson, Tim <johns10t@cmich.edu> wrote:

> Does anyone have a working configuration of using a third party SIP
> softphone with TLS? I have it working with Cisco phones and Jabber, but am
> trying to get a third party client working. I’m on CUCM 12.0.
>
> So far, I’m running into an issue with the TLS handshake. The client is
> using TLS 1.0, and I confirmed that my CUCM nodes do support 1.0. I’ve put
> the CallManager cert in the trusted root (local machine) on the Windows
> client. When attempting to register the client, CUCM gives an error “peer
> did not return a certificate.” That led me to think that I would need to
> get a signed cert uploaded as a CM-trust cert. I opened a ticket with TAC
> to ask if that’s the case (would rather not have to do a client cert if I
> don’t need to) and they suggested I may not need one. I haven’t been able
> to get more out of them on this yet (after a week), so I figured I’d ask
> here.
>
> Tim Johnson
>
> Voice & Video Engineer
>
> Central Michigan University
>
> _______________________________________________
> cisco-voip mailing list
> cisco-voip@puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-voip
>
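With Digest Authentication on the phone security profile, CUCM authenticates the phone at the SIP layer (a 401 challenge on REGISTER, answered with an MD5 digest of the end user's digest credentials) instead of at the TLS layer with a client certificate. The following is an added example, not part of this thread or any Cisco code, showing both halves of that exchange as defined in RFC 3261 section 22.4 / RFC 2617: a server that issues nonces and verifies responses from a stored HA1, and a client that answers the challenge. The realm `cucm.example.com`, user `1001` and password are constructed; how CUCM itself stores digest credentials is not claimed here.

```python
"""SIP Digest authentication (RFC 3261 section 22.4, RFC 2617): the
challenge/response that lets a registrar authenticate a phone without a
client certificate in the TLS handshake. Added example, not Cisco code."""
import hashlib
import re
import secrets
from typing import Optional


def _md5(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def compute_ha1(username: str, realm: str, password: str) -> str:
    """HA1 = MD5(username:realm:password). The server stores this, so the
    clear-text digest password never has to live on the server."""
    return _md5(f"{username}:{realm}:{password}")


def digest_response(ha1: str, method: str, uri: str, nonce: str,
                    qop: Optional[str] = None, nc: Optional[str] = None,
                    cnonce: Optional[str] = None) -> str:
    """Response per RFC 2617, with and without qop=auth."""
    ha2 = _md5(f"{method}:{uri}")
    if qop is None:
        return _md5(f"{ha1}:{nonce}:{ha2}")
    if qop != "auth" or nc is None or cnonce is None:
        raise ValueError("qop=auth requires nc and cnonce")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def build_authorization(username, realm, uri, nonce, response,
                        qop=None, nc=None, cnonce=None) -> str:
    """Authorization header the phone puts on its retried REGISTER."""
    parts = [f'username="{username}"', f'realm="{realm}"', f'nonce="{nonce}"',
             f'uri="{uri}"', f'response="{response}"', "algorithm=MD5"]
    if qop:
        parts += [f"qop={qop}", f"nc={nc}", f'cnonce="{cnonce}"']
    return "Digest " + ", ".join(parts)


_PARAM = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]+))')


def parse_digest_params(header: str) -> dict:
    """Parse a WWW-Authenticate or Authorization value (quoted or bare params)."""
    if not header.startswith("Digest "):
        raise ValueError("not a Digest header")
    return {k: q or u for k, q, u in _PARAM.findall(header[len("Digest "):])}


class DigestVerifier:
    """Registrar side: hand out a nonce in the 401 challenge, then check the
    response on the retried REGISTER against the stored HA1. Nonces here are
    single-use; a real server also expires them and tracks the nc counter."""

    def __init__(self, realm: str, ha1_by_user: dict):
        self.realm = realm
        self.ha1_by_user = ha1_by_user      # constructed credential store
        self.outstanding = set()

    def challenge(self) -> str:
        nonce = secrets.token_hex(16)
        self.outstanding.add(nonce)
        return f'Digest realm="{self.realm}", nonce="{nonce}", qop="auth", algorithm=MD5'

    def verify(self, method: str, authorization: str) -> bool:
        p = parse_digest_params(authorization)
        ha1 = self.ha1_by_user.get(p.get("username"))
        nonce = p.get("nonce")
        if ha1 is None or p.get("realm") != self.realm or nonce not in self.outstanding:
            return False                    # unknown user, wrong realm, or replayed nonce
        if "uri" not in p or "response" not in p:
            return False
        try:
            expected = digest_response(ha1, method, p["uri"], nonce,
                                       p.get("qop"), p.get("nc"), p.get("cnonce"))
        except ValueError:
            return False
        ok = secrets.compare_digest(expected, p["response"])
        if ok:
            self.outstanding.discard(nonce)  # nonce consumed
        return ok


def register_with_digest(server: DigestVerifier, username: str, password: str, uri: str) -> bool:
    """Constructed phone side: take the 401 challenge, answer it, let the server verify."""
    chal = parse_digest_params(server.challenge())
    ha1 = compute_ha1(username, chal["realm"], password)
    cnonce, nc = secrets.token_hex(8), "00000001"
    resp = digest_response(ha1, "REGISTER", uri, chal["nonce"], "auth", nc, cnonce)
    hdr = build_authorization(username, chal["realm"], uri, chal["nonce"], resp, "auth", nc, cnonce)
    return server.verify("REGISTER", hdr)


if __name__ == "__main__":
    realm = "cucm.example.com"
    registrar = DigestVerifier(realm, {"1001": compute_ha1("1001", realm, "s3cret")})
    print(register_with_digest(registrar, "1001", "s3cret", "sip:cucm.example.com"))
```

Digest only proves the phone knows the digest password; it does nothing for confidentiality, which is why it is paired with TLS on the signaling rather than replacing it. The verifier compares with a constant-time function and refuses reused nonces, which is the minimum a registrar needs before accepting the digest instead of a client certificate.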
Re: Third Party Softphone w/ TLS [ In reply to ]
Did you restart tomcat after adding the trust? Seems that is the thing with Cisco these days….. and I am told that in newer versions, restarting the server will be required, as restarting the service isn’t enough…. Only thing I thought of was ok windows….

> On Jan 21, 2021, at 9:55 AM, Johnson, Tim <johns10t@cmich.edu> wrote:
>
> Does anyone have a working configuration of using a third party SIP softphone with TLS? I have it working with Cisco phones and Jabber, but am trying to get a third party client working. I’m on CUCM 12.0.
>
> So far, I’m running into an issue with the TLS handshake. The client is using TLS 1.0, and I confirmed that my CUCM nodes do support 1.0. I’ve put the CallManager cert in the trusted root (local machine) on the Windows client. When attempting to register the client, CUCM gives an error “peer did not return a certificate.” That led me to think that I would need to get a signed cert uploaded as a CM-trust cert. I opened a ticket with TAC to ask if that’s the case (would rather not have to do a client cert if I don’t need to) and they suggested I may not need one. I haven’t been able to get more out of them on this yet (after a week), so I figured I’d ask here.
>
> Tim Johnson
> Voice & Video Engineer
> Central Michigan University
Re: Third Party Softphone w/ TLS [ In reply to ]
I looked at how to secure this briefly for a Polycom endpoint and the explanation in that documentation was that you had to supply a certificate as the client.
So, from that much your assessment that the softphone needs to be presenting some sort of client certificate sounds about right.

I would be curious to hear what the outcome is, as we're starting to let in some more 3rd party devices from Axis, ClearOne, Crestron. 9/10 times I ask about SRTP and SIPS support and the customer has no idea what I'm talking about, but some day someone is going to call my bluff.

I'm not sure what your application is but a targeted VPN connection is probably going to be an easier lift, especially if you're going to enable TLS 1.0.

Adam


From: cisco-voip <cisco-voip-bounces@puck.nether.net> On Behalf Of Kent Roberts
Sent: Thursday, January 21, 2021 6:35 PM
To: Johnson, Tim <johns10t@cmich.edu>
Cc: cisco-voip@puck.nether.net
Subject: Re: [cisco-voip] Third Party Softphone w/ TLS

Did you restart tomcat after adding the trust? Seems that is the thing with Cisco these days..... and I am told that in newer versions, restarting the server will be required, as restarting the service isn't enough.... Only thing I thought of was ok windows....


On Jan 21, 2021, at 9:55 AM, Johnson, Tim <johns10t@cmich.edu> wrote:

Does anyone have a working configuration of using a third party SIP softphone with TLS? I have it working with Cisco phones and Jabber, but am trying to get a third party client working. I'm on CUCM 12.0.

So far, I'm running into an issue with the TLS handshake. The client is using TLS 1.0, and I confirmed that my CUCM nodes do support 1.0. I've put the CallManager cert in the trusted root (local machine) on the Windows client. When attempting to register the client, CUCM gives an error "peer did not return a certificate." That led me to think that I would need to get a signed cert uploaded as a CM-trust cert. I opened a ticket with TAC to ask if that's the case (would rather not have to do a client cert if I don't need to) and they suggested I may not need one. I haven't been able to get more out of them on this yet (after a week), so I figured I'd ask here.

Tim Johnson
Voice & Video Engineer
Central Michigan University