Administrator’s Guide for SIP-T2 Series/T19(P) E2/T4 Series/T5 Series IP Phones
806
Step2:
Server responds with “Server Hello” message selecting the SSL options, sends its public
key information in “Server Key Exchange” message and concludes its part of the negotiation
with “Server Hello Done” message.
Step3:
IP phone sends session key information (encrypted by server’s public key) in the “Client
Key Exchange” message.
Step4:
Server sends “Change Cipher Spec” message to activate the negotiated options for all
future messages it will send.
IP phones can encrypt SIP with TLS, which is called SIPS. When TLS is enabled for an account, the
SIP message of this account will be encrypted, and a lock icon appears on the LCD screen after
the successful TLS negotiation.
Certificates
The IP phone can serve as a TLS client or a TLS server. The TLS requires the following security
certificates to perform the TLS handshake:
Trusted Certificate
: When the IP phone requests a TLS connection with a server, the IP
phone should verify the certificate sent by the server to decide whether it is trusted based
on the trusted certificates list. The IP phone has 77 built-in trusted certificates. You can
upload 10 custom certificates at most. The format of the trusted certificate files must be
*.pem,*.cer,*.crt and *.der and the maximum file size is 5MB. For more information on 77
trusted certificates, refer to
Appendix C: Trusted Certificates
on page
Server Certificate
: When clients request a TLS connection with the IP phone, the IP phone
sends the server certificate to the clients for authentication. The IP phone has two types of
built-in server certificates: a unique server certificate and a generic server certificate. You
can only upload one server certificate to the IP phone. The old server certificate will be
overridden by the new one. The format of the server certificate files must be *.pem and
*.cer and the maximum file size is 5MB.
-
A unique server certificate
: It is unique to an IP phone (based on the MAC address)
and issued by the Yealink Certificate Authority (CA).
-
A generic server certificate
: It issued by the Yealink Certificate Authority (CA). Only if
no unique certificate exists, the IP phone may send a generic certificate for
authentication.
The IP phone can authenticate the server certificate based on the trusted certificates list. The
trusted certificates list and the server certificates list contain the default and custom certificates.
You can specify the type of certificates the IP phone accepts: default certificates, custom
certificates or all certificates.
Common Name Validation feature enables the IP phone to mandatorily validate the common
name of the certificate sent by the connecting server.
And Security verification rules are
compliant with RFC 2818.
Note
In TLS feature, we use the terms trusted and server certificate. These are also known as CA and
device certificates.
Resetting the IP phone to factory defaults will delete custom certificates by default. But this
feature is configurable by the parameter “static.phone_setting.reserve_certs_enable” using the
configuration file.
Summary of Contents for SIP-T19 E2 T4 Series
Page 1: ...63 ...
Page 532: ...Administrator s Guide for SIP T2 Series T19 P E2 T4 Series T5 Series IP Phones 510 ...
Page 734: ...Administrator s Guide for SIP T2 Series T19 P E2 T4 Series T5 Series IP Phones 712 ...
Page 814: ...Administrator s Guide for SIP T2 Series T19 P E2 T4 Series T5 Series IP Phones 792 ...
Page 850: ...Administrator s Guide for SIP T2 Series T19 P E2 T4 Series T5 Series IP Phones 828 ...
Page 887: ...Troubleshooting 865 The phone begins rebooting Any reboot of the phone may take a few minutes ...