Deployment Tool with TLS
Use of TLS by an IP Phone
An IP Phone contains both a TLS server and a TLS client. The TLS server is used with the phone's webserver and the phone's XML management interface. The TLS client is used with the phone's telephony client. (The PC's telephony server contains a TLS server, while the PC's web client and XML management client are TLS clients.) As discussed above, a TLS server requires its own key material (private key and public key certificate chain). A TLS client does not require certificates if server authentication is not required.
Key material is hard-coded into the phone software to allow the phone's TLS server to work by default. The default key material has a two-certificate chain consisting of the end-entity certificate and a self-signed CA certificate. Since the certificate chain is transported to the client during the TLS handshake, the client can decide to trust the self-signed certificate and store it locally for subsequent authentication of other phones, if the client software permits. Key material does not normally include the trusted certificate; the phone's default key material does, as a means of distributing it. By default, the phone's TLS client is configured not to perform server authentication, and has no default trusted certificate.
For improved security, the user can transfer their own server key material and client trusted certificates to the phone, using the XML management interface. The phone will use the new key material and trusted certificates in preference to the defaults. If the user supplies client trusted certificates, the phone's TLS client will perform server authentication, which must be successful to establish a TLS connection.
The key material is transferred in a single file, containing a private key and matching public key certificate chain. The trusted certificates are transferred in a separate, single file, as an aggregate, not a chain. The phone supports only one server key material file and one client trusted certificates file. The XML management interface allows the user to read back the files and delete them from the phone. The files are transferred over XML in unencrypted PKCS#12 format, so the private key is protected in transit only as far as the XML management session itself is protected by TLS.
Instructions for using the Deployment Tool with TLS
The Deployment Tool is a PC application for configuring batches of IP Phones using the XML management interface.
Operating the XML Management Interface over TLS
The Deployment Tool is a TLS client, and authenticates the identity of the TLS servers on the phones it configures. For this, it requires a subject DN and a trusted CA certificate to validate the certificate chains received from the phones during the TLS handshake. Once these are specified, no further action is required to configure either TLS or non-TLS phones. The Tool itself determines whether or not to use TLS from the type of phone being configured.
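The two checks described above, the phone's default two-certificate chain (end-entity plus self-signed CA) and the Deployment Tool's validation of that chain against a configured trusted CA and subject DN, as an added Go example that is not code from the phone or the Tool. It generates throwaway certificates in memory; the names "Phone Default CA" and "ip-phone-0001" are constructed, and the subject DN check is reduced to the CN for brevity.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue makes a certificate for cn: self-signed when parent is nil (standing in for the
// phone's default CA), otherwise signed by parent (the phone's end-entity certificate).
func issue(cn string, parent *x509.Certificate, pkey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour), IsCA: parent == nil, BasicConstraintsValid: true}
	if parent == nil { // self-signed: the template is its own issuer
		parent, pkey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, pkey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// verifyPhone models the Deployment Tool's server authentication: the chain the phone sends (end-entity first,
// then its CA) must validate against a trusted CA and carry the expected subject DN. With the default
// two-certificate chain the CA is the root itself; longer chains would add chain[1:] as Intermediates.
func verifyPhone(chain, trusted []*x509.Certificate, wantCN string) error {
	roots := x509.NewCertPool() // empty but non-nil when nothing is trusted, so system roots are never used
	for _, c := range trusted {
		roots.AddCert(c)
	}
	if _, err := chain[0].Verify(x509.VerifyOptions{Roots: roots}); err != nil {
		return err // "certificate signed by unknown authority" when no trusted CA matches
	}
	if got := chain[0].Subject.CommonName; got != wantCN {
		return fmt.Errorf("subject DN mismatch: got %q, want %q", got, wantCN)
	}
	return nil
}

func main() {
	ca, caKey := issue("Phone Default CA", nil, nil)
	leaf, _ := issue("ip-phone-0001", ca, caKey) // chain presented by the phone: leaf, then ca
	fmt.Println("CA pinned from the chain:", verifyPhone([]*x509.Certificate{leaf, ca}, []*x509.Certificate{ca}, "ip-phone-0001"))
}
```

Passing nil as the trusted set reproduces the phone's own client default, in which no server authentication is possible; Verify then fails with an unknown-authority error rather than silently succeeding.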