Configuring Security Features
205
negotiation with “Server Hello Done” message.
Step3: The IP phone sends session key information (encrypted by server’s public key) in
the “Client Key Exchange” message.
Step4: Server sends “Change Cipher Spec” message to activate the negotiated options
for all future messages it will send.
IP phones can encrypt SIP with TLS, which is called SIPS. When TLS is enabled for an
account, the SIP message of this account will be encrypted, and a lock icon will appear
on the LCD screen after the successful TLS negotiation.
Certificates
The IP phone can serve as a TLS client or a TLS server. The TLS requires the following
security certificates to perform the TLS handshake:
Trusted Certificate: When the IP phone requests a TLS connection with a server, the
IP phone should verify the certificate sent by the server to decide whether it is
trusted based on the trusted certificates list. The IP phone has 30 built-in trusted
certificates. You can upload up to 10 custom certificates to the IP phone. The format
of the certificates must be *.pem, *.cer, *.crt and *.der.
Server Certificate: When clients request a TLS connection with the IP phone, the IP
phone sends the server certificate to the clients for authentication. The IP phone
has two types of built-in server certificates: a unique server certificate and a
generic server certificate. You can only upload one server certificate to the IP
phone. The old server certificate will be overridden by the new one. The format of
the server certificate files must be *.pem and *.cer.
-
A unique server certificate: It is installed by default and is unique to an IP
phone (based on the MAC address) and issued by the Yealink Certificate
Authority (CA).
-
A generic server certificate: It is installed by default and is issued by the
Yealink Certificate Authority (CA). Only if no unique certificate exists, the IP
phone may send a generic certificate for authentication.
The IP phone can authenticate the server certificate based on the trusted certificates list.
The trusted certificates list and the server certificates list contain the default and custom
certificates. You can specify the type of certificates the IP phone accepts: default
certificates, custom certificates, or all certificates.
Common Name Validation feature enables the IP phone to mandatorily validate the
common name of the certificate sent by the connecting server.
Note
In TLS feature, we use the terms trusted and server certificates. These are also known as
CA and device certificates.
Firmware upgrade from version 71 to 72 will result in update of the default server
certificates.
Содержание SIP-T4X
Страница 1: ...T 4 XI PP h o n e A d mi n i s t r a t o r G u i d e...
Страница 2: ......
Страница 15: ...Administrator s Guide for SIP T4X IP Phones xiv...
Страница 23: ...Administrator s Guide for SIP T4X IP Phones 8...
Страница 217: ...Administrator s Guide for SIP T4X IP Phones 202...
Страница 233: ...Administrator s Guide for SIP T4X IP Phones 218...
Страница 245: ...Administrator s Guide for SIP T4X IP Phones 230...
Страница 256: ...Troubleshooting 241 Factory reset can restore the original password All custom settings will be overwritten after reset...
Страница 257: ...Administrator s Guide for SIP T4X IP Phones 242...