
Avaya SBC delivering Certificate to j129 phones over port 443

pontim (Programmer), Aug 18, 2021
Hi,
I've been testing a scenario with J129 phones over TLS. The phones are provisioning themselves with the Root CA certificate over port 443. For some reason the certificate is being downloaded automatically, but I thought I had to upload the certificate first to be able to use port 443 and HTTPS to download the phone settings.

Is there a way to make it work that way and not have the SBC and IP Office deliver it to the phone automatically? In the case of the softphones I have to install the certificate first to be able to download the settings over HTTPS.

Thanks!
 
Probably the J129 phones by default trust all TLS servers, regardless of whether they know the CA or not. Eventually there is an option to disable this behavior, but as it is the default setting, I would say it will not help you. But... in case someone hijacks your FQDN, they wouldn't work anymore.

What you could do is adjust the reverse proxy setting in the SBC to not allow download of WebRootCA.pem. I.e. you can forward '/WebRootCA.pem' to a non-existing destination like '/thereisnocert.pem'.
 
It's kind of chicken and egg (and by the way, it was the egg). You can't provision phones with a certificate over 443 (HTTPS) without the phones already having a certificate. So the Avaya design has always allowed new/defaulted phones to start on HTTP in order to get the certificate and the instructions to switch from HTTP to HTTPS.

When there's an SBC in the middle, the easy option is for the SBC to only allow HTTPS file transfers. For new phones, you then either initially configure them internally, so that they get the certificate/settings directly and you then take them to the remote site, or use a provisioning server (HTTP file server on your own PC) to feed them the cert file and a minimal settings file that tells them the true file server address and to use HTTPS.
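One way to build the "provisioning server on your own PC" described in the reply above, as an added example that is not part of this thread and not an Avaya tool: a small plaintext HTTP server for an isolated staging LAN that hands a defaulted phone exactly two files, the root CA (WebRootCA.pem) and a minimal 46xxsettings.txt that points it at the real HTTPS file server, and refuses everything else. It is HTTP on purpose, because the phone has no trust anchor yet; that is the chicken-and-egg the reply describes, and it is only acceptable on a network you control. The parameter names written into the settings file (TRUSTCERTS, TLSSRVR, TLSSRVRID) are assumptions taken from the general 46xxsettings convention and must be checked against the J129 administration guide for the firmware in use; the hostname sbc.example.com and the staging directory layout are likewise assumed.

```python
#!/usr/bin/env python3
"""Minimal staging provisioning server for J-series phones (added example).

Serves two files over plain HTTP from a staging directory on a trusted LAN:
the root CA the phone must learn (WebRootCA.pem) and a minimal
46xxsettings.txt that points the phone at the real HTTPS file server.
Any other request gets a 404, so a defaulted phone can pull nothing beyond
the bootstrap it needs.  Settings parameter names below are assumed from the
46xxsettings convention and must be verified against the Avaya J129 guide.
"""
import os
import sys
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit

CA_FILE = "WebRootCA.pem"
SETTINGS_FILE = "46xxsettings.txt"
ALLOWED = {CA_FILE, SETTINGS_FILE}   # exact-name allowlist; no wildcard entry


def minimal_settings(https_server: str) -> str:
    """Build the bootstrap settings file.

    https_server is the hostname of the real HTTPS file server (SBC or
    IP Office).  It must be the name on that server's certificate so that
    identity checking holds once the phone switches to HTTPS.
    """
    lines = [
        "## bootstrap settings served from the staging PC (constructed example)",
        f"SET TRUSTCERTS {CA_FILE}",    # assumed: CA file(s) the phone imports as trusted
        f"SET TLSSRVR {https_server}",  # assumed: HTTPS file server used from now on
        "SET TLSSRVRID 1",              # assumed: verify server identity against the cert
    ]
    return "\n".join(lines) + "\n"


def allowed_name(url_path: str):
    """Return the file name to serve, or None if the request is refused.

    Only the last path component is considered, so '/WebRootCA.pem',
    '/dir/WebRootCA.pem' and '/WebRootCA.pem?x=1' all map to the CA file,
    while '/', '/WebRootCA.pem.bak' or '/thereisnocert.pem' are refused.
    """
    name = urlsplit(url_path).path.rsplit("/", 1)[-1]
    return name if name in ALLOWED else None


def write_settings(staging_dir: str, https_server: str) -> str:
    """Write the minimal settings file into the staging directory."""
    os.makedirs(staging_dir, exist_ok=True)
    target = os.path.join(staging_dir, SETTINGS_FILE)
    with open(target, "w") as f:
        f.write(minimal_settings(https_server))
    return target


class BootstrapHandler(BaseHTTPRequestHandler):
    staging_dir = "."

    def do_GET(self):
        name = allowed_name(self.path)
        if name is None:
            self.send_error(404)
            return
        try:
            with open(os.path.join(self.staging_dir, name), "rb") as f:
                body = f.read()
        except OSError:
            self.send_error(404)
            return
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, fmt, *args):
        # Log every request so any phone pulling files from the staging PC is visible.
        sys.stderr.write("%s %s\n" % (self.client_address[0], fmt % args))


if __name__ == "__main__":
    # usage: python3 bootstrap_server.py <staging_dir> <https_server> [bind_addr] [port]
    # Place the real WebRootCA.pem in <staging_dir> first; the settings file is generated.
    staging, https_server = sys.argv[1], sys.argv[2]
    bind = sys.argv[3] if len(sys.argv) > 3 else "0.0.0.0"
    port = int(sys.argv[4]) if len(sys.argv) > 4 else 80
    write_settings(staging, https_server)
    BootstrapHandler.staging_dir = staging
    HTTPServer((bind, port), BootstrapHandler).serve_forever()
```

Run it on the staging PC with the phones' DHCP or manual file-server setting pointed at that PC, let each phone pick up the CA and the bootstrap settings, then move the phone to the remote site where only HTTPS through the SBC is available. The point of the exact-name allowlist is the same one the later reply in this thread makes about the SBC reverse proxy: a catch-all entry serves whatever the client asks for, so list only the files that must be reachable.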
 
The way I thought about doing it is loading the cert via the phone's web management; once it's on the local network I can supply the cert.
That part would be solved; the issue is the auto-provisioning of the cert, that's what I don't consider secure.

I'll check your suggestions and let you know which one I found to be the best solution overall.

Thanks a lot!
 
> Probably the J129 phones by default trust all TLS servers, regardless of whether they know the CA or not. Eventually there is an option to disable this behavior, but as it is the default setting, I would say it will not help you. But... in case someone hijacks your FQDN, they wouldn't work anymore.
>
> What you could do is adjust the reverse proxy setting in the SBC to not allow download of WebRootCA.pem. I.e. you can forward '/WebRootCA.pem' to a non-existing destination like '/thereisnocert.pem'.

I've been trying to get this to work but I have no positive results. I'm using the Replace URL fields but it does nothing. I can still get the cert, and even the 46xxsettings files are visible, which I don't really think is safe either :/
 
The default entry '/' is like a wildcard that matches any URL.

So you have to create entries for 46xxsettings.txt and the other needed URLs and remove the '/' entry.
 