Polycom VVX Phones and TLS

I’m having an issue implementing TLS with Polycom VVX phones.

The handshake completes successfully, but the following appears in the Asterisk log and the phone never registers:

x.x.x.x = endpoint IP, y.y.y.y = PBX IP

[2017-03-08 12:05:20] ERROR[28463] pjproject: sip_transport. Error processing 588 bytes packet from TLS x.x.x.x:40147 : PJSIP syntax error exception when parsing 'Request Line' header on line 1 col 1:
\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\nREGISTER sip:y.y.y.y:5061;transport=tls SIP/2.0
Via: SIP/2.0/TLS x.x.x.x:40147;branch=z9hG4bKeb3d0ff47EDA7B3
From: "Server" <sip:[email protected]:5061>;tag=17445EF2-D0750F59
To: <sip:[email protected]:5061>
CSeq: 1 REGISTER
Call-ID: e6211a9ca3bc861037cb2cc20e80c842
Contact: <sip:[email protected]:40147;transport=tls>;methods="INVITE, ACK, BYE, CANCEL, OPTIONS, INFO, MESSAGE, SUBSCRIBE, NOTIFY, PRACK, UPDATE, REFER"
User-Agent: PolycomVVX-VVX_201-UA/5.5.1.12442
Accept-Language: en
Max-Forwards: 70
Expires: 3600
Content-Length: 0


-- end of packet.

I do not have this issue with older SoundPoint IP devices, only the VVX devices. The SoundPoint IPs register over TLS and complete calls using SRTP.

Obviously something has changed with the newer devices on the Polycom side of things. I was just wondering if anybody had seen this and if there was a solution.

-Christian

I have SIP over TLS and SRTP working with my VVX300 via chan_sip. Haven’t tried yet with chan_pjsip.

How did you get it to work? I tried with the Sangoma phones and I’m hitting a hurdle on incoming calls from a SIP trunk. Other than that it works fine. I also have not gotten Polycom phones to work with TCP or TLS; the phone just refuses to register.

My VVX 300 is on firmware 5.5.1.12442 but TLS and SRTP have worked correctly for many versions prior to that.

Follow this guide:

http://wiki.freepbx.org/plugins/servlet/mobile#content/view/64946938

And check out my attached screenshots.

@dmanolis79, that’s exactly the guide I followed.

I selected the commercial certificate I have installed on the system, and using the Polycom config files I installed the CA certificate for it. I also disabled Common Name Validation for SIP in the Polycom config since the certificate is issued for the host name of the PBX and it identifies as the IP address for TLS.

On the FreePBX side I did set verify client to “no” for testing. I’ve just got the factory installed certificates on the phones and I haven’t figured out how to add the Polycom CA certificate to FreePBX and I haven’t issued a self signed one to the phones yet.

I’ve only tested with PJSIP and it worked on the SoundPoint IP 550s I have, just not the VVX 201s or 400s. Haven’t tested with CHAN_SIP yet, but we use the multiple contact feature of PJSIP for a few users, so I’d like to stick with it.

Try getting a temporary certificate for your PBX from a popular trusted authority. Maybe there is a bug in the Polycom phones when adding your own CA and a self-signed certificate.

As far as pj_sip goes, I have minimal experience with it.

I’ll have to give that a try, the cert I’m using is signed by Comodo so there shouldn’t be an issue with the CA cert… but who knows. I’ll also need to try one as chan_sip just to rule things out.

Since the error it’s giving me cites a PJSIP syntax error and it works fine with the older phones, I’m guessing that the newer phones are sending something that PJSIP isn’t expecting when attempting to register over TLS… Not sure if that’s a Polycom issue or a PJSIP issue. They do state that PJSIP is experimental and issues will pop up, but so far this is the only thing I’ve run across that hasn’t worked as expected.
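
Added example (not from the thread, and not PJSIP code): the logged packet begins with eight CRLF pairs before REGISTER, and RFC 3261 section 7.5 tells receivers on stream transports such as TLS to ignore CRLF before the start-line, so this sketch contrasts a parse that expects the Request-Line at offset 0 with one that skips the CRLFs first. The sample bytes, host name, addresses and function names are constructed for illustration.

```python
import re

# Request-Line = Method SP Request-URI SP SIP-Version CRLF (RFC 3261 section 7.1)
REQUEST_LINE = re.compile(rb"([A-Z]+) (\S+) (SIP/2\.0)\r\n")

# Constructed sample shaped like the logged packet: eight CRLF pairs, then the
# REGISTER. Host name and addresses are placeholders, not values from the log.
SAMPLE = (b"\r\n" * 8 +
          b"REGISTER sip:pbx.example.invalid:5061;transport=tls SIP/2.0\r\n"
          b"Via: SIP/2.0/TLS 192.0.2.10:40147;branch=z9hG4bKconstructed\r\n"
          b"CSeq: 1 REGISTER\r\n"
          b"Content-Length: 0\r\n\r\n")


def parse_strict(buf: bytes):
    """Expect the Request-Line at offset 0 of the buffer."""
    m = REQUEST_LINE.match(buf)
    if m is None:
        raise ValueError("syntax error parsing Request-Line at line 1 col 1")
    return tuple(part.decode() for part in m.groups())


def skip_leading_crlf(buf: bytes):
    """Return (number of CRLF pairs skipped, remaining bytes)."""
    pos = 0
    while buf.startswith(b"\r\n", pos):
        pos += 2
    return pos // 2, buf[pos:]


def parse_stream(buf: bytes):
    """Stream-transport parse: drop CRLF before the start-line (RFC 3261 7.5)."""
    skipped, rest = skip_leading_crlf(buf)
    if not rest:
        return skipped, None  # only CRLFs arrived so far, no message to parse
    return skipped, parse_strict(rest)


if __name__ == "__main__":
    try:
        parse_strict(SAMPLE)
    except ValueError as exc:
        print("strict:", exc)
    print("stream:", parse_stream(SAMPLE))
```
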

Does the Let’s Encrypt certificate work with Polycoms?