Sangoma Phones Root CA

Do Sangoma phones have a client cert from Sangoma, for more secure Zero Touch Provisioning?

Yealink and Snom have this. I don't need to set up the full remote provisioning URL with user and password in the RPS server of the manufacturer.

I can provision phones from outside without securing the URL with a user and password:

SSLCACertificateFile /etc/httpd/pki/snom/certs.crt
SSLVerifyClient require
SSLVerifyDepth 2

Only the manufacturer has the private key, and every phone has its own client certificate.

Does Sangoma also have this feature for their phones?

http://wiki.freepbx.org/display/PHON/Redirect+Service

Thank you.
Can I have the Sangoma root CA for download, so I can also secure my web server with this cert?

Sorry, that certificate is only available to sign our phones. It would be a bit silly if we started trying to replace Let's Encrypt!

That is really scary. That means I can point any Snom phone to your PBX HTTP port without a username and password and it will let me connect. Unless I am missing something here, that defeats the purpose of security.

You can’t secure your web server with the certificate you are requesting.

Certificates work in combination with a private key. The root CAs are available for download from all providers so that your devices can recognize the authenticity of a fully qualified domain name assigned to a specific server.

You will never have access to the private key of a certificate authority.

Yes, you are right. That's the way Snom told me to secure the web server for their redirection server; otherwise anyone can see the credentials to our provisioning server. Also, the Snom M700 doesn't support provisioning with username:password@url.

http://wiki.snom.com/Category:HowTo:Secure_Web_Client

Do you understand how web of trust with certs works? If not, I suggest you investigate. What you proposed here is 100% not secure.

With this setting, any Snom or Yealink phone can hit your server, pass your security measure and access any file on the provisioning server. It would take the average person all of 5 minutes to get a valid cert from a legit Snom or Yealink phone and use it with a 20-line bash script, and I have full access to your system.

Sounds like their redirect server is not very secure if anyone can see your username and password. Suggest you not use that redirect server.


But being able to use the phone anywhere without provisioning any settings is a nice feature. Many providers use Snom's and Yealink's redirect servers. In your opinion, does that mean every provider who is using Snom's redirect server risks getting hacked because it is not secure?

Might it also be possible to grab a client cert from a Sangoma phone? This would also give me access to Sangoma's RPS server, where the URL to our PBX with credentials is stored?

Of course someone could hack a cert off the Sangoma phone and hit our RS server with the cert, but we would only give you the URL for that one specific phone, so it would be useless, since you would physically have to have access to the phone to hack the cert off, which means you could just log into the phone and see the URL directly.

The difference here is you are relying on the CA root from the manufacturer to pretend to secure your provisioning server, and all that does is verify it's a legit cert from the manufacturer. So once I pass that, I can ask for the whole range of MACs from your server and have it give me back your configs, instead of protecting your provisioning server with a proper username and password.

Do you have any suggestions to make autoprovisioning secure and possible?

My suggestion is adding the phone to the provisioning server only for a short time, then deregistering the phone one week after we delivered the phone to the customer.

I am talking here about a general way for all manufacturers and not only for Sangoma phones :)

Hi again,
I tried a secure config with NGINX as a proxy server with SSL.

NGINX looks up the common name of the phone and checks it against the URL.

This is the official way from Snom when customers want to use “cloud provisioning”.

This NGINX config is tested with a Snom 720 and an M700.
It checks the common name of the client cert.
The phone can only get its own config; anything else returns 401.

server {
    listen 1445 ssl;
    server_name SERVER_NAME;

    ssl_certificate /etc/httpd/pki/webserver.pem;
    ssl_certificate_key /etc/httpd/pki/webserver.key;
    # Snom manufacturer CA: only phones holding a cert issued by it pass the TLS handshake
    ssl_client_certificate /etc/httpd/pki/snom/certs.crt;
    ssl_ciphers ALL:-RC4+SSLv2;
    ssl_verify_client on;
    ssl_verify_depth 2;
    # Defaults, so the comparison below never reads an uninitialized variable
    set $ssl_client_s_dn_cn "000";
    set $req_mac "";

    location ~ .* {
        # MAC address from the CN of the client certificate (Snom uses uppercase hex)
        if ($ssl_client_s_dn ~ "CN=([0-9A-Z]{12})") {
            set $ssl_client_s_dn_cn $1;
        }

        # MAC address named in the requested file, e.g. /snom720-<MAC>.htm
        if ($request_uri ~ "^/snom(.{2,4})-(.{12})\.htm$") {
            set $req_mac $2;
        }

        # A phone may only fetch the config file that carries its own MAC
        if ($ssl_client_s_dn_cn != $req_mac) {
            return 401;
        }

        proxy_pass http://127.0.0.1:84;
        proxy_set_header X-Ssl-Client-Auth $ssl_client_verify;
        proxy_set_header X-Ssl-Client-Dn $ssl_client_s_dn;
        proxy_set_header X-Ssl-Client-Dn-Cn $ssl_client_s_dn_cn;
        proxy_set_header X-Ssl-Client-Issuer $ssl_client_i_dn;
    }
}

This config should work with Yealink;
I only had a T48G for testing here.

server {
    listen 1446 ssl;
    server_name SERVER_NAME;

    ssl_certificate /etc/httpd/pki/webserver.pem;
    ssl_certificate_key /etc/httpd/pki/webserver.key;
    # Yealink manufacturer CA: only phones holding a cert issued by it pass the TLS handshake
    ssl_client_certificate /etc/httpd/pki/yealink/ca.crt;
    ssl_ciphers ALL:-RC4+SSLv2;
    ssl_verify_client on;
    ssl_verify_depth 2;
    # Defaults, so the comparison below never reads an uninitialized variable
    set $ssl_client_s_dn_cn "000";
    set $req_mac "";

    location ~ .* {
        # MAC address from the CN of the client certificate (Yealink uses lowercase hex)
        if ($ssl_client_s_dn ~ "CN=([0-9a-z]{12})") {
            set $ssl_client_s_dn_cn $1;
        }

        # First 12 alphanumeric characters of the request, i.e. the MAC in <MAC>.cfg
        if ($request_uri ~ "([0-9a-z]{12})") {
            set $req_mac $1;
        }

        # The vendor-wide and model-wide Yealink files (y0000000000xx.cfg) are not
        # served from this endpoint; the regex above captures their first 12 characters
        if ($req_mac = "y00000000000") {
            return 404;
        }
        if ($req_mac = "y00000000003") {
            return 404;
        }

        # A phone may only fetch the config file that carries its own MAC
        if ($ssl_client_s_dn_cn != $req_mac) {
            return 401;
        }

        proxy_pass http://127.0.0.1:84;
        proxy_set_header X-Ssl-Client-Auth $ssl_client_verify;
        proxy_set_header X-Ssl-Client-Dn $ssl_client_s_dn;
        proxy_set_header X-Ssl-Client-Dn-Cn $ssl_client_s_dn_cn;
        proxy_set_header X-Ssl-Client-Issuer $ssl_client_i_dn;
    }
}
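The check that the Apache directives and both nginx configs in this thread perform, written out as a standalone Python decision function (added example, not code from the thread). The vendor file-name patterns, the common-file name and the optional list of enrolled MACs are assumptions; the posted configs have no such list and serve any phone of the vendor that asks for its own file.

```python
import re

# Added example (not code from this thread): the CN-to-MAC binding that the
# Apache and nginx snippets in this thread rely on, as one decision function.
# The TLS handshake only proves the client cert chains to the vendor CA, i.e.
# "this is some phone of that vendor"; comparing the CN (the phone's MAC) with
# the MAC in the requested file name is what stops one phone fetching another's config.

# File-name patterns are assumptions modelled on the posted regexes, not vendor docs.
VENDOR_RULES = {
    "snom": {
        "cn": re.compile(r"CN=([0-9A-Fa-f]{12})"),
        "uri": re.compile(r"^/snom\d{2,4}-([0-9A-Fa-f]{12})\.htm$"),
    },
    "yealink": {
        "cn": re.compile(r"CN=([0-9A-Fa-f]{12})"),
        "uri": re.compile(r"^/([0-9A-Fa-f]{12})\.cfg$"),
    },
}
# Vendor-wide files must never be exposed on the per-phone endpoint.
COMMON_FILES = {"y000000000000.cfg"}  # constructed: Yealink common config name


def authorize(vendor, client_verify, client_dn, request_uri, enrolled=None):
    """Return the HTTP status the proxy should answer for one request.

    client_verify is nginx's $ssl_client_verify ("SUCCESS", "NONE" or
    "FAILED:..."), client_dn its $ssl_client_s_dn (either DN notation works,
    the CN is searched for). `enrolled` optionally limits service to MACs this
    server actually deployed (assumed extension, see lead-in).
    """
    if client_verify != "SUCCESS":
        return 403  # no cert, or not issued by the vendor CA
    rules = VENDOR_RULES[vendor]
    path = request_uri.split("?", 1)[0]
    if path.rsplit("/", 1)[-1] in COMMON_FILES:
        return 404
    cn = rules["cn"].search(client_dn)
    uri = rules["uri"].match(path)
    if not cn or not uri:
        return 401  # unparsable CN, or a file outside the per-phone naming scheme
    phone_mac, wanted_mac = cn.group(1).lower(), uri.group(1).lower()
    if phone_mac != wanted_mac:
        return 401  # a genuine phone asking for someone else's config
    if enrolled is not None and phone_mac not in {m.lower() for m in enrolled}:
        return 404  # genuine phone, own file name, but not one we deployed
    return 200
```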

As stated already this is not solving anything. Not sure why you want to keep posting things that are not solving the problem. Without proper username and password with provisioning you are wide open.

This is for cloud provisioning ZTP.

  1. Every phone also has its own client cert with its own common name.
  2. With this config it shouldn't be possible to access the web server with any other phone than the ones we use.
  3. Every phone can only get its own config; any other try returns 401.

This is already very secure for Zero Touch Provisioning.
Where is the problem? I don't know how to secure it more than it is now. Many big companies sell cloud PBX systems and offer Snom or Yealink phones, and all have enabled ZTP.