Setting up TLS on Aastra/Mitel phones

adolfoc · December 22, 2016, 10:24pm

This is my first attempt at doing this, so excuse my ignorance.
I’ve followed the setup on my FreePBX instance and extensions like it would be setup for a Sangoma phone as referenced here: http://wiki.freepbx.org/display/PHON/TLS+and+SRTP

But now I’m a little lost. I noticed EPM didn’t make any changes to the .cfg files for the phones.
So I’ve manually edited the provisioning config to include the following changes:
sip srtp mode: 2
sips trusted certificates: cert.pem
sip transport protocol: 4
sips persistent tls: 1

I also changed my proxy and register ports to 5061
and I copied cert.pem from /etc/asterisk/keys/ to /tftpboot/
But the phone does not register.

Do I need to explicitly set a path for the trusted certificate like tftp://mypbx.com/cert.pem ?
Or am I choosing the wrong certificate as the trusted certificate?
Anything else I could be missing?

I’m running FreePBX 13.0.190.9, using Chan SIP, and I’m testing with a few Aastra 6755i and 6867i phones.
The default certificate is from Let’s Encrypt.

tonyclewis · December 23, 2016, 12:24am

Correct we only setup the phone if Sangoma Phone. That wiki is part of the Sangoma Phone wiki and only is used for sangoma phones.

adolfoc · December 23, 2016, 6:04pm

I think I’m getting closer.
I was looking at how this is done on a Polycom VVX (http://community.polycom.com/t5/VoIP/FAQ-How-can-I-setup-a-TLS-connection-for-SIP-signaling-and-or/td-p/33018)
and discovered my trusted certificate does need to be loaded to the phone using a full path and it has to be either HTTP or FTP, not TFTP.
So I copied my cert.pem from /etc/asterisk/keys/ to /var/www/html/cert/
then edited the Aastra config to show a full path like:
sips trusted certificates: http://mypbx.com/cert/cert.pem

I’m also trying to test with a Polycom VVX 500 I have laying around.

Any chance in Sangoma developers adding TLS support to EPM for other phones?

tonyclewis · December 23, 2016, 7:53pm

No not at this time and if we donl it will be for certified partners only which neither Astra not Polycom are.

mitterhuemer · March 14, 2017, 11:31pm

I have the same competition now.
Maybe you can try to edit the basefile manually to get it working?

mitterhuemer · March 15, 2017, 1:20am

OMG No

I dont get it working on our Aastra Phones.

Tried all combinations of TLS, SSL Certs… no chance.

I followed the Wiki and created the Let’s Encrypt Cert
What files of the Let’s encrypt do i have to enter in my Aastra Phone?
Im giving this up. I try and try for hours and nothing works

Sometimes Asterisk Log Shows:
SSL3_READ_BYTES:tlsv1 alert unknown ca

mitterhuemer · March 15, 2017, 1:38am

[2017-03-15 02:38:12] ERROR[25164] tcptls.c: Problem setting up ssl connection: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
[2017-03-15 02:38:12] WARNING[25164] tcptls.c: FILE * open failed!