Yealink SIP-T2 SERIES Administrator's Manual page 874

Administrator's Guide for SIP-T2 Series/T19(P) E2/T4 Series/CP860 IP Phones
Step4: Server sends ―Change Cipher Spec‖ message to activate the negotiated options
for all future messages it will send.
IP phones can encrypt SIP with TLS, which is called SIPS. When TLS is enabled for an
account, the SIP message of this account will be encrypted, and a lock icon appears on
the LCD screen after the successful TLS negotiation.
Certificates
The IP phone can serve as a TLS client or a TLS server. The TLS requires the following
security certificates to perform the TLS handshake:
Trusted Certificate: When the IP phone requests a TLS connection with a server, the

IP phone should verify the certificate sent by the server to decide whether it is
trusted based on the trusted certificates list. The
SIP-T48G/T46G/T42G/T41P/T40P/T29G/T27P/T23P/T23G/T21(P) E2/T19(P) E2 IP phone
has 31 built-in trusted certificates, and SIP VP-T49G/CP860 IP phone has 30 built-in
trusted certificates. You can upload 10 custom certificates at most. The format of the
trusted certificate files must be *.pem,*.cer,*.crt and *.der and the maximum file
size is 5MB. For more information on 31 trusted certificates, refer to
Trusted Certificates
Server Certificate: When clients request a TLS connection with the IP phone, the IP

phone sends the server certificate to the clients for authentication. The IP phone
has two types of built-in server certificates: a unique server certificate and a
generic server certificate. You can only upload one server certificate to the IP
phone. The old server certificate will be overridden by the new one. The format of
the server certificate files must be *.pem and *.cer and the maximum file size is
5MB.
A unique server certificate: It is unique to an IP phone (based on the MAC
-
address) and issued by the Yealink Certificate Authority (CA).
- A generic server certificate: It issued by the Yealink Certificate Authority (CA).
Only if no unique certificate exists, the IP phone may send a generic certificate
for authentication.
The IP phone can authenticate the server certificate based on the trusted certificates list.
The trusted certificates list and the server certificates list contain the default and custom
certificates. You can specify the type of certificates the IP phone accepts: default
certificates, custom certificates or all certificates.
Common Name Validation feature enables the IP phone to mandatorily validate the
common name of the certificate sent by the connecting server. And Security verification
rules are compliant with RFC 2818.
Note In TLS feature, we use the terms trusted and server certificate. These are also known as
CA and device certificates.
Resetting the IP phone to factory defaults will delete custom certificates by default. But
this feature is configurable by the parameter ―phone_setting.reserve_certs_enable‖
using the configuration files.
852
on page 938.
Appendix C: