Table of Contents
Advertisement
The following figure illustrates the TLS messages exchanged between the IP phone and TLS server to establish an
encrypted communication channel:
Step1: IP phone sends "Client Hello" message proposing SSL options.
Step2: Server responds with "Server Hello" message selecting the SSL options, sends its public key information in
"Server Key Exchange" message and concludes its part of the negotiation with "Server Hello Done" message.
Step3: IP phone sends session key information (encrypted by server's public key) in the "Client Key Exchange"
message.
Step4: Server sends "Change Cipher Spec" message to activate the negotiated options for all future messages it
will send.
IP phone can encrypt SIP with TLS, which is called SIPS. When TLS is enabled for an account, the SIP message of
this account will be encrypted, and a lock icon appears on the touch screen after the successful TLS negotiation.
Certificates
The IP phone can serve as a TLS client or a TLS server. The TLS requires the following security certificates to
perform the TLS handshake:
•
Trusted Certificate: When the IP phone requests a TLS connection with a server, the IP phone should
verify the certificate sent by the server to decide whether it is trusted based on the trusted certificates list.
The IP phone has 30 built-in trusted certificates. You can upload 10 custom certificates at most. The
format of the trusted certificate files must be "*.pem", "*.cer", "*.crt" and "*.der" and the maximum file size is
5MB. For more information on 30 trusted certificates, refer
•
Server Certificate: When clients request a TLS connection with the IP phone, the IP phone sends the
server certificate to the clients for authentication. The IP phone has two types of built-in server certificates:
a unique server certificate and a generic server certificate. You can only upload one server certificate to
the IP phone. The old server certificate will be overridden by the new one. The format of the server
certificate files must be "*.pem" and "*.cer" and the maximum file size is 5MB.
The IP phone can authenticate the server certificate based on the trusted certificates list. The trusted certificates list
and the server certificates list contain the default and custom certificates. You can specify the type of certificates
the IP phone accepts: default certificates, custom certificates or all certificates.
Common Name Validation feature enables the IP phone to mandatorily validate the common name of the certificate
sent by the connecting server.
Matrix SPARSH VP710 User Guide
"Appendix C - Trusted
Certificates".
703
Advertisement
Table of Contents
