
Cisco 6800 Series Provisioning Guide

Step 9: Click Submit All Changes.

Step 10: Observe the syslog trace that the phone sends.
The syslog message should indicate that the resync obtained the profile from the HTTPS server.

Step 11: (Optional) Use an Ethernet protocol analyzer on the phone subnet to verify that the packets are encrypted.

In this exercise, client certificate verification was not enabled. The connection between the phone and server
is encrypted. However, the transfer is not secure because any client can connect to the server and request the
file, given knowledge of the file name and directory location. For secure resync, the server must also authenticate
the client, as demonstrated in the exercise described in HTTPS with Client Certificate Authentication, on
page 53.

HTTPS with Client Certificate Authentication
In the factory default configuration, the server does not request an SSL client certificate from a client. Transfer
of the profile is not secure because any client can connect to the server and request the profile. You can edit
the configuration to enable client authentication; the server requires a client certificate to authenticate the
phone before it accepts a connection request.
Because of this requirement, the resync operation cannot be independently tested by using a browser that
lacks the proper credentials. The SSL key exchange within the HTTPS connection between the test phone
and the server can be observed with the ssldump utility. The utility trace shows the interaction between client
and server.
Related Topics
Secure HTTPS Resync, on page 51
Exercise: HTTPS with Client Certificate Authentication
Procedure
Step 1: Enable client certificate authentication on the HTTPS server.

Step 2: In Apache (v.2), set the following in the server configuration file:

    SSLVerifyClient require

Also, ensure that the spacroot.cert has been stored as shown in the Basic HTTPS Resync exercise, on page 51.

Step 3: Restart the HTTPS server and observe the syslog trace from the phone.
Each resync to the server now performs symmetric authentication, so that both the server certificate and the
client certificate are verified before the profile is transferred.

Step 4: Use ssldump to capture a resync connection between the phone and the HTTPS server.
If client certificate verification is properly enabled on the server, the ssldump trace shows the symmetric
exchange of certificates (first server-to-client, then client-to-server) before the encrypted packets that contain
the profile.
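
One way to check a Step 4 trace automatically, as an added example that is not part of the Cisco guide: the Python below reads ssldump text output and reports, per connection, whether the server-then-client certificate exchange completed before any application data. The sample trace is constructed, the record layout is assumed to match ssldump's default text output, and a TLS 1.2 or earlier handshake is assumed, where certificate messages are visible unencrypted.

```python
import re
from itertools import takewhile

# Assumed record header layout: "<conn> <rec> <time> (<delta>)  C>S  <type>"
RECORD = re.compile(r"^(\d+)\s+\d+\s+[\d.]+\s+\([\d.]+\)\s+([CS])>[CS]\s+(\S+)")
# Handshake messages that request, carry or prove a certificate
WANTED = {"Certificate", "CertificateRequest", "CertificateVerify"}
# Order the guide describes: server-to-client first, then client-to-server
REQUIRED = [("S", "Certificate"), ("S", "CertificateRequest"),
            ("C", "Certificate"), ("C", "CertificateVerify")]

def parse(trace):
    """Return {connection id: [(sender, message), ...]} in capture order."""
    conns, current = {}, None
    for line in trace.splitlines():
        m = RECORD.match(line)
        if m:
            conn, sender, rtype = m.groups()
            current = (conn, sender) if rtype == "Handshake" else None
            if rtype == "application_data":
                conns.setdefault(conn, []).append((sender, rtype))
        elif current and line.strip() in WANTED:
            conns.setdefault(current[0], []).append((current[1], line.strip()))
    return conns

def mutual_auth(events):
    """True if all REQUIRED messages appear, in order, before application data."""
    handshake = takewhile(lambda e: e[1] != "application_data", events)
    return all(step in handshake for step in REQUIRED)

# Constructed, abridged sample (not captured from a real phone): connection 1
# has client verification enabled, connection 2 is server-only HTTPS.
SAMPLE = """\
1 1  0.0048 (0.0048)  S>C  Handshake
      ServerHello
      Certificate
      CertificateRequest
      ServerHelloDone
1 2  0.0091 (0.0043)  C>S  Handshake
      Certificate
      ClientKeyExchange
      CertificateVerify
1 3  0.0131 (0.0040)  C>S  application_data
2 1  0.0051 (0.0051)  S>C  Handshake
      ServerHello
      Certificate
      ServerHelloDone
2 2  0.0120 (0.0069)  C>S  application_data
"""
if __name__ == "__main__":
    print({c: mutual_auth(e) for c, e in parse(SAMPLE).items()})
```

Requiring CertificateVerify as well as the client Certificate message matters: a client with no certificate can still send an empty Certificate message, but only a client holding the private key sends CertificateVerify.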
Cisco IP Phone 6800 Series Multiplatform Phones Provisioning Guide
53
Provisioning Examples
HTTPS with Client Certificate Authentication
