[asterisk-users] CA Issued Certificates / TLS + SRTP

Daniel Pocock daniel at readytechnology.co.uk
Wed Feb 1 06:06:08 CST 2012



On 01/02/12 10:58, Stuart Elvish wrote:
> Thanks for the clarification. I have looked at Polycom's website and
> saw which phones have the latest firmware (or at least a firmware that
> supports TLS) available.
> 
> Didn't get around to the testing with the chained certificate but will
> try again this evening.
> 
> 

One thing that frustrates people about Polycom is the very limited list
of root CAs they support - it was probably OK when they first started
doing SSL, but things have changed a lot now.

The latest phones (e.g. IP321) have more memory than those they replace
(e.g. IP320) and so they should be able to handle a larger list of built
in root CAs (which Polycom can distribute through the firmware update).
The obvious ones that are missing are the budget CAs:

- CaCert.org (all certs are free)
- startssl.com (which has some free certs)
- GoDaddy

These budget CAs are now supported by the various Linux distributions
and Android phones, so they are clearly above a certain threshold of
stability.

Polycom phones should also be able to handle 4096 bit certs with the
extra memory, but that appears to need remediation in the firmware (I
tried installing a custom 4096 bit cert and it didn't accept it).

If anyone is registered with Polycom as a reseller, they can quote these
issue numbers:

EXT-3192 GoDaddy root CA cert
https://jira.polycom.com:8443/browse/EXT-3192

EXT-3193 CACert root CA cert
https://jira.polycom.com:8443/browse/EXT-3193

EXT-3238 Support for 4096 bit keys
https://jira.polycom.com:8443/browse/EXT-3238

As in most commercial enterprises, the more customers who request fixes
on these issues, the higher it will go on their priority list.


