[asterisk-users] CA Issued Certificates / TLS + SRTP
Daniel Pocock
daniel at readytechnology.co.uk
Wed Feb 1 06:06:08 CST 2012
On 01/02/12 10:58, Stuart Elvish wrote:
> Thanks for the clarification. I have looked at Polycom's website and
> saw which phones have the latest firmware (or at least a firmware that
> supports TLS) available.
>
> Didn't get around to the testing with the chained certificate but will
> try again this evening.
>
>

One thing that frustrates people about Polycom is the very limited list
of root CAs they support - it was probably OK when they first started
doing SSL, but things have changed a lot now.

The latest phones (e.g. IP321) have more memory than those they replace
(e.g. IP320) and so they should be able to handle a larger list of
built-in root CAs (which Polycom can distribute through the firmware update).

The obvious ones that are missing are the budget CAs:

- CaCert.org (all certs are free)
- startssl.com (which has some free certs)
- GoDaddy

These budget CAs are now supported by the various Linux distributions
and Android phones, so they are clearly above a certain threshold of
stability.

Polycom phones should also be able to handle 4096-bit certs with the
extra memory, but that appears to need remediation in the firmware (I
tried installing a custom 4096-bit cert and it didn't accept it).

If anyone is registered with Polycom as a reseller, they can quote these
issue numbers:

EXT-3192 GoDaddy root CA cert
https://jira.polycom.com:8443/browse/EXT-3192

EXT-3193 CACert root CA cert
https://jira.polycom.com:8443/browse/EXT-3193

EXT-3238 Support for 4096 bit keys
https://jira.polycom.com:8443/browse/EXT-3238

As in most commercial enterprises, the more customers who request fixes
on these issues, the higher it will go on their priority list.