Server certificate validation
When the client initiates a connection to the server, the server presents its server identity certificate to the client. The client validates the presented server identity certificate.
The phone performs the following validations of the server identity certificate:
-
The certificate chain up to the Trusted Server Certificate Authority. The presented server identity certificate must be signed by a Certificate Authority which is found in the phones trust store.
-
Certificate name validation
-
If the phone uses an FQDN address to connect to the server, the phone must match the FQDN to the server identity certificate Subject Alternate Name (SAN) entry of the type DNS entry, else the phone must match the FQDN to the server identity certificate Common Name (CN) field.
-
If the phone uses an IP address to connect to the server, the phone must match the IP address to the server identity certificate Subject Alternate Name (SAN) field of type IP Address, else the phone must match the IP address to the server identity certificate Common Name (CN) field.
-
-
If a SIP connection, the configured SIPDOMAIN must be found in the Subject Alternative Name (SAN) field as a SIP URI according to RFC 5922.
-
Key Usage or Extended Key Usage extensions is validated only if present in the certificate.
-
To optionally force validation, set the KEYUSAGE_REQUIRED parameter.
-
-
Validity date not-before and not-after must be within the phones current date. Additionally at a defined interval the phone will also perform this validation of already established TLS connections.
-
Optionally, the phone checks the revocation status through Online Certificate Status Protocol (OCSP). The phone supports OCSP to periodically check for certificate revocation for established TLS connections.
If any of these validations fail, the phone rejects and closes the connection to the server.
|
Parameter name
|
Type
|
Default value
|
Description
|
|---|---|---|---|
|
TLSSRVRID
|
Numeric
|
1
|
Specifies during certificate validation whether to perform identity matching of the address used to connect to the server and the presented server identity certificate Subject Alternate Name (SAN) or server identity certificate Common Name (CN) field, according to Section 3.1 of RFC 2818. Valid values:
|
|
BLOCK_CERTIFICATE_WILDCARDS
|
Numeric
|
0
|
Specifies whether the phone will accept server identity certificates with wildcards presented in the Subject Alternate Name entry of type DNS or Common Name (CN) field.
|
|
FQDN_IP_MAP
|
String
|
Null
|
Specifies a comma separated list of name/value pairs where the name is an FQDN and the value is an IP address. The IP address may be IPv6 or IPv4 but the value can only contain one IP address. Default is "". String length is up to 255 characters. No spaces are allowed inside the string.
The purpose of this parameter is to support cases where the phone connected to the server using an IP address however the server identity certificate Subject Alternate Name entry or Common Name (CN) entry is an FQDN. This parameter only applies to SIP and HTTPS connections.
This parameter cannot be used as an alternative to a DNS lookup or reverse DNS lookup.
The reverse case will not be supported. If the phone is accessing a server using an FQDN and the server's certificate only contains an IP address, this will be considered an identity verification failure and the FQDN_IP_MAP will not be used.
|
|
ENABLE_RFC5922
|
Numeric
|
1
|
Specifies whether SIP domain is verified according to RFC 5922 as a part of certificate hostname validation. ENABLE_RFC5922 applies for SIP server connections when the TLSSRVRID value is 1. Valid values:
|
|
KEYUSAGE_REQUIRED
|
Numeric
|
1
|
Specifies whether a presented server identity certificate must include Key Usage or Extended Key Usage extensions. Valid values:
|
|
SERVER_CERT_RECHECK_HOURS
|
Numeric
|
24
|
Specifies the interval in hours at which an established TLS connection’s server identity certificate is checked. If the server certificate is found to be expired or revoked the TLS connection will be closed.
Additionally, if OCSP is enabled the phone will recheck the revocation status of the server identity certificate that was used to establish the TLS connection.
Valid values are from 0 to 32767.
Default value 24.
A value of 0 disables this check.
|