Server certificate validation

Last Updated : Apr 17, 2026
When the client initiates a connection to the server, the server presents its server identity certificate to the client. The client validates the presented server identity certificate.
The phone performs the following validations of the server identity certificate:
  • The certificate chain up to the Trusted Server Certificate Authority. The presented server identity certificate must be signed by a Certificate Authority found in the phone's trust store.
  • Certificate name validation
    • If the phone uses an FQDN to connect to the server, the phone must match the FQDN to a server identity certificate Subject Alternative Name (SAN) entry of type DNS; otherwise, the phone must match the FQDN to the server identity certificate Common Name (CN) field.
    • If the phone uses an IP address to connect to the server, the phone must match the IP address to a server identity certificate Subject Alternative Name (SAN) entry of type IP Address; otherwise, the phone must match the IP address to the server identity certificate Common Name (CN) field.
  • For a SIP connection, the configured SIPDOMAIN must be found in the Subject Alternative Name (SAN) field as a SIP URI according to RFC 5922.
  • The Key Usage and Extended Key Usage extensions are validated only if present in the certificate.
    • To force validation, set the KEYUSAGE_REQUIRED parameter.
  • The validity period (not-before and not-after) must include the phone's current date. Additionally, at a defined interval the phone repeats this check on already established TLS connections.
  • Optionally, the phone checks revocation status through the Online Certificate Status Protocol (OCSP). The phone supports OCSP to periodically check for certificate revocation on established TLS connections.
If any of these validations fail, the phone rejects and closes the connection to the server.
Server certificate validation parameters
Each entry below gives the parameter name, its type, its default value, and a description.
TLSSRVRID
  Type: Numeric
  Default value: 1
  Description: Specifies whether, during certificate validation, the phone performs identity matching between the address used to connect to the server and the presented server identity certificate's Subject Alternative Name (SAN) or Common Name (CN) field, according to Section 3.1 of RFC 2818. Valid values:
    • 0: Identity matching is not performed
    • 1: Identity matching is performed (default)
BLOCK_CERTIFICATE_WILDCARDS
  Type: Numeric
  Default value: 0
  Description: Specifies whether the phone accepts server identity certificates with wildcards in the Subject Alternative Name entry of type DNS or in the Common Name (CN) field. Valid values:
    • 0: Accept wildcards in certificates (default)
    • 1: Do not accept wildcards in certificates
FQDN_IP_MAP
  Type: String
  Default value: Null
  Description: Specifies a comma-separated list of name/value pairs where the name is an FQDN and the value is an IP address. The IP address may be IPv4 or IPv6, but each value can contain only one IP address. Default is "". String length is up to 255 characters. No spaces are allowed inside the string.
  The purpose of this parameter is to support cases where the phone connects to the server using an IP address but the server identity certificate's Subject Alternative Name entry or Common Name (CN) entry is an FQDN. This parameter applies only to SIP and HTTPS connections.
  This parameter cannot be used as an alternative to a DNS lookup or reverse DNS lookup.
  The reverse case is not supported: if the phone accesses a server using an FQDN and the server's certificate contains only an IP address, this is treated as an identity verification failure and FQDN_IP_MAP is not used.
ENABLE_RFC5922
  Type: Numeric
  Default value: 1
  Description: Specifies whether the SIP domain is verified according to RFC 5922 as part of certificate hostname validation. ENABLE_RFC5922 applies to SIP server connections when the TLSSRVRID value is 1. Valid values:
    • 0: SIP domain verification according to RFC 5922 is disabled.
    • 1: SIP domain verification according to RFC 5922 is enabled (default). The configured SIP domain must be found in the Subject Alternative Name (SAN) field as a SIP URI according to RFC 5922. If there are no SAN entries of any kind, a match of the SIP domain in the CN is permitted.
KEYUSAGE_REQUIRED
  Type: Numeric
  Default value: 1
  Description: Specifies whether a presented server identity certificate must include the Key Usage or Extended Key Usage extension. Valid values:
    • 0: Not required, but must be valid if included (default)
    • 1: Must be included and be valid
SERVER_CERT_RECHECK_HOURS
  Type: Numeric
  Default value: 24
  Description: Specifies the interval, in hours, at which an established TLS connection's server identity certificate is rechecked. If the server certificate is found to be expired or revoked, the TLS connection is closed.
  Additionally, if OCSP is enabled, the phone rechecks the revocation status of the server identity certificate that was used to establish the TLS connection.
  Valid values are from 0 to 32767. Default value is 24. A value of 0 disables this check.
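As an added example (not the phone's own code), the following stdlib-only Python models the certificate name validation rules listed above together with the TLSSRVRID, BLOCK_CERTIFICATE_WILDCARDS, FQDN_IP_MAP and ENABLE_RFC5922 parameters, so the effect of each setting can be tried against constructed certificates. ServerCert is a constructed stand-in for the certificate fields the rules refer to; "otherwise the CN" is read, as in RFC 2818, as "when the certificate has no SAN entry of that type"; and "name=ip" is an assumed pair syntax for FQDN_IP_MAP, which this page does not specify.

```python
# Added example (not phone firmware): a stdlib-only model of the identity-matching rules above.
# ServerCert is a constructed stand-in for the certificate fields; "name=ip" is an assumed FQDN_IP_MAP syntax.
import ipaddress
from dataclasses import dataclass, field

@dataclass
class ServerCert:
    cn: str
    san_dns: list = field(default_factory=list)   # SAN entries of type DNS
    san_ip: list = field(default_factory=list)    # SAN entries of type IP Address
    san_uri: list = field(default_factory=list)   # SAN entries of type URI (e.g. sip:domain)

def name_matches(pattern, host, block_wildcards):
    # RFC 2818 style: "*." covers exactly one leftmost label, and nothing when wildcards are blocked
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        labels = host.split(".", 1)
        return bool(not block_wildcards and len(labels) == 2 and labels[0] and labels[1] == pattern[2:])
    return pattern == host

def fqdn_matches(cert, fqdn, block_wildcards):
    # SAN DNS entries are used when present; the CN is consulted only when there are none
    return any(name_matches(n, fqdn, block_wildcards) for n in cert.san_dns or [cert.cn])

def ip_matches(candidate, ip):
    try:                                        # an FQDN in the CN is not an IP literal
        return ipaddress.ip_address(candidate) == ip
    except ValueError:
        return False

def validate_identity(cert, address, sip_domain=None, tlssrvrid=1,
                      block_wildcards=0, fqdn_ip_map="", enable_rfc5922=1):
    if tlssrvrid == 0:
        return True                             # identity matching switched off
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        ip = None
    if ip is None:                              # dialled by FQDN (an IP-only certificate fails here)
        ok = fqdn_matches(cert, address, block_wildcards)
    else:                                       # dialled by IP: SAN IP entries, else the CN
        ok = any(ip_matches(c, ip) for c in cert.san_ip or [cert.cn])
        for pair in (fqdn_ip_map.split(",") if not ok and fqdn_ip_map else []):
            name, _, mapped = pair.partition("=")
            if ip_matches(mapped, ip):          # the certificate names an FQDN mapped to this IP
                ok = ok or fqdn_matches(cert, name, block_wildcards)
    if ok and sip_domain and enable_rfc5922:    # SIP: domain must be a sip: URI in the SAN;
        if cert.san_dns or cert.san_ip or cert.san_uri:   # the CN counts only with no SAN at all
            ok = f"sip:{sip_domain}".lower() in [u.lower() for u in cert.san_uri]
        else:
            ok = cert.cn.lower() == sip_domain.lower()
    return ok
```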