Strings
AESGCM
DHE, EDH
kRSA, RSA
SUITEB128, SUITEB128ONLY, SUITEB192
SHA1, SHA
3DES
SHA256, SHA384
MD5
Enable Hostname Verification for SIP over TLS
You can enable increased phone security on a phone line if you use TLS. The phone line can verify the
hostname to determine if the connection is secure.
Over a TLS connection, the phone can verify the hostname to check the server identity. The phone can check
both the Subject Alternative Name (SAN) and the Subject Common Name (CN). If the hostname on the valid
certificate matches the hostname that is used to communicate with the server, the TLS connection is established.
Otherwise, the TLS connection fails.
The phone always verifies the hostname for the following applications:
• LDAPS
• XMPP
• Image upgrade over HTTPS
• XSI over HTTPS
• File download over HTTPS
• TR-069
When a phone line transports SIP messages over TLS, you can configure the line to enable or bypass the
hostname verification with the TLS Name Validate field on the Ext(n) tab.
Before you begin
• Access the phone administration web page. See Access the Phone Web Interface, on page 104.
• On the Ext(n) tab, set SIP Transport to TLS.
Procedure
Step 1 Go to Voice > Ext(n).
Step 2 In the Proxy and Registration section, set the TLS Name Validate field to Yes to enable the hostname
verification, or No to bypass the hostname verification.
You can also configure this parameter in the configuration file (cfg.xml) by entering a string in this format:
<TLS_Name_Validate_1_ ua="na">Yes</TLS_Name_Validate_1_>
The allowed values are Yes|No. The default setting is Yes.
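An added example (not from Cisco's guide): a Python audit of a cfg.xml profile that reports, for each Ext(n) line, whether hostname verification is bypassed while SIP runs over TLS. The <device><flat-profile> wrapper, the SIP_Transport_<n>_ tag name, and the _<n>_ suffix tracking the Ext(n) index are assumptions; the sample profile is constructed.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample profile (not from the guide). The <device><flat-profile>
# wrapper and the SIP_Transport_<n>_ tag name are assumptions; only
# TLS_Name_Validate_1_ and its Yes|No values appear in the guide.
SAMPLE_CFG = """<device><flat-profile>
  <SIP_Transport_1_ ua="na">TLS</SIP_Transport_1_>
  <TLS_Name_Validate_1_ ua="na">No</TLS_Name_Validate_1_>
  <SIP_Transport_2_ ua="na">TLS</SIP_Transport_2_>
  <SIP_Transport_3_ ua="na">UDP</SIP_Transport_3_>
  <TLS_Name_Validate_3_ ua="na">No</TLS_Name_Validate_3_>
  <SIP_Transport_4_ ua="na">TLS</SIP_Transport_4_>
  <TLS_Name_Validate_4_ ua="na">maybe</TLS_Name_Validate_4_>
</flat-profile></device>"""

PARAM = re.compile(r"^(SIP_Transport|TLS_Name_Validate)_(\d+)_$")

def audit_tls_name_validate(cfg_xml):
    """Return {n: status} for every Ext(n) line found in cfg_xml."""
    lines = {}
    for elem in ET.fromstring(cfg_xml).iter():
        m = PARAM.match(elem.tag)
        if m:
            value = (elem.text or "").strip()
            lines.setdefault(int(m.group(2)), {})[m.group(1)] = value
    report = {}
    for n, params in sorted(lines.items()):
        transport = params.get("SIP_Transport", "")
        # The guide gives Yes as the default, so a missing field counts as Yes.
        validate = params.get("TLS_Name_Validate", "Yes")
        if validate not in ("Yes", "No"):
            report[n] = "invalid-value"   # outside the allowed Yes|No
        elif transport.upper() != "TLS":
            report[n] = "not-tls"         # the field applies to SIP over TLS only
        elif validate == "No":
            report[n] = "bypassed"        # server hostname is not checked
        else:
            report[n] = "verified"
    return report

if __name__ == "__main__":
    for n, status in audit_tls_name_validate(SAMPLE_CFG).items():
        print(f"Ext({n}): {status}")
```

Lines reported as bypassed are the ones where a server presenting any valid certificate, regardless of hostname, would be accepted for SIP signaling.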
Cisco IP Phone 8800 Series Multiplatform Phone Administration Guide for Release 11.3(1) and Later
Cisco IP Phone Configuration