Cisco SPA100 Series Provisioning Guide

Cisco SPA100 Series
213 pages
Provisioning Examples
Secure HTTPS Resync
Provisioning Guide for Cisco SPA100 and SPA200 Series Analog Telephone Adapters 56
4
HTTPS With Client Certificate Authentication
In the factory default configuration, the server does not request an SSL client
certificate from a client. Transfer of the profile is not secure because any client can
connect to the server and request the profile. You can edit the configuration to
enable client authentication; the server then requires a client certificate to authenticate
the ATA before accepting a connection request.
Because of this, the resync operation cannot be independently tested by using a
browser lacking the proper credentials. The SSL key exchange within the HTTPS
connection between the test ATA and the server can be observed using the
ssldump utility. The utility trace shows the interaction between client and server.
NOTE Both basic and digest authentication are supported on SPA500 Series phones
running firmware version 7.4.9c and higher.
Exercise
STEP 1 Enable client certificate authentication on the HTTPS server.
STEP 2 In Apache (v.2), set the following in the server configuration file:
SSLVerifyClient require
Also ensure that the spacroot.cert has been stored as shown in the Basic HTTPS
Resync exercise.
STEP 3 Restart the HTTPS server and observe the syslog trace from the ATA.
Each resync to the server now performs symmetric authentication, so that both the
server certificate and the client certificate are verified before the profile is
transferred.
STEP 4 Use ssldump to capture a resync connection between the ATA and the HTTPS
server.
If client certificate verification is properly enabled on the server, the ssldump trace
shows the symmetric exchange of certificates (first server-to-client, then
client-to-server) before the encrypted packets containing the profile.
With client authentication enabled, only an ATA with a MAC address matching a
valid client certificate can request the profile from the provisioning server. A
request from an ordinary browser or other unauthorized device is rejected by the
server.
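
A check for the STEP 4 trace, as an added example that is not part of the Cisco guide: it parses ssldump text output and reports which mutual-authentication handshake messages are missing before the first application data. The record layout follows ssldump's default text output as an assumption, both sample traces are constructed, and the handshake is assumed to be readable in cleartext (TLS 1.2 or earlier).

```python
import re

# ssldump record header: "<conn> <rec> <time> (<delta>)  <direction>  <record type>"
RECORD = re.compile(r"^\d+\s+\d+\s+[\d.]+\s+\([\d.]+\)\s+(C>S|S>C)\s+(\S+)")
# Handshake messages that together show both sides presenting a certificate.
REQUIRED = [("S>C", "Certificate"), ("S>C", "CertificateRequest"),
            ("C>S", "Certificate"), ("C>S", "CertificateVerify")]

def events(trace):
    """Return the (direction, message) pairs of interest, in trace order."""
    out, direction, rtype = [], None, None
    for line in trace.splitlines():
        m = RECORD.match(line)
        if m:
            direction, rtype = m.groups()
            if rtype == "application_data":
                out.append((direction, rtype))
        elif rtype == "Handshake" and (direction, line.strip()) in REQUIRED:
            out.append((direction, line.strip()))
    return out

def missing_steps(trace):
    """List mutual-authentication steps not seen before the first application data."""
    ev = events(trace)
    data = [i for i, e in enumerate(ev) if e[1] == "application_data"]
    handshake = ev[:data[0]] if data else ev
    missing = [f"{d} {m}" for d, m in REQUIRED if (d, m) not in handshake]
    # The page expects the server certificate first, then the client certificate.
    if not missing and handshake.index(REQUIRED[0]) > handshake.index(REQUIRED[2]):
        missing.append("client certificate sent before server certificate")
    return missing

# Constructed sample trace (not captured from a real ATA); cleartext handshake.
MUTUAL = """\
1 1  0.0021 (0.0021)  C>S  Handshake
      ClientHello
1 2  0.0154 (0.0133)  S>C  Handshake
      ServerHello
      Certificate
      CertificateRequest
      ServerHelloDone
1 3  0.0912 (0.0758)  C>S  Handshake
      Certificate
      ClientKeyExchange
      CertificateVerify
1 4  0.1310 (0.0398)  C>S  application_data
"""
# Constructed server-only variant: drop CertificateRequest and the client's two messages.
SERVER_ONLY = "\n".join(l for i, l in enumerate(MUTUAL.splitlines()) if i not in (5, 8, 10))
```

An empty list from `missing_steps` means the trace shows the full two-way certificate exchange. `CertificateVerify` is required as well because a client without a usable certificate can still send an empty `Certificate` message.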
