Https With Client Certificate Authentication; Exercise: Https With Client Certificate Authentication - Cisco 6800 Series Provisioning Manual

Multiplatform phones

Provisioning Examples
Step 9 Click Submit All Changes.
Step 10 Observe the syslog trace that the phone sends.
The syslog message should indicate that the resync obtained the profile from the HTTPS server.
Step 11 (Optional) Use an Ethernet protocol analyzer on the phone subnet to verify that the packets are encrypted.
In this exercise, client certificate verification was not enabled. The connection between the phone and server
is encrypted. However, the transfer is not secure because any client can connect to the server and request the
file, given knowledge of the file name and directory location. For secure resync, the server must also authenticate
the client, as demonstrated in the exercise described in HTTPS with Client Certificate Authentication, on page 53.

HTTPS with Client Certificate Authentication

In the factory default configuration, the server does not request an SSL client certificate from a client. Transfer
of the profile is not secure because any client can connect to the server and request the profile. You can edit
the configuration to enable client authentication; the server requires a client certificate to authenticate the
phone before it accepts a connection request.
Because of this requirement, the resync operation cannot be independently tested by using a browser that
lacks the proper credentials. The SSL key exchange within the HTTPS connection between the test phone
and the server can be observed with the ssldump utility. The utility trace shows the interaction between client
and server.
Related Topics
Secure HTTPS Resync, on page 51

Exercise: HTTPS with Client Certificate Authentication

Procedure
Step 1 Enable client certificate authentication on the HTTPS server.
Step 2 In Apache (v.2), set the following in the server configuration file:
SSLVerifyClient require
Also, ensure that the spacroot.cert has been stored as shown in the Basic HTTPS Resync, on page 51 exercise.
Step 3 Restart the HTTPS server and observe the syslog trace from the phone.
Each resync to the server now performs symmetric authentication, so that both the server certificate and the
client certificate are verified before the profile is transferred.
Step 4 Use ssldump to capture a resync connection between the phone and the HTTPS server.
If client certificate verification is properly enabled on the server, the ssldump trace shows the symmetric
exchange of certificates (first server-to-client, then client-to-server) before the encrypted packets that contain
the profile.
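
A check for the trace described in Step 4, as an added example that is not part of the Cisco guide: it parses ssldump text output and confirms that the server certificate, the CertificateRequest, the client certificate and the CertificateVerify all appear before any application data. It assumes a TLS 1.2 or earlier handshake, where these messages are visible to a passive capture; the function names and both sample traces are constructed for illustration.

```python
import re
# Record header printed by ssldump: "<conn> <rec> <time> (<delta>)  C>S  Handshake"
RECORD = re.compile(r"^\d+\s+\d+\s+[\d.]+\s+\([\d.]+\)\s+([CS]>[CS])\s+(\S+)")
MESSAGE = re.compile(r"^\s+([A-Za-z]+)\s*$")  # indented handshake message name

def parse_trace(text):
    """Return ordered (direction, event) pairs from an ssldump text trace."""
    events, direction, in_handshake = [], None, False
    for line in text.splitlines():
        rec, msg = RECORD.match(line), MESSAGE.match(line)
        if rec:
            direction, rtype = rec.groups()
            in_handshake = rtype == "Handshake"
            if not in_handshake:  # ChangeCipherSpec, Alert, application_data
                events.append((direction, rtype))
        elif msg and in_handshake:
            events.append((direction, msg.group(1)))
    return events

# CertificateVerify is required too: an empty client Certificate message proves nothing.
REQUIRED = [("S>C", "Certificate"), ("S>C", "CertificateRequest"),
            ("C>S", "Certificate"), ("C>S", "CertificateVerify")]

def client_cert_exchanged(events):
    """True if the two-way certificate exchange completes before application data."""
    pos = 0
    for event in events:
        if event[1] == "application_data":
            break
        if pos < len(REQUIRED) and event == REQUIRED[pos]:
            pos += 1
    return pos == len(REQUIRED)

def make_trace(steps):
    """Build a constructed ssldump-style trace from 'dir type [message]' steps."""
    out = ["New TCP connection #1: 192.0.2.10(49152) <-> 192.0.2.1(443)"]
    for n, step in enumerate(steps.split(","), 1):
        direction, rtype, *msg = step.split()
        out.append(f"1 {n}  0.{n:04d} (0.0001)  {direction}  {rtype}")
        out.extend(f"      {m}" for m in msg)
    return "\n".join(out)

# Constructed sample traces (not captured from a real phone or server).
START = "C>S Handshake ClientHello,S>C Handshake ServerHello,S>C Handshake Certificate,"
END = "C>S ChangeCipherSpec,C>S Handshake,S>C ChangeCipherSpec,S>C Handshake,C>S application_data"
MUTUAL = make_trace(START + "S>C Handshake CertificateRequest,S>C Handshake ServerHelloDone,"
                    "C>S Handshake Certificate,C>S Handshake ClientKeyExchange,"
                    "C>S Handshake CertificateVerify," + END)
SERVER_ONLY = make_trace(START + "S>C Handshake ServerHelloDone,C>S Handshake ClientKeyExchange," + END)
```

Calling client_cert_exchanged(parse_trace(...)) on a saved trace returns False for a server-only handshake such as the one in the Basic HTTPS Resync exercise, and True once SSLVerifyClient require is in effect.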
Cisco IP Phone 6800 Series Multiplatform Phones Provisioning Guide