Enable Hostname Verification For Sip Over Tls - Cisco 8800 Series Manual

Cisco IP Phone Configuration
Strings
kRSA, RSA
3DES
MD5

Enable Hostname Verification for SIP over TLS

You can enable increased phone security on a phone line if you use TLS. The phone line can verify the
hostname to determine if the connection is secure.
Over a TLS connection, the phone can verify the hostname to check the server identity. The phone can check
both the Subject Alternative Name (SAN) and the Subject Common Name (CN). If the hostname on the valid
certificate matches the hostname that is used to communicate with the server, the TLS connection establishes.
Otherwise, the TLS connection fails.
The phone always verifies the hostname for the following applications:
• LDAPS
• XMPP
• Image upgrade over HTTPS
• XSI over HTTPS
• File download over HTTPS
• TR-069
When a phone line transports SIP messages over TLS, you can configure the line to enable or bypass the
hostname verification with the TLS Name Validate field on the Ext(n) tab.
Before you begin
• Access the phone administration web page. See
• On the Ext(n) tab, set SIP Transport to TLS.
Procedure
Step 1
Go to Voice > Ext(n).
Step 2 In the Proxy and Registration section, set the TLS Name Validate field to Yes to enable the hostname
verification, or No to bypass the hostname verification.
You can also configure this parameter in the configuration file (cfg.xml) by entering a string in this format:
<TLS_Name_Validate_1_ ua="na">Yes</TLS_Name_Validate_1_>
The allowed values are Yes|No. The default setting is Yes.
Strings
DHE, EDH
SHA1, SHA
SHA256, SHA384
Cisco IP Phone 8800 Series Multiplatform Phone Administration Guide for Release 11.3(1) and Later
Enable Hostname Verification for SIP over TLS
Strings
AESGCM
SUITEB128, SUITEB128ONLY,
SUITEB192
Access the Phone Web Interface, on page 104.
131