Deployment Tool with TLS

Use of TLS by an IP Phone

An IP Phone contains both a TLS server and a TLS client. The TLS server serves the phone's webserver and the phone's XML management interface. The TLS client is used by the phone's telephony client. (The PC's telephony server contains a TLS server, while the PC's web client and XML management client are TLS clients.) As discussed above, a TLS server requires its own key material (a private key and the matching public key certificate chain). A TLS client needs no certificates of its own if it is not required to authenticate the server; if it is, it needs at least one trusted certificate against which to validate the chain the server presents.

Key material is hard-coded into the phone software so that the phone's TLS server works by default. The default key material is a two-certificate chain: the end-entity certificate and a self-signed CA certificate. Because the chain is sent to the client during the TLS handshake, the client can decide to trust the self-signed CA certificate and store it locally for subsequent authentication of other phones, if the client software permits. Key material does not normally include the trusted certificate; the phone's default key material does, as a means of distributing it. Note that because the default key material is part of the software rather than generated per phone, every phone running that software presents the same private key and chain: trusting the default CA certificate authenticates the peer as a phone of this type, not as one particular phone.

By default, the phone's TLS client is configured not to perform server authentication, and has no default trusted certificate; it will therefore complete a TLS handshake with any server that presents key material, so the connection is encrypted but the peer is not authenticated.

For improved security, the user can transfer their own server key material and client trusted certificates to the phone using the XML management interface. The phone uses the new key material and trusted certificates in preference to the defaults. If the user supplies client trusted certificates, the phone's TLS client performs server authentication, which must succeed for a TLS connection to be established.

The key material is transferred as a single file containing a private key and the matching public key certificate chain. The trusted certificates are transferred in a separate single file, as an aggregate of certificates rather than a chain. The phone supports only one server key material file and one client trusted certificates file. The XML management interface allows the user to read back the files and to delete them from the phone. The files are transferred over XML in unencrypted PKCS#12 format. Since the key material file carries the private key without its own encryption, and can be read back, its confidentiality rests entirely on the transport and on who can reach the XML management interface: transfer it over a TLS session to the phone, not in the clear.

Instructions for using the Deployment Tool with TLS

The Deployment Tool is a PC application for configuring batches of IP Phones using the XML management interface.

Operating the XML Management Interface over TLS

The Deployment Tool is a TLS client and authenticates the identity of the TLS servers on the phones it configures. For this it requires a subject DN (the subject it expects in the phone's end-entity certificate) and a trusted CA certificate against which it validates the certificate chains received from the phones during the TLS handshake. Once these are specified, no further action is required to configure either TLS or non-TLS phones; the Tool itself determines from the type of phone being configured whether or not to use TLS.
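The following Go program is an added example, not code from this manual or from Siemens. It reproduces, against in-process TLS servers, the three client behaviours described above: the phone's default client that performs no server authentication, a client that validates the received chain against a trusted CA certificate, and the Deployment Tool's additional requirement that the end-entity subject DN matches an expected value. The "phone" server presents a phone-style two-certificate chain (end-entity certificate followed by its self-signed CA certificate); a second server, signed by an unrelated CA but carrying a copy of the phone's subject DN, stands in for an impostor. All names and DNs ("Phone Default CA", "ip-phone-0001", "Impostor CA", the organisation "Example") are assumptions for the example, the manual gives none; the trust store is built in memory, so the phone's PKCS#12 files are not involved.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// must unwraps a (value, error) pair, panicking on error (demo helper only).
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// mustCert issues a certificate for subj: self-signed when parent is nil (a CA), otherwise signed by parent/parentKey.
func mustCert(subj pkix.Name, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: must(rand.Int(rand.Reader, big.NewInt(1<<62))), Subject: subj,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, BasicConstraintsValid: true, IsCA: isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
		tmpl.IPAddresses = []net.IP{net.IPv4(127, 0, 0, 1)} // the servers live on loopback
	}
	if parent == nil { // self-signed
		parent, parentKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

// servePhone starts a loopback TLS server presenting the phone-style chain (end-entity first, then the self-signed CA).
func servePhone(leaf, ca *x509.Certificate, leafKey *ecdsa.PrivateKey) (addr string, stop func()) {
	chain := tls.Certificate{Certificate: [][]byte{leaf.Raw, ca.Raw}, PrivateKey: leafKey}
	ln := must(tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{chain}}))
	go func() {
		for c, err := ln.Accept(); err == nil; c, err = ln.Accept() {
			go func(c net.Conn) { _ = c.(*tls.Conn).Handshake(); c.Close() }(c) // handshake, then drop
		}
	}()
	return ln.Addr().String(), func() { ln.Close() }
}

// dial performs one client handshake. roots == nil models the phone's default client (no trusted certificate,
// so no server authentication); otherwise the chain must validate against roots and the subject DN must equal wantDN.
func dial(addr string, roots *x509.CertPool, wantDN string) error {
	cfg := &tls.Config{RootCAs: roots, InsecureSkipVerify: roots == nil}
	if roots != nil {
		cfg.VerifyConnection = func(cs tls.ConnectionState) error { // runs only after chain validation succeeded
			if got := cs.PeerCertificates[0].Subject.String(); got != wantDN {
				return fmt.Errorf("subject DN %q, want %q", got, wantDN)
			}
			return nil
		}
	}
	conn, err := tls.Dial("tcp", addr, cfg) // returns only after the handshake
	if err == nil {
		conn.Close() // the handshake has already succeeded; the close result is not the point
	}
	return err
}

// RunScenarios serves hypothetical phone key material plus an impostor that copies the phone's
// subject DN, and returns each client configuration's handshake outcome (nil = success).
func RunScenarios() map[string]error {
	ca, caKey := mustCert(pkix.Name{CommonName: "Phone Default CA"}, true, nil, nil) // assumed name
	leaf, leafKey := mustCert(pkix.Name{Organization: []string{"Example"}, CommonName: "ip-phone-0001"}, false, ca, caKey)
	badCA, badKey := mustCert(pkix.Name{CommonName: "Impostor CA"}, true, nil, nil)
	badLeaf, badLeafKey := mustCert(leaf.Subject, false, badCA, badKey) // same DN as the phone, different CA
	phone, stopPhone := servePhone(leaf, ca, leafKey)
	defer stopPhone()
	impostor, stopImpostor := servePhone(badLeaf, badCA, badLeafKey)
	defer stopImpostor()
	trusted := x509.NewCertPool() // the CA the real phone distributes in its default chain
	trusted.AddCert(ca)
	return map[string]error{
		"default client vs impostor":     dial(impostor, nil, ""),
		"trusted CA + DN vs phone":       dial(phone, trusted, leaf.Subject.String()),
		"trusted CA + DN vs impostor":    dial(impostor, trusted, leaf.Subject.String()),
		"trusted CA + wrong DN vs phone": dial(phone, trusted, "CN=ip-phone-0002,O=Example"),
	}
}

func main() {
	fmt.Println(RunScenarios())
}
```

Running it shows the four outcomes: the default client accepts the impostor (no server authentication at all); the client with the trusted CA certificate accepts the real phone; the same client rejects the impostor even though its subject DN is identical, because the chain does not validate against the trusted CA; and it rejects the real phone when the expected DN is wrong. The DN check on its own would be worthless, since any certificate issuer can copy a subject name; it only adds value on top of chain validation, which is the order in which the code applies them.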

Siemens V1.2.33 manual Use of TLS by an IP Phone, Operating the XML Management Interface over TLS