Provisioning Issues Sangoma

[ZIain]

Hi,

I probably won't be using Sangoma phones moving forward but have a customer moving from FreePBX and need to re-use existing handsets.

I am currently trying to provision some S505 handsets, but having 2 problems and not sure where the issue lies.

1. The first issue is I can only use HTTP and not HTTPS to provision, while testing this I am only using CIDR and not http auth. The handset appears to find the server, read the cert ok, but when it tries to download the xml file it logs a "Received FATAL alert 40" error, which I understand to be an SSL handshake failure, which seems odd as the previous log entry states it is using TLS 1.2.

2. The second issue is that the config for the keys in the device page in FusionPBX doesn't seem to be getting applied to the actual config xml. I have added a second line to the device i'm trying to provision, and configured 2 additional keys, 1 as the second line key, and 1 as a BLF key. When I reboot the handset both lines register fine, but only key 1 is populated. I have downloaded the config xml manually and browsed to the key section, and can confirm that the 1st key is configured as line 1, but the other key sections are the default values.

Please advise if you can.

Thanks.

 

[ZIain]

Hi,

I probably won't be using Sangoma phones moving forward but have a customer moving from FreePBX and need to re-use existing handsets.

I am currently trying to provision some S505 handsets, but having 2 problems and not sure where the issue lies.

1. The first issue is I can only use HTTP and not HTTPS to provision, while testing this I am only using CIDR and not http auth. The handset appears to find the server, read the cert ok, but when it tries to download the xml file it logs a "Received FATAL alert 40" error, which I understand to be an SSL handshake failure, which seems odd as the previous log entry states it is using TLS 1.2.

2. The second issue is that the config for the keys in the device page in FusionPBX doesn't seem to be getting applied to the actual config xml. I have added a second line to the device i'm trying to provision, and configured 2 additional keys, 1 as the second line key, and 1 as a BLF key. When I reboot the handset both lines register fine, but only key 1 is populated. I have downloaded the config xml manually and browsed to the key section, and can confirm that the 1st key is configured as line 1, but the other key sections are the default values.

Please advise if you can.

Thanks.

As an update, i've tried the same as above with a Yealink T28P. The first issue is the same, however the second issue is not an issue with the Yealink.

In addition, the first line key being configured is actually down to that being hard set in the template for the Sangoma.

 

[ZIain]

Update:

I've managed to get the provisioning template sorted for the Sangome S505. I know FusionPBX doesn't come with Sangoma templates, I downloaded from DigitalDaz's (I think) git repository, but they didn't have details for the various variables for the line keys, I added the right ones and now my S505 template works fine.. I am happy to share the template back if anyone needs it.

As for the issue with it not working with HTTPS, this is still an issue and I haven't been able to make any progress, so any pointers would be appreciated.

Thanks

 

[krooney]

Update:

I've managed to get the provisioning template sorted for the Sangome S505. I know FusionPBX doesn't come with Sangoma templates, I downloaded from DigitalDaz's (I think) git repository, but they didn't have details for the various variables for the line keys, I added the right ones and now my S505 template works fine.. I am happy to share the template back if anyone needs it.

As for the issue with it not working with HTTPS, this is still an issue and I haven't been able to make any progress, so any pointers would be appreciated.

Thanks

did you figure this out?

 

[Willott]

Although I'm using a different PBX, thought what I'd found may be of use. The S500's I have show this in log:

SUPPORT TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA

On checking, the webserver on my PBX doesn't have this cipher suite included, most likely around the ROBOT vulnerability. Depending on what access to the PBX there is and how well you can secure it (firewall, internal only etc), you could potentially allow one of these cipher suites. I have also asked of Sangoma when they're releasing a firmware including DHE or ECDHE ciphers (which aren't linked to the same vulnerability) - as HTEK and Yealink are both supported by the PBX I have, and they're linked in terms of the underlying hardware, I would think that the firmware should be capable of handling this.

If you did want to add the cipher to the web server as a work around, you'll need the OpenSSL equivalent of one of the above ciphers, and insert it into the relevant cipher line of the web server config (I'm being slightly vague so that 1) you only look to do this if you fully understand the impact and 2) I'm not using FusionPBX so can't provide direct instructions)