
Lync Phone Edition (LPE) TLS Failure with 3rd Party Public Certificates

I identified an issue today at a site with externally provisioned (Edge pool) Polycom CX600, CX700 and CX3000 devices, most running .4044 or .4100. (I was subsequently able to identify a site with what appears to be the same issue, where the LPE devices registered against a Lync 2010 Standard Edition server and a Dialogic SBA.) All the registrars had 3rd party public certificates (GlobalSign). The phones were failing to sign in; Logger and Snooper revealed a TLS error:

TL_ERROR(TF_CONNECTION) [1]06D8.0EF8::01/30/2014-10:52:11.726.007895ff (SIPStack,SIPAdminLog::TraceConnectionRecord:SIPAdminLog.cpp(160))$$begin_record
LogType: connection
Severity: error
Text: The connection was closed before TLS negotiation completed. Did the remote peer accept our certificate?
Local-IP: 77.xxx.xxx.xx:443
Peer-IP: 77.xxx,xx,xx:49175
Connection-ID: 0x212600
Transport: TLS
$$end_record

A network trace revealed the Edge server sending a TCP RST following the client and server TLS Hellos.

With a certificate from an internal private CA installed on the Front End pool / Standard Edition server / SBA (with a SAN entry present in the certificate so that strict DNS name matching succeeded), the LPE devices were able to authenticate. We were then able to update the devices to .4100 and then to .4420 (January 2013). Once updated, the externally provisioned devices were able to authenticate via the Edge pool against the 3rd party public CA certificate.

UPDATE

A contact at Microsoft advised that earlier versions of the LPE firmware had the GlobalSign Root CA certificate:

Thumbprint:  2F173F7DE99667AFA57AF80AA2D1B12FAC830338
Serial:  020000000000d678b79405

embedded, and this certificate expired 2014-01-28 12:00:00 UTC. It would appear that, after this date, certificates that chained to that GlobalSign Root were no longer being chained by the older firmware to the newer, still valid root.
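As an added example (not code from the original post or from Microsoft/Polycom), the following script reproduces the failure mode above with a throwaway PKI built with the openssl CLI: a server certificate that is itself perfectly valid is rejected when the only trust anchor the verifier holds has expired, and is accepted again once the issuing CA is chained to a replacement root. Every name, file path and validity period below is constructed for the demo; `openssl verify -attime` stands in for the device clock, and `openssl x509 -fingerprint -sha1 -serial -enddate` prints the same identifiers (thumbprint, serial, expiry) the post uses to name the embedded root.

```shell
#!/bin/sh
# Added example, not from the original post. Demonstrates how an expired trust
# anchor breaks chain building even when the server certificate is fine.
# Requires only the openssl CLI; all names and paths are constructed.
set -e

# Minimal req config so the demo does not depend on the system openssl.cnf.
write_req_config() {   # $1 = working directory
    cat > "$1/req.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$1/ca.ext"
    printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:lync.example.invalid\n' > "$1/leaf.ext"
}

make_root() {   # $1 dir, $2 file stem, $3 validity in days -> self-signed CA
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days "$3" \
        -config "$1/req.cnf" -extensions v3_ca -subj "/CN=Demo $2" \
        -keyout "$1/$2.key" -out "$1/$2.crt" 2>/dev/null
}

sign_csr() {   # $1 dir, $2 csr, $3 issuer stem (cert+key), $4 ext file, $5 days, $6 output
    openssl x509 -req -in "$1/$2" -CA "$1/$3.crt" -CAkey "$1/$3.key" -CAcreateserial \
        -days "$5" -sha256 -extfile "$1/$4" -out "$1/$6" 2>/dev/null
}

build_demo_pki() {   # $1 = working directory
    mkdir -p "$1"
    write_req_config "$1"
    make_root "$1" old-root 1    # the anchor embedded in old firmware: expires in one day
    make_root "$1" new-root 30   # the replacement anchor shipped in newer firmware
    # One issuing-CA key, so the same CA can be certified by either root.
    openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$1/req.cnf" \
        -subj "/CN=Demo Issuing CA" -keyout "$1/sub.key" -out "$1/sub.csr" 2>/dev/null
    sign_csr "$1" sub.csr old-root ca.ext 30 sub-old.crt
    sign_csr "$1" sub.csr new-root ca.ext 30 sub-new.crt
    # Server certificate (the registrar), valid for 30 days.
    openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$1/req.cnf" \
        -subj "/CN=lync.example.invalid" -keyout "$1/leaf.key" -out "$1/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$1/leaf.csr" -CA "$1/sub-old.crt" -CAkey "$1/sub.key" \
        -CAcreateserial -days 30 -sha256 -extfile "$1/leaf.ext" -out "$1/leaf.crt" 2>/dev/null
}

# Validate leaf -> issuing CA -> anchor as of a given time (epoch seconds),
# the way a client with that anchor in its trust store would. Returns openssl's status.
verify_chain_at() {   # $1 dir, $2 anchor cert, $3 issuing CA cert, $4 epoch seconds
    openssl verify -attime "$4" -CAfile "$1/$2" -untrusted "$1/$3" "$1/leaf.crt" >/dev/null 2>&1
}

# SHA-1 thumbprint, serial and notAfter: the identifiers used to name an embedded root.
describe_anchor() {   # $1 = certificate file
    openssl x509 -in "$1" -noout -fingerprint -sha1 -serial -enddate
}

report() {   # $1 label, remaining args passed to verify_chain_at
    label="$1"; shift
    if verify_chain_at "$@"; then echo "$label: chain OK"; else echo "$label: chain FAILED"; fi
}

DEMO_DIR="$(mktemp -d)"
build_demo_pki "$DEMO_DIR"
NOW="$(date +%s)"                      # taken after issuance so notBefore <= NOW
TWO_DAYS_LATER=$((NOW + 2 * 86400))    # old-root has expired; leaf and issuing CA have not

describe_anchor "$DEMO_DIR/old-root.crt"
report "old anchor, today"                "$DEMO_DIR" old-root.crt sub-old.crt "$NOW"
report "old anchor, after anchor expiry"  "$DEMO_DIR" old-root.crt sub-old.crt "$TWO_DAYS_LATER"
report "new anchor, after old expiry"     "$DEMO_DIR" new-root.crt sub-new.crt "$TWO_DAYS_LATER"
```

The second report line is the LPE situation: nothing about the registrar's certificate changed at the expiry instant, only the anchor the phone trusts went out of validity, so chain construction fails and the TLS handshake is torn down. The third line is the firmware update: the same issuing CA chained to the new root validates. The `describe_anchor` call is the check worth running against any root pulled from a device or firmware image.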
