
YEALINK NETWORK TECHNOLOGY CO.,LTD.

www.yealink.com

Security Certificates Issue

 Feature mechanism:
1. For the SSL mechanism, please refer to the SSL video of phone advanced features.
2. Trace analysis: filter on ‘ssl’ in Wireshark to analyze certificate-related issues.

An SSL certificate trace for your reference:

certificate-https.pcap

3. For the Security Certificates features on Yealink phones, please refer to the latest
“Security Certificates” guide on support.yealink.com (it includes the related
configurations on Yealink phones).

 Issue Description:
1. Issue1: Need Yealink to issue a certificate for the customer’s server
2. Issue2: ‘Only accept Trusted certificates’ option won’t take effect for TR069
3. Issue3: When using HTTPS for XML Browser or Action URI, there is a delay of a few seconds.
4. Issue4: Certificate failed.

 Resolution: (Checklist)


1. Issue1: Need Yealink to issue a certificate for the customer’s server
When the customer wants the server certificate to be validated against the Yealink Root CA
(built in by default), the customer may need Yealink to issue a certificate for the
customer’s server.
Solution: Please provide the server certificate request in .csr format and submit it to
Yealink; Yealink will then issue the certificate for you.
2. Issue2: ‘Only accept Trusted certificates’ option won’t take effect for TR069
When the customer uses an HTTPS TR069 server, disabling ‘Only accept Trusted certificates’
does not turn off certificate checking on the phone, because a certificate is always
required, as the TR069 standard defines:
https://www.broadband-forum.org/technical/download/TR-069_Amendment-5.pdf

So for this kind of request, please persuade customer


3. Issue3: When using HTTPS for XML Browser or Action URI, there is a delay of a few
seconds.
a) The delay is caused by the HTTPS certificate process. Get the trace
from the customer and do a basic analysis, e.g.
b) From the trace below, we can see that the certificate process takes about 5 seconds,
which causes the delay.

c) Looking at the details:

We can see that the certificate from the server uses the DH algorithm with a length of
256. With a DH length of 256, certification takes more time.
d) So the solution is:

Ask the customer to change the DH length to 128 and then test again; certification
will take less time.
4. Issue4: Certificate failed.
A certificate failure may lead to common issues such as: auto provisioning over HTTPS
fails; controlling the phone with an Action URI HTTPS command fails; downloading the
XML browser file from an HTTPS server fails.
First, get the trace from the customer and do a basic analysis:
a) If there is an ‘unknown CA’ error in the trace, the server certificate was not
issued by any CA certificate on the phone.

Solution: Ask the customer to make sure the server certificate is
issued by one of the CA certificates on the phone.
b) If the server certificate uses SHA256, the certificate may fail on V73 or
earlier versions, because only V80 or higher versions support
SHA256.

Solution:
 If your phones are T4X with V73, please upgrade the phones to V80; the phones
will then support SHA256;
 If your phones are old T2X with V73: old T2X phones don’t have V80
firmware, but we have the solution below.
For phones which only support V73 (and can’t support SHA2), below is a
solution to ensure authentication security between the server and the
phones via HTTPS.
a) You can disable the option 'Only accept Trusted Certificates' (WEB path:
Security->Trusted certification-> only accept Trusted Certificates).
After you disable it, the phone will trust all certificates from the
server, but the data will still be encrypted by HTTPS. That means
the data is secure; the only problem is that the phone can't make
sure whether the server is trusted.
b) When 'Only accept trusted certificates' is disabled, the
phone can't authenticate the server. But security can still be ensured
by having the server authenticate the phone (just reversing the
certificate direction): your server just needs the Yealink CA
certificate (please contact the Yealink support team) uploaded to the CA list on the
server side (the phone side already has the Yealink-assigned
certificate file built in). In this way, the server can
authenticate the phones easily.
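
The trace checks described under Issue3 and Issue4 a), as an added example that is not part of the original Yealink document: a Python script that reads a tshark field export and reports, per TCP stream, the handshake duration, the slowest step, and any certificate alert such as unknown_ca. The sample rows are constructed, and the export command in the comment is an assumption about how the trace is exported (Wireshark 3.0+ field names; older versions use ssl.* instead of tls.*).

```python
# Added example: per-stream TLS handshake timing and alerts from a tshark export.
# Assumed export command (field names as in Wireshark 3.0+):
#   tshark -r certificate-https.pcap -Y tls -T fields -e frame.time_relative \
#     -e tcp.stream -e tls.handshake.type -e tls.alert_message.desc
from collections import defaultdict

HANDSHAKE = {1: "ClientHello", 2: "ServerHello", 11: "Certificate",
             12: "ServerKeyExchange", 14: "ServerHelloDone", 16: "ClientKeyExchange"}
ALERTS = {42: "bad_certificate", 43: "unsupported_certificate",
          46: "certificate_unknown", 48: "unknown_ca"}

# Constructed sample (tab-separated: time, stream, handshake types, alert).
SAMPLE = """\
0.000\t0\t1\t
0.040\t0\t2,11,12,14\t
5.120\t0\t16\t
9.000\t1\t1\t
9.035\t1\t2,11,14\t
9.050\t1\t\t48
"""

def parse(text):
    """Return {tcp_stream: [(time, event_name), ...]} from exported rows."""
    streams = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        t, stream, hs, alert = (line.split("\t") + ["", "", ""])[:4]
        # One frame can carry several handshake records, joined with commas.
        for code in filter(None, hs.split(",")):
            name = HANDSHAKE.get(int(code), "handshake(%s)" % code)
            streams[int(stream)].append((float(t), name))
        for code in filter(None, alert.split(",")):
            streams[int(stream)].append((float(t), "alert:" + ALERTS.get(int(code), code)))
    return streams

def report(streams, slow=1.0):
    """Summarise each stream: duration, slowest step (if >= slow s), alerts."""
    out = {}
    for sid, events in sorted(streams.items()):
        events.sort(key=lambda e: e[0])  # stable: keeps in-frame record order
        gaps = [(b[0] - a[0], a[1], b[1]) for a, b in zip(events, events[1:])]
        worst = max(gaps, key=lambda g: g[0], default=(0.0, None, None))
        out[sid] = {"duration": round(events[-1][0] - events[0][0], 3),
                    "slowest_step": worst[1:] if worst[0] >= slow else None,
                    "alerts": [n[6:] for _, n in events if n.startswith("alert:")]}
    return out

if __name__ == "__main__":
    for sid, summary in report(parse(SAMPLE)).items():
        print(sid, summary)
```

In the constructed sample, stream 0 stalls between ServerHelloDone and ClientKeyExchange, which points at the key exchange step, while stream 1 ends with an unknown_ca alert.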

If the above solutions still don’t solve the issue, please confirm the information below
and submit it to Yealink:
 In which scenario did the customer encounter the HTTPS failure?
 Which models and firmware versions is the customer using?
 Is the customer’s server using a SHA256 certificate?
 How many Yealink phones does the customer have? And how many of them have the issue?
 Do any other models/brands work fine in the same scenario?
 Please provide us with the Syslog (must be Level6)/ Trace/ config.bin files. (For how to get
these three files, please refer to:
https://support.yealink.com/en/portal/knowledge/show?id=84b84b529641f28b843eb445 )
Note:
Please make sure the trace contains the complete SSL messages:


The syslog file must be Level 6: if it contains <6+info>, it is a Level 6 syslog:

 It would be appreciated if you could also provide a trace from phones that work correctly.

Products:
All

Firmware version:
All
