Cisco IP Phone Provisioning
SSLVerifyClient require
Also, ensure that the spacroot.cert has been stored as shown in the Basic HTTPS Resync, on page 56 exercise.
Restart the HTTPS server and observe the syslog trace from the phone.
Each resync to the server now performs symmetric authentication, so that both the server certificate and the
client certificate are verified before the profile is transferred.
Step 4
Use ssldump to capture a resync connection between the phone and the HTTPS server.
If client certificate verification is properly enabled on the server, the ssldump trace shows the symmetric
exchange of certificates (first server-to-client, then client-to-server) before the encrypted packets that contain
the profile.
With client authentication enabled, only a phone with a MAC address that matches a valid client certificate
can request the profile from the provisioning server. The server rejects a request from an ordinary browser or
other unauthorized device.
Configure a HTTPS Server for Client Filtering and Dynamic Content
If the HTTPS server is configured to require a client certificate, the information in the certificate identifies
the resyncing phone and supplies it with the correct configuration information.
The HTTPS server makes the certificate information available to CGI scripts (or compiled CGI programs)
that are invoked as part of the resync request. For the purpose of illustration, this exercise uses the open source
Perl scripting language, and assumes that Apache (v.2) is used as the HTTPS server.
Procedure
Step 1
Install Perl on the host that is running the HTTPS server.
Step 2
Generate the following Perl reflector script:
#!/usr/bin/perl -wT
use strict;
# Apache exports the client certificate fields as SSL_CLIENT_* environment
# variables to CGI programs only when the CGI directory is configured with
# "SSLOptions +StdEnvVars" in mod_ssl.
print "Content-Type: text/plain\n\n";
# Reflect issuer-DN components of the phone's certificate into GPP_D.
print "<flat-profile><GPP_D>";
print "OU=$ENV{'SSL_CLIENT_I_DN_OU'},\n";
print "L=$ENV{'SSL_CLIENT_I_DN_L'},\n";
print "S=$ENV{'SSL_CLIENT_I_DN_S'}\n";
print "</GPP_D></flat-profile>";
Step 3
Save this file with the file name reflect.pl, with executable permission (chmod 755 on Linux), in the
CGI scripts directory of the HTTPS server.
Step 4
Verify accessibility of CGI scripts on the server (that is, /cgi-bin/...).
Step 5
Modify the Profile_Rule on the test device to resync to the reflector script, as in the following example:
https://prov.server.com/cgi-bin/reflect.pl?
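The same reflector as an added Python CGI (not Cisco's reflect.pl), extended with the check a practitioner would want: it refuses the request unless mod_ssl's SSL_CLIENT_VERIFY variable reports SUCCESS, and it XML-escapes the DN values before placing them in GPP_D. It assumes Apache mod_ssl with SSLOptions +StdEnvVars on the CGI directory; the sample environment is constructed.

```python
#!/usr/bin/env python3
# Added example (not Cisco's reflect.pl): a CGI reflector that refuses to emit
# a profile unless mod_ssl reports a verified client certificate. Assumes
# "SSLOptions +StdEnvVars" on the cgi-bin directory, which is what exports
# the SSL_CLIENT_* variables to CGI programs.
import os
from xml.sax.saxutils import escape

# Issuer-DN components the original reflector copies into GPP_D.
DN_FIELDS = (("OU", "SSL_CLIENT_I_DN_OU"),
             ("L", "SSL_CLIENT_I_DN_L"),
             ("S", "SSL_CLIENT_I_DN_S"))

# Constructed sample environment, as mod_ssl would present a verified phone.
SAMPLE_ENV = {"SSL_CLIENT_VERIFY": "SUCCESS",
              "SSL_CLIENT_I_DN_OU": "Example OU",
              "SSL_CLIENT_I_DN_L": "Example City",
              "SSL_CLIENT_I_DN_S": "Example S"}


def client_verified(env):
    """True only if mod_ssl verified the client certificate against the CA.

    SSL_CLIENT_VERIFY is NONE when no certificate was presented, SUCCESS when
    it chained to the trusted CA (spacroot.cert) and FAILED:<reason> otherwise.
    Checking it here is defense in depth: browsers still get nothing if the
    server is later relaxed to "SSLVerifyClient optional".
    """
    return env.get("SSL_CLIENT_VERIFY") == "SUCCESS"


def build_profile(env):
    """Return the flat-profile XML in the same layout as reflect.pl."""
    # escape() keeps the DN values well-formed inside XML text.
    fields = [f"{tag}={escape(env.get(var, ''))}" for tag, var in DN_FIELDS]
    return "<flat-profile><GPP_D>" + ",\n".join(fields) + "\n</GPP_D></flat-profile>\n"


def render_response(env):
    """Return (HTTP status, full CGI response text) for the given environment."""
    if not client_verified(env):
        return 403, ("Status: 403 Forbidden\r\nContent-Type: text/plain\r\n\r\n"
                     "client certificate not verified\n")
    return 200, "Content-Type: text/plain\r\n\r\n" + build_profile(env)


if __name__ == "__main__":
    # Under Apache the real environment is os.environ; SAMPLE_ENV is for testing.
    print(render_response(os.environ)[1], end="")
```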
Cisco IP Phone 8800 Series Multiplatform Phone Administration Guide for Release 11.3(1) and Later