SSL errors (secure provisioning issues)

Thu, 05/08/2014 - 04:48

Provisioning or the XML address book may be configured to use an SSL (HTTPS) connection, and such a secure connection can fail for a number of reasons. To debug it, turn on debug messages at level 3 or higher. The debug messages will look like the following:

local3.debug | [create_tcp_netstrm1] use async to create tcp connection
local3.debug | connect succeed   
local3.debug | [create_tcp_netstrm1] connect SUCCEED
local3.debug | ssl cert err 20   
local3.debug | create ssl connection failed

The "ssl cert err N" line shows the SSL error code and reveals why the SSL connection failed.

The following table summarises the possible N values, their names and (in some cases) a description. The list of possible errors and their names has been taken from the OpenSSL sources (x509_vfy.h). Descriptions are mine.

 N | Name                                           | Description
 0 | X509_V_OK                                      |
 2 | X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT           |
 3 | X509_V_ERR_UNABLE_TO_GET_CRL                   |
 4 | X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE    |
 5 | X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE     |
 6 | X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY  |
 7 | X509_V_ERR_CERT_SIGNATURE_FAILURE              | mostly because of an unsupported certificate hash algorithm; use SHA1 or MD5 only
 8 | X509_V_ERR_CRL_SIGNATURE_FAILURE               |
 9 | X509_V_ERR_CERT_NOT_YET_VALID                  | certificate not valid yet; check the time on the phone
10 | X509_V_ERR_CERT_HAS_EXPIRED                    | certificate expired; check the time on the phone
11 | X509_V_ERR_CRL_NOT_YET_VALID                   |
12 | X509_V_ERR_CRL_HAS_EXPIRED                     |
13 | X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD      |
14 | X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD       |
15 | X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD      |
16 | X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD      |
17 | X509_V_ERR_OUT_OF_MEM                          |
18 | X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT         |
19 | X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN           | self-signed certificate not recognized as trusted
20 | X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY   | chain root certificate not recognized as trusted, or intermediate certificate not supplied by the SSL server
21 | X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE     |
22 | X509_V_ERR_CERT_CHAIN_TOO_LONG                 |
23 | X509_V_ERR_CERT_REVOKED                        |
24 | X509_V_ERR_INVALID_CA                          |
25 | X509_V_ERR_PATH_LENGTH_EXCEEDED                |
26 | X509_V_ERR_INVALID_PURPOSE                     |
27 | X509_V_ERR_CERT_UNTRUSTED                      |
28 | X509_V_ERR_CERT_REJECTED                       |
29 | X509_V_ERR_SUBJECT_ISSUER_MISMATCH             |
30 | X509_V_ERR_AKID_SKID_MISMATCH                  |
31 | X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH         |
32 | X509_V_ERR_KEYUSAGE_NO_CERTSIGN                |
33 | X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER            |
34 | X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION        |
35 | X509_V_ERR_KEYUSAGE_NO_CRL_SIGN                |
36 | X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION    |
37 | X509_V_ERR_INVALID_NON_CA                      |
38 | X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED          |
39 | X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE       |
40 | X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED      |
41 | X509_V_ERR_INVALID_EXTENSION                   |
42 | X509_V_ERR_INVALID_POLICY_EXTENSION            |
43 | X509_V_ERR_NO_EXPLICIT_POLICY                  |
44 | X509_V_ERR_DIFFERENT_CRL_SCOPE                 |
45 | X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE       |
46 | X509_V_ERR_UNNESTED_RESOURCE                   |
47 | X509_V_ERR_PERMITTED_VIOLATION                 |
48 | X509_V_ERR_EXCLUDED_VIOLATION                  |
49 | X509_V_ERR_SUBTREE_MINMAX                      |
50 | X509_V_ERR_APPLICATION_VERIFICATION            |
51 | X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE         |
52 | X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX       |
53 | X509_V_ERR_UNSUPPORTED_NAME_SYNTAX             |
54 | X509_V_ERR_CRL_PATH_VALIDATION_ERROR           |
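As an added example (not part of this document, and not Cisco's or OpenSSL's own code), the following POSIX shell script builds a throw-away test PKI with the openssl command-line tool and reproduces, from the server side, the verification errors the table annotates: 20 when the server omits the intermediate certificate, 19 when the chain's root is not in the trust store, 10 and 9 when the verifying clock is off, and 0 when the chain is complete and trusted. All names, hostnames and file paths are made up for the example; it assumes a modern openssl binary (1.1.1 or 3.x, with its default openssl.cnf) on the PATH, and that openssl's verify output uses the usual "error N at D depth lookup" wording.

```shell
#!/bin/sh
# Added example: reproduce the "ssl cert err N" codes with the OpenSSL CLI
# against a constructed PKI (root CA -> intermediate -> provisioning server
# leaf). Everything below is made up for the demonstration.
set -e

WORK=$(mktemp -d)
cd "$WORK"
NOW=$(date +%s)
FUTURE=$((NOW + 400 * 86400))   # 400 days ahead: beyond the leaf's 365-day lifetime
PAST=$((NOW - 2 * 86400))       # 2 days ago: before every certificate's notBefore

# Root CA (self-signed, 10 years)
openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -keyout ca.key -out ca.crt \
  -subj "/CN=Example Root CA" >/dev/null 2>&1
# Intermediate CA, signed by the root and marked as a CA
openssl req -newkey rsa:2048 -nodes -keyout inter.key -out inter.csr \
  -subj "/CN=Example Intermediate CA" >/dev/null 2>&1
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > inter.ext
openssl x509 -req -in inter.csr -CA ca.crt -CAkey ca.key -CAcreateserial -days 3650 \
  -extfile inter.ext -out inter.crt >/dev/null 2>&1
# Server (leaf) certificate for the provisioning host, signed by the intermediate
openssl req -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
  -subj "/CN=prov.example.test" >/dev/null 2>&1
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:prov.example.test\n' > leaf.ext
openssl x509 -req -in leaf.csr -CA inter.crt -CAkey inter.key -CAcreateserial -days 365 \
  -extfile leaf.ext -out leaf.crt >/dev/null 2>&1
cat inter.crt ca.crt > chain.crt   # what a server sends when it includes the root as well

# Run "openssl verify" on leaf.crt with the given options and print the numeric
# X509 verify error, i.e. the N a phone would log as "ssl cert err N".
# 0 = X509_V_OK; -1 = openssl failed for a reason other than a verify error.
verify_code() {
  out=$(openssl verify "$@" leaf.crt 2>&1 || true)
  case "$out" in
    *": OK"*) echo 0; return 0 ;;
  esac
  code=$(printf '%s\n' "$out" \
    | sed -n 's/.*error \([0-9][0-9]*\) at [0-9][0-9]* depth.*/\1/p' | head -n 1)
  echo "${code:--1}"
}

# Symbolic names (from OpenSSL's x509_vfy.h) for the codes the table describes.
err_name() {
  case "$1" in
    0)  echo X509_V_OK ;;
    7)  echo X509_V_ERR_CERT_SIGNATURE_FAILURE ;;
    9)  echo X509_V_ERR_CERT_NOT_YET_VALID ;;
    10) echo X509_V_ERR_CERT_HAS_EXPIRED ;;
    18) echo X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT ;;
    19) echo X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN ;;
    20) echo X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY ;;
    *)  echo "UNKNOWN($1)" ;;
  esac
}

show() {   # $1 = scenario label, $2 = numeric code
  printf '%-48s ssl cert err %s (%s)\n' "$1" "$2" "$(err_name "$2")"
}

# The situations the table's descriptions point at, reproduced one by one.
show "root trusted, intermediate not sent by server" "$(verify_code -CAfile ca.crt)"
show "root trusted, intermediate sent by server"     "$(verify_code -CAfile ca.crt -untrusted inter.crt)"
show "full chain sent, root not in trust store"      "$(verify_code -untrusted chain.crt)"
show "clock 400 days ahead (leaf expired)"           "$(verify_code -CAfile ca.crt -untrusted inter.crt -attime "$FUTURE")"
show "clock 2 days behind (not yet valid)"           "$(verify_code -CAfile ca.crt -untrusted inter.crt -attime "$PAST")"
# The generated files are left in $WORK for inspection.
```

To run the same check against a real provisioning server before pointing phones at it, save the certificates that `openssl s_client -connect host:443 -showcerts` prints, then verify the leaf the same way with the CA the phone trusts as -CAfile and the server-supplied intermediates as -untrusted; a 20 there means the server is not sending its intermediate, which matches the table's description.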
Notes:

  1. The certificate used for the SSL connection needs to be issued by an authority preconfigured in the phone by Cisco (see the SPA Certificate Authority (CA) List for more information). With firmware >= 7.5.1, a certificate authority configured via the "Custom CA Rule" option can be used as well (see the Administrator's Guide for more information).
  2. SPA[35]xx phones accept certificates even if they are expired or not yet valid. SPA[12]xx ATA devices with firmware < 1.3.2 ignore the verification result entirely; any certificate is considered valid.
