Polycom 331 not remembering custom CA certificate

KG4ZOW
Occasional Contributor

I'm trying to get a Polycom 331 working with an Asterisk server, using TLS and SRTP. The phone has BootROM 4.3.1.0440 and SIP 3.2.6.0314, and is configured to send syslogs to a local server. The Asterisk server has an SSL certificate issued by CAcert, and I'm trying to get the CAcert root CA certificate loaded into the phone so that it will "trust" the server's certificate.

I have tried three times now to load the certificate into the phone using the menus, but if I'm reading the log messages correctly, the phone isn't actually storing the certificate. Since the first time the phone rebooted after I loaded the certificate, it logs the fingerprint of the cert it has stored in the flash, and it keeps changing:

# grep -i '192.168.169.203.*fingerprint' /var/log/messages
Jun 23 12:51:53 192.168.169.203 192.168.169.203 0623125153|so   |4|00|New fingerprint F7:25:12:82:4E:67:B5:D0:8D:92:B7:7C:0B:86:7A:42
Jun 23 16:23:56 192.168.169.203 192.168.169.203 000021.640|so   |4|00|Custom certificate MD5 fingerprint: BB:E2:B2:19:7C:52:0A:01:87:BF:E9:5E:66:59:78:33
Jun 23 16:54:07 192.168.169.203 192.168.169.203 000021.576|so   |4|00|Custom certificate MD5 fingerprint: 7B:DF:04:06:F6:EB:03:C0:A5:00:0C:60:AF:C6:51:D5
Jun 23 16:56:09 192.168.169.203 192.168.169.203 000020.348|so   |4|00|Custom certificate MD5 fingerprint: A9:2C:49:75:18:79:5C:60:9E:C9:1C:4D:2C:82:6E:00
Jun 23 17:00:09 192.168.169.203 192.168.169.203 000021.584|so   |4|00|Custom certificate MD5 fingerprint: 74:13:98:0F:F3:4D:BF:58:39:B3:25:1B:36:82:8F:AF
Jun 23 17:21:58 192.168.169.203 192.168.169.203 000021.594|so   |4|00|Custom certificate MD5 fingerprint: 3B:DC:5D:2C:3D:53:80:37:21:48:D2:87:78:89:54:06
Jun 23 19:16:26 192.168.169.203 192.168.169.203 000021.616|so   |4|00|Custom certificate MD5 fingerprint: 29:2B:3E:1F:C5:FC:DC:97:9C:0D:30:21:08:9A:A9:69
Jun 23 19:32:02 192.168.169.203 192.168.169.203 000021.604|so   |4|00|Custom certificate MD5 fingerprint: 9B:1C:63:48:2C:B7:97:DA:49:44:20:8A:40:07:A4:4C
Jun 23 15:43:27 192.168.169.203 192.168.169.203 0623154327|so   |4|704|New fingerprint F7:25:12:82:4E:67:B5:D0:8D:92:B7:7C:0B:86:7A:42
Jun 23 15:43:27 192.168.169.203 192.168.169.203 0623154327|so   |4|704|Old fingerprint 51:FB:31:91:57:5A:4E:21:EC:41:98:D2:C7:4E:BB:FB
Jun 23 19:40:17 192.168.169.203 192.168.169.203 000021.252|so   |4|00|Custom certificate MD5 fingerprint: 20:DC:CE:1D:64:B2:A6:0F:07:52:27:3F:60:4B:B4:C4
Jun 23 15:52:46 192.168.169.203 192.168.169.203 0623155246|so   |4|696|New fingerprint F7:25:12:82:4E:67:B5:D0:8D:92:B7:7C:0B:86:7A:42
Jun 23 15:52:46 192.168.169.203 192.168.169.203 0623155246|so   |4|696|Old fingerprint D8:2C:0A:7B:AC:A0:01:98:70:CF:6F:25:91:14:EF:A8
Jun 23 19:46:24 192.168.169.203 192.168.169.203 000021.642|so   |4|00|Custom certificate MD5 fingerprint: 8B:2F:47:87:91:58:BF:A5:ED:17:82:55:2D:BF:F1:C8
Jun 23 19:55:21 192.168.169.203 192.168.169.203 000021.616|so   |4|00|Custom certificate MD5 fingerprint: 16:EF:AD:34:BA:B6:19:E0:59:08:75:DF:C6:87:01:F0
Jun 23 20:26:14 192.168.169.203 192.168.169.203 000021.258|so   |4|00|Custom certificate MD5 fingerprint: 60:28:E0:0C:C5:66:B6:24:F2:68:54:D7:FF:31:DE:13
Jun 23 20:28:08 192.168.169.203 192.168.169.203 000021.620|so   |4|00|Custom certificate MD5 fingerprint: C9:8B:9E:AF:C5:51:4C:C5:DA:12:15:1C:D6:47:98:4A
Jun 23 20:44:54 192.168.169.203 192.168.169.203 000021.586|so   |4|00|Custom certificate MD5 fingerprint: 78:92:03:0A:6C:56:7D:A4:C2:B1:64:BD:F4:8B:FB:B9

It's acting like the flash chip where it would store the certificate is bad... it seems to have set a flag which says "custom certificate exists", but every time the phone reboots it seems to be finding a totally different certificate (and of course it can't verify the server's certificate because of this.)

Has anybody seen this before, and if not, is there a fix other than replacing the phone? I bought the phone used from eBay about a year ago and have been using it as a normal (i.e. non-encrypted) phone without any issues since then.

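Added example, not part of the original post and not Polycom code: a Python check that reads syslog lines in the format shown above and reports whether the fingerprint the phone logs at boot is stable and ever equals the one logged when the certificate was loaded. It assumes "New fingerprint" marks the load event and "Custom certificate MD5 fingerprint" the boot-time readback, and that the phone hashes the certificate's DER bytes (as `openssl x509 -fingerprint -md5` does); the sample log, its address and its fingerprints are constructed.

```python
import base64
import hashlib
import re

FP = r"((?:[0-9A-F]{2}:){15}[0-9A-F]{2})"
EVENT = re.compile(
    r"\|(New fingerprint|Old fingerprint|Custom certificate MD5 fingerprint:)\s+" + FP)

# Constructed sample in the same syslog layout as the post; all values are made up.
SAMPLE_LOG = """\
Jun 23 12:51:53 192.0.2.10 192.0.2.10 0623125153|so   |4|00|New fingerprint 00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF
Jun 23 16:23:56 192.0.2.10 192.0.2.10 000021.640|so   |4|00|Custom certificate MD5 fingerprint: 10:10:10:10:10:10:10:10:10:10:10:10:10:10:10:10
Jun 23 16:54:07 192.0.2.10 192.0.2.10 000021.576|so   |4|00|Custom certificate MD5 fingerprint: 20:20:20:20:20:20:20:20:20:20:20:20:20:20:20:20
Jun 23 15:43:27 192.0.2.10 192.0.2.10 0623154327|so   |4|704|New fingerprint 00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF
Jun 23 15:43:27 192.0.2.10 192.0.2.10 0623154327|so   |4|704|Old fingerprint 20:20:20:20:20:20:20:20:20:20:20:20:20:20:20:20
Jun 23 19:40:17 192.0.2.10 192.0.2.10 000021.252|so   |4|00|Custom certificate MD5 fingerprint: 30:30:30:30:30:30:30:30:30:30:30:30:30:30:30:30
"""

def md5_fingerprint(pem: str) -> str:
    """MD5 over the DER bytes of a PEM certificate, as colon-separated upper-case hex."""
    body = "".join(l for l in pem.splitlines() if l and not l.startswith("-----"))
    digest = hashlib.md5(base64.b64decode(body)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, 32, 2))

def audit(log: str, expected: str = "") -> dict:
    """Compare fingerprints logged at load time with those reported at each boot."""
    loaded, booted = [], []
    for kind, fp in EVENT.findall(log):
        if kind == "New fingerprint":
            loaded.append(fp)
        elif kind.startswith("Custom"):
            booted.append(fp)
    # A boot-time value is acceptable if it equals a loaded or locally computed one.
    wanted = set(loaded) | ({expected} if expected else set())
    return {
        "loaded": sorted(set(loaded)),
        "boots": len(booted),
        "distinct_at_boot": len(set(booted)),
        "stable": len(set(booted)) <= 1,
        "ever_matched": any(fp in wanted for fp in booted),
    }

if __name__ == "__main__":
    print(audit(SAMPLE_LOG))
```

Passing `md5_fingerprint()` of the CA file that was served to the phone as `expected` ties the comparison to the certificate on disk rather than only to what the phone logged.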