• ×
    Information
    Windows update impacting certain printer icons and names. Microsoft is working on a solution.
    Click here to learn more
    Information
    Need Windows 11 help?
    Check documents on compatibility, FAQs, upgrade information and available fixes.
    Windows 11 Support Center.
  • post a message
  • ×
    Information
    Windows update impacting certain printer icons and names. Microsoft is working on a solution.
    Click here to learn more
    Information
    Need Windows 11 help?
    Check documents on compatibility, FAQs, upgrade information and available fixes.
    Windows 11 Support Center.
  • post a message
Guidelines
The HP Community is where owners of HP products, like you, volunteer to help each other find solutions.
Locked

‎02-10-2014 04:27 AM

HP Recommended

Hi,

 

When booting a IP321 version 3.2.2.0477 over https I receve the following error after the TLS handshake:

 

Alert (Level: Fatal, Description: Decrypt  Error)

 

This only appears to happen from polycom phones, other devices/software do not exibit the issue.

 

After having a problem with a globalsign root certficiate expiring, I spent some time collating the "authrorised certificate authoritys lists" from all the admin guides. I decided the safest bet for all versions would be the still valid " Verisign Class 3 Public Primary Certification Authority" which I have since got a new certifiacate signed by.

 

Packet flow:

 

Client hello -> Server

Sever Hello <- Server

Certificate, Server Hello done <- Server

 

Client -> Server - Small amount of date from client to server (https)

Client -> Server Alert (Level: Fatal, Description: Decrypt  Error)

 

There is no mutual authentication and any uploads would be logs and directorys.

 

Two intermidiate certificates are provided for the older phones:

 

VeriSign Class 3 Public Primary Certification Authority - G5
VeriSign Class 3 Secure Server CA - G3

 

G5 shouldn't be needed from around version 4. Secure Server G3 doen't look to be supported yet however should work as an intermidiate.

 

Can anyone please advise/help ?

 

Regards

Matthew

 

 

 

 

 

2 REPLIES 2

‎04-30-2014 04:27 PM

HP Recommended

I currently have this same issue.

Using IP335 using 3.3.1

 

I have other polycom phones using 4..0.3 that work just fine. I also have another SBC that the IP335's do work with. The only difference that I have noticed is that signature on the SBC cert is using sha1RSA on that one that works and the new one I have is sha256RSA.  I'm having the CA reissue the cert using sha1RSA and I will replace them and test.  But it appears the older versions don't support the newer signature algorithm. Check to see if those are different on your new certs.

 

Juston

Was this reply helpful? Yes No

‎01-19-2017 11:31 AM

HP Recommended

 

I realise this thread is from 2014, but I just found it after wasting a lot of time loading a new CA cert into a Polycom 330.

 

Legacy devices do not and will not support the SHA256 certs. You need to continue using your old SHA1 cert until it expires, and then either issue your own self signed SHA1 cert and push your CA cert into the phones as a customCA cert, or disable SSL.

 

Polycom released more information here: http://support.polycom.com/global/documents/support/technical/products/voice/sha1_deprecation_impact...

Was this reply helpful? Yes No
† The opinions expressed above are the personal opinions of the authors, not of HP. By using this site, you accept the Terms of Use and Rules of Participation.

Didn't find what you were looking for? Ask the community

† The opinions expressed above are the personal opinions of the authors, not of HP. By using this site, you accept the <a href="https://www8.hp.com/us/en/terms-of-use.html" class="udrlinesmall">Terms of Use</a> and <a href="/t5/custom/page/page-id/hp.rulespage" class="udrlinesmall"> Rules of Participation</a>.