[FAQ] How can I setup a TLS connection for SIP signaling and / or troubleshoot this?

Polycom Employee & Community Manager


The example below is based on Digium Asterisk 1.8. Polycom cannot provide support on Asterisk.


The steps below were tested with a VVX500 running UCS 4.1.3.


Source for certificate creation => here <=


NOTE: Please contact your SIP Platform provider or your Polycom reseller for any support queries! Knowledge in Linux and Asterisk is required.


Step 1 Creating a Server Key on the Asterisk server:


  • type cd /etc/asterisk and hit enter
  • type mkdir certificates (we create a new sub directory)
  • type cd certificates and hit enter
  • type openssl genrsa -out key.pem 1024 and hit enter
  • The key.pem is your server key
  • type openssl req -new -key key.pem -out request.pem and hit enter

    You will now be prompted for several self explanatory questions

    IMPORTANT: Common name - This *NEEDS* to be the FQDN or IP address of your server, because the phone later compares it with the server address it is configured to connect to (see the Step 5 logs).

We now sign our own certificate by running the following command:


  • type openssl x509 -req -days 3650 -in request.pem -signkey key.pem -out certificate.pem and hit enter

    The certificate.pem is your new client certificate that will last for 10 years (3650 days)

  • type cp certificate.pem asterisk.something.com.pem and hit enter

  • type cat key.pem >> asterisk.something.com.pem and hit enter

    The above created a single file containing both the certificate and the server key; this is the certificate "chain" file that Asterisk will be pointed at. Because it contains the private key, it must stay on the server and is never the file that gets imported into the phone.

    Note: asterisk.something.com.pem could also just be IP_Address_Of_Server.pem
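The Step 1 commands as one non-interactive script, added here as an example; it is not part of the original post and not Polycom or Asterisk material. It assumes the OpenSSL command-line tool is installed and that the HOST argument is the FQDN or IP address the phone will be pointed at (it becomes the CN). The country and organisation values in the subject are placeholders, and the key is 2048 bits by this script's choice, where the post uses 1024 (1024-bit RSA is below current minimum key sizes). The two helpers print the CN and the SHA-1 fingerprint so they can be compared with what the phone logs after the import in Step 3; that the phone's 20-byte fingerprint is SHA-1 is an assumption based on its length.

```shell
#!/bin/sh
# Added example, not part of the original post: Step 1 as a script.
# Assumptions: OpenSSL CLI installed; HOST is the FQDN or IP the phone dials;
# C= and O= are placeholders; 2048-bit key (the post uses 1024).
set -e

# make_sip_cert DIR HOST
# Writes DIR/key.pem, DIR/request.pem, DIR/certificate.pem and the combined
# DIR/HOST.pem (certificate followed by the private key) for Asterisk.
make_sip_cert() {
    dir=$1
    host=$2
    mkdir -p "$dir"
    # server key
    openssl genrsa -out "$dir/key.pem" 2048 2>/dev/null
    # certificate request; -subj answers the prompts non-interactively.
    # CN must be the server FQDN or IP, which the phone checks (Step 5 logs).
    openssl req -new -key "$dir/key.pem" -out "$dir/request.pem" \
        -subj "/C=XX/O=Example Lab/CN=$host"
    # self-sign for 10 years (3650 days), as in the post
    openssl x509 -req -days 3650 -in "$dir/request.pem" \
        -signkey "$dir/key.pem" -out "$dir/certificate.pem" 2>/dev/null
    # combined file: certificate first, then the key appended
    cp "$dir/certificate.pem" "$dir/$host.pem"
    cat "$dir/key.pem" >> "$dir/$host.pem"
    # both files hold the private key: restrict them (chown to the Asterisk
    # user afterwards if Asterisk does not run as root)
    chmod 600 "$dir/key.pem" "$dir/$host.pem"
}

# cert_cn FILE -> the Common Name from FILE's subject
cert_cn() {
    openssl x509 -in "$1" -noout -subject \
        | sed -n 's|.*CN *= *\([^,/]*\).*|\1|p'
}

# cert_fingerprint FILE -> colon-separated SHA-1 fingerprint, the form the
# phone prints as "Fingerprint '...'" after an import (assumed SHA-1)
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha1 | sed 's/^.*=//'
}

# stand-alone use: sh make_cert.sh /etc/asterisk/certificates asterisk.example.com
if [ "$#" -eq 2 ]; then
    make_sip_cert "$1" "$2"
    echo "CN:          $(cert_cn "$1/certificate.pem")"
    echo "Fingerprint: $(cert_fingerprint "$1/certificate.pem")"
fi
```

After the script has run, only certificate.pem is copied to the web server for the phone import in Step 3; key.pem and the combined HOST.pem stay in /etc/asterisk/certificates.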

Step 2 changing the Asterisk configuration


Example sip.conf


tlsbindaddr= (put your actual ip address of your box here)

In addition, within the context of an individual phone, add the tls option:


callerid="Steffen 11" <3090>


After the above steps, reload Asterisk.
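A fuller sip.conf fragment for Step 2, added here as an example; it is not from the original post. The option names are chan_sip's TLS options as they exist in Asterisk 1.8; the file paths assume the directory created in Step 1, the peer name 3090 is taken from the callerid line above, and the secret is a placeholder.

```ini
[general]
; chan_sip TLS listener (Asterisk 1.8). Paths are assumptions matching Step 1.
tlsenable=yes
tlsbindaddr=0.0.0.0            ; or the actual IP of the box, as in the post; port defaults to 5061
tlscertfile=/etc/asterisk/certificates/asterisk.something.com.pem
tlsprivatekey=/etc/asterisk/certificates/key.pem   ; optional: the combined file above already contains the key

[3090]
type=friend
host=dynamic
secret=CHANGE_ME               ; placeholder
callerid="Steffen 11" <3090>
transport=tls                  ; the tls option for this phone
```

With only `transport=tls` in the peer, a phone still registering over UDP is refused, which is a quick way to confirm the Step 3 transport change took effect.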


Step 3 Importing the certificate to the phone:



Platform CA certificate 1 has a size limit of 1536 bytes, whereas Platform CA certificate 2 allows up to 4096 bytes.


The size restriction exists for backwards compatibility with legacy software: customers downgrading from 4.x.x keep the Platform 1 certificate, because older software only allowed a single custom CA certificate of 1536 bytes.
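A pre-import check for the PEM file, added here as an example and not part of the original post. It applies the two size limits quoted above and also refuses a file that contains a private key or more than one certificate, because the file to import is certificate.pem alone, never key.pem or the combined file from Step 1. The fake_pem helper only builds PEM-shaped files of a chosen size so the check can be tried without OpenSSL; they are constructed for the example and are not real certificates.

```shell
#!/bin/sh
# Added example, not part of the original post: checks a PEM file before it is
# imported as a custom Platform CA certificate, using the limits quoted above
# (1536 bytes for CA certificate 1, 4096 bytes for CA certificate 2).
# Assumes a POSIX shell with grep, wc and awk; OpenSSL is not needed.

# check_ca_pem FILE -> prints SLOT1 (fits either slot), SLOT2 (fits only CA
# certificate 2), TOO_LARGE, CONTAINS_KEY (a private key is present and the
# file must not leave the server) or NOT_ONE_CERT (zero or several certs).
check_ca_pem() {
    f=$1
    if grep -q 'PRIVATE KEY' "$f"; then
        echo CONTAINS_KEY
        return 1
    fi
    # grep -c exits 1 on zero matches but still prints "0"
    n=$(grep -c '^-----BEGIN CERTIFICATE-----' "$f" || true)
    if [ "$n" -ne 1 ]; then
        echo NOT_ONE_CERT
        return 1
    fi
    size=$(wc -c < "$f" | tr -d ' ')
    if [ "$size" -le 1536 ]; then
        echo SLOT1
    elif [ "$size" -le 4096 ]; then
        echo SLOT2
    else
        echo TOO_LARGE
        return 1
    fi
}

# fake_pem FILE BODY_BYTES: writes a constructed PEM-shaped file (not a real
# certificate) of a chosen size, for trying the check without OpenSSL
fake_pem() {
    {
        echo '-----BEGIN CERTIFICATE-----'
        awk -v n="$2" 'BEGIN { for (i = 0; i < n; i++) printf "A"; printf "\n" }'
        echo '-----END CERTIFICATE-----'
    } > "$1"
}

# stand-alone use: sh check_ca_pem.sh certificate.pem
if [ "$#" -eq 1 ]; then
    check_ca_pem "$1"
fi
```

SLOT1 means the file can go into either Platform CA certificate slot, which matters if the phone may later be downgraded as described above; SLOT2 means only device.sec.TLS.customCaCert2 can hold it.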


  • We copy the newly created client certificate to the www directory on the Asterisk server via:

    cp certificate.pem /var/www/html/polycom

  • We import the certificate.pem to the phone via the Web Interface:

    [Screenshot: import PEM certificate.PNG]

    Type the source address of the certificate.pem and click on Install

  • The certificate is now imported:

    [Screenshot: import PEM certificate_01.PNG]

  • The certificate is now part of the phone configuration:


    0209142147|tls  |*|00|Saving new Custom platform CA certificate 1 
    0209142147|tls  |*|00|New Certificate Common Name '' Fingerprint 'E3:E4:08:88:23:05:DE:D1:6A:3D:21:5C:9E:03:D3:60:86:7F:24:0C'
    0209142147|tls  |*|00|No previous certificate stored

    NOTE: If the certificate cannot be hosted on a server, it can instead be imported via the Web Interface using Utilities > Import & Export Configuration > Import Configuration with a configuration file like the following (the certificate body goes between the BEGIN and END lines):


    <web device.set="1"
         device.sec.TLS.customCaCert2="-----BEGIN CERTIFICATE-----
    -----END CERTIFICATE-----" />

  • Change the Port from standard 0 (5060) to 5061

  • Change the Transport from DNSnaptr to TLS

    [Screenshot: import PEM certificate_03.PNG]

  • The change is now part of the phone configuration:

    [Screenshot: import PEM certificate_04.PNG]


Step 4 Troubleshooting using Wireshark:


  • Within Wireshark click on Edit => Preferences => Protocols => SSL => RSA keys list => Edit

    [Screenshot: import PEM certificate_05.PNG]


  • Add a New Key

    [Screenshot: import PEM certificate_06.PNG]

    IP address is the IP of the Server (Asterisk)
    Port is 5061
    Protocol is SIP
    Key file would be the key.pem file created above

    Note that decrypting with the server's RSA key only works for sessions negotiated with RSA key exchange; cipher suites using (EC)DHE key exchange (forward secrecy) cannot be decrypted from the server key even when it is available.

  • Confirm all by Apply and OK

  • Start the Wireshark trace and reboot the phone so the handshake is captured

  • Make a call

  • Wireshark will now display the SIP messages

    [Screenshot: import PEM certificate_07.PNG]

  • Right-clicking on a TLS packet allows following the SSL stream

    [Screenshot: import PEM certificate_08.PNG]

    which shows the SIP messaging in clear text

    [Screenshot: import PEM certificate_09.PNG]

Step 5 Using Polycom logs to troubleshoot TLS issues


  • Set the relevant logging levels:


    Settings > Logging > Global Settings > Global Log Level Limit > Debug
    Settings > Logging > Global Settings > Global Log Level Limit > Log File Size (Kbytes) > VVX/SPIP/SSIP prior to 5.5.0 = 180
    Settings > Logging > Global Settings > Global Log Level Limit > Log File Size (Kbytes) > Trio 8300 & VVX after 5.5.0 = 1000
    Settings > Logging > Global Settings > Global Log Level Limit > Log File Size (Kbytes) > Trio or CCX 10240
    Settings > Logging > Module Log Level Limits > SIP > Debug
    Settings > Logging > Module Log Level Limits > TLS > Debug

  • Check the Logs. A successful handshake and certificate validation looks like this:
    1206175452|sip  |2|00|MakeTlsConnection: SSL_connect OK : TLS Handshake completed successfully
    1206175452|sip  |3|00|[TLS] Validating Subject Alternative Name(s) (SAN) and Common Name (CN) against the following:
    1206175452|sip  |3|00|[TLS]            Hostname:
    1206175452|sip  |3|00|[TLS]      Outbound Proxy:
    1206175452|sip  |3|00|[TLS] Hostname connection: NONE
    1206175452|sip  |3|00|[TLS] Attempting to validate certificate Common Name (CN)
    1206175452|sip  |3|00|[TLS] Certificate Common Name matches server host: ''
    1206175452|sip  |3|00|[TLS] Server Certificate SAN or CN validation success. SSL verify result 0
    1206175452|sip  |1|00|MakeTlsConnection: post_connection_checks passed
    1206175452|sip  |3|00|MakeTlsConnection: connection succeeded





    A failed validation looks like this:

    1724612.165|sip  |4|00|[TLS] Server Certificate Common Name 'name' doesn't match any of the following:
    1724612.165|sip  |4|00|[TLS]            Hostname:
    1724612.165|sip  |4|00|[TLS]      Outbound Proxy:
    1724612.165|sip  |4|00|[TLS] Hostname connection: NONE
    1724612.165|sip  |4|00|[TLS] Server Certificate SAN or CN validation failed
    1724612.165|sip  |4|00|MakeTlsConnection: connection failed error 1


In the above, the Common Name did not match the hostname the phone connects to.
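A small checker for the log lines shown in Step 5, added here as an example and not from the original post. The field layout (timestamp|module|level|id|message) is taken from the quoted lines. The two sample logs written by write_samples are constructed for this example: the fingerprint is copied from the Step 3 log above, the server name asterisk.lab.example and the phone-side hostname 192.0.2.10 are made up.

```shell
#!/bin/sh
# Added example, not part of the original post: classify the phone's TLS
# handshake result from its log. Field layout assumed from the quoted lines:
# timestamp|module|level|id|message. The sample logs are constructed.

# tls_outcome FILE -> prints OK, CN_MISMATCH, HANDSHAKE_FAILED or UNKNOWN
tls_outcome() {
    awk -F'|' '
        $5 ~ /MakeTlsConnection: connection succeeded/ { ok = 1 }
        $5 ~ /SAN or CN validation failed/            { cn = 1 }
        $5 ~ /MakeTlsConnection: connection failed/   { failed = 1 }
        END {
            if (ok)          print "OK"
            else if (cn)     print "CN_MISMATCH"
            else if (failed) print "HANDSHAKE_FAILED"
            else             print "UNKNOWN"
        }' "$1"
}

# cn_from_log FILE -> the certificate CN the phone rejected (empty if none)
cn_from_log() {
    sed -n "s/.*Server Certificate Common Name '\([^']*\)' doesn't match.*/\1/p" "$1" | head -n 1
}

# fingerprint_from_log FILE -> fingerprint the tls module logged on import,
# to compare with the fingerprint of the certificate created on the server
fingerprint_from_log() {
    sed -n "s/.*Fingerprint '\([0-9A-F:]*\)'.*/\1/p" "$1" | head -n 1
}

# write_samples DIR: constructed logs, one good and one CN-mismatch handshake
write_samples() {
    cat > "$1/good.log" <<'EOF'
0209142147|tls  |*|00|New Certificate Common Name '' Fingerprint 'E3:E4:08:88:23:05:DE:D1:6A:3D:21:5C:9E:03:D3:60:86:7F:24:0C'
1206175452|sip  |2|00|MakeTlsConnection: SSL_connect OK : TLS Handshake completed successfully
1206175452|sip  |3|00|[TLS] Server Certificate SAN or CN validation success. SSL verify result 0
1206175452|sip  |3|00|MakeTlsConnection: connection succeeded
EOF
    cat > "$1/bad.log" <<'EOF'
1724612.165|sip  |4|00|[TLS] Server Certificate Common Name 'asterisk.lab.example' doesn't match any of the following:
1724612.165|sip  |4|00|[TLS]            Hostname: 192.0.2.10
1724612.165|sip  |4|00|[TLS] Server Certificate SAN or CN validation failed
1724612.165|sip  |4|00|MakeTlsConnection: connection failed error 1
EOF
}

# stand-alone demo on the constructed samples
T=$(mktemp -d)
write_samples "$T"
echo "good.log: $(tls_outcome "$T/good.log"), imported fingerprint $(fingerprint_from_log "$T/good.log")"
echo "bad.log:  $(tls_outcome "$T/bad.log"), rejected CN '$(cn_from_log "$T/bad.log")'"
```

A CN_MISMATCH result with the rejected CN printed next to it tells you immediately whether the certificate was issued for the wrong name (fix the CN in Step 1) or the phone is dialling the server by a different name or address than the CN (fix the phone's server address).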


We can get around this utilizing this Parameter:



This can also be set on newer versions via the Web Interface Settings > Network > TLS:



Changing the default Cipher.


By factory we currently use:



In order to change as an example the Platform Profile 1:




<web device.set="1" 





The above forces as an example TLS 1.2


Decrypting a Wireshark Trace if the Certificate cannot be shared:


Usually, if a customer can provide a trace but cannot share the certificate used to decrypt the trace, they can share the session keys instead.


Following Step 4 above, simply ask the customer to go to Wireshark, select File > Export SSL Session Keys, and save the file.


Then open the customer trace and, in Wireshark, set Edit > Preferences > Protocols > SSL > (Pre)-Master-Secret log filename to the exported session keys file.



If official support is required please check how to phone or open a case here

The title Poly Employee & Community Manager is a community setting and does not reflect my role. I am just a simple volunteer in the community like everybody else. All posts and words are my own & do not represent the views of Employer.

