Generate server certificate on Yealink T-22P IP phone to work with VPN

Domain: www.fqdn.com [anonymized]
Web server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/5.6.40
OS my web server runs on: CentOS 7

$ uname -ro
3.10.0-1127.19.1.el7.x86_64 GNU/Linux
$
FreePBX 15.0.17.24 all modules up to date / pfSense 2.5.0 firewall
Hosting provider: N/A
Login to root shell via ssh

I’ve been trying without success to set up VPN with a Yealink T-22P on FreePBX as I explain in the following post:

The T-22P is an old phone long discontinued but I thought I would try Yealink support. They recommended the following:

In the vpn.cnf file, I found that you would like to use SHA256, but T22P is too old to support that. I think “cipher AES-128-CBC” is not supported either.

Please try lower encryption methods, such as MD5 or SHA1. You will need to change the settings on the server side, and rebuild the CAs

I’m looking for guidance on how to “change the settings on the server side and rebuild the CA’s”. Can someone assist to get me started? Thanks.

Hi @HawkMcDuck,

I don't understand exactly what Yealink means by "rebuild the CAs" either. However, Let's Encrypt (and all publicly-trusted CAs for the web) is no longer allowed to issue certificates using MD5 or SHA-1. This is a strictly-enforced industry-wide policy. So, if the device really requires certificates with SHA-1, you would probably need to create your own private/internal certificate authority (which can then issue certificates using obsolete cryptographic algorithms), and then figure out how to get this device to trust your CA, probably by importing your own root certificate.

3 Likes

@schoen Thanks for your reply. I guess your analysis pretty much closes the issue!

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.