Unable to register Kerio Operator Softphone
  •  
bradleyland

I am attempting to register Kerio Operator Softphone running on an iPhone 6 with iOS 9.2 installed, but am receiving a certificate error:

Quote:
Registration Error
Certificate name mismatch (503)
Reason: Certificate name mismatch


I have attached a screenshot.

Our certificate is a Comodo issued wildcard cert for our domain (*.eauctionservices.com). I am able to use the Kerio Operator web client and admin control panel without any certificate issues. It is worth noting that I had to add the intermediate certificate chain to the cert file in order to get the Kerio Operator web interface working.

Interestingly, I'm not seeing any errors on the server side. This appears to be isolated to the client. I see an auth log entry, but no other log entries.

Any help would be appreciated. I have a user traveling to Europe tomorrow and they were hoping to make WiFi calls using the softphone app.

  •  
bradleyland

I ran SSL Labs' test against the server to ensure that the SSL cert is valid, and everything looks good:

https://www.ssllabs.com/ssltest/analyze.html?d=keriooperator.eauctionservices.com&hideResults=on
  •  
Brian Carmichael (Kerio)

Check the Kerio Operator settings in Network -> General -> Hostname. Make sure it's set to your hostname. keriooperator.eauctionservices.com

Brian Carmichael
Senior Technical Marketing Engineer | Kerio
Stay Connected Anytime, Anywhere. Discover Kerio Cloud!
  •  
Brian Carmichael (Kerio)

Otherwise, it might be unhappy about the wildcard certificate. You can work around it by disabling the strict checking in the app. There are instructions at the bottom of this KB article http://kb.kerio.com/product/kerio-operator/softphone-setup/configuring-kerio-operator-softphone-1320.html

Brian Carmichael
Senior Technical Marketing Engineer | Kerio
Stay Connected Anytime, Anywhere. Discover Kerio Cloud!
  •  
bradleyland

Thanks, Brian! I had the user bypass the strict check for now (which works). Will investigate obtaining a non-wildcard cert when the user returns.
  •  
Filip Jenicek (Kerio)

Hi,

wildcard certificates can't be used with SIP, it is forbidden by RFC5922 <https://tools.ietf.org/html/rfc5922#section-7.2>. The recent version of our softphone client reflects that and requires the certificate to contain a full domain name.

Filip
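
The difference between the web client accepting the wildcard certificate and the softphone rejecting it comes down to the name-comparison rule. The sketch below is an added example, not part of the original post and not Kerio's code: it contrasts browser-style wildcard matching with the whole-name comparison of RFC 5922 section 7.2, using subjectAltName lists constructed from the names mentioned in this thread.

```python
# Added example: SAN lists are constructed for illustration, not read from
# the real certificate. Function names are hypothetical.

def https_style_match(hostname, san_dns_names):
    """Browser-style check: '*' may stand in for exactly one leftmost label."""
    host = hostname.lower().split(".")
    for name in san_dns_names:
        pattern = name.lower().split(".")
        if len(pattern) != len(host):
            continue  # a wildcard never spans more than one label
        if pattern[0] == "*" and len(pattern) > 2:
            if pattern[1:] == host[1:]:
                return True
        elif pattern == host:
            return True
    return False


def sip_domain_match(hostname, san_dns_names):
    """RFC 5922 section 7.2 style check: names are compared in their
    entirety, case-insensitively, with no suffix or wildcard matching."""
    host = hostname.lower()
    return any(name.lower() == host for name in san_dns_names)


def compare(hostname, san_dns_names):
    """Return the verdict of both rules for one certificate."""
    return {
        "https": https_style_match(hostname, san_dns_names),
        "sip": sip_domain_match(hostname, san_dns_names),
    }


SERVER = "keriooperator.eauctionservices.com"
WILDCARD_SAN = ["*.eauctionservices.com", "eauctionservices.com"]  # constructed
FULL_NAME_SAN = ["keriooperator.eauctionservices.com"]             # constructed

if __name__ == "__main__":
    print("wildcard cert :", compare(SERVER, WILDCARD_SAN))
    print("full-name cert:", compare(SERVER, FULL_NAME_SAN))
```
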
  •  
bradleyland

Ah, that makes sense then. Thanks, Filip.
  •  
UnifiedTechs-Brian

Filip Jenicek (Kerio) wrote on Mon, 04 January 2016 02:09
Hi,

wildcard certificates can't be used with SIP, it is forbidden by RFC5922 <https://tools.ietf.org/html/rfc5922#section-7.2>. The recent version of our softphone client reflects that and requires the certificate to contain a full domain name.

Filip


This would have been a good thing to note in the announcement about the recent changes to the client, we just purchased a wildcard cert for all our hosted Operator systems. I'm rather upset Kerio has not tried to make this wider known.

Kerio needs to look into adding support for https://letsencrypt.org/ right into their products, would be a great solution for all!

- Brian
Kerio Preferred Partner, Reseller & Hosting Provider
Unified Technology Solutions
  •  
UnifiedTechs-Brian

Brian Carmichael (Kerio) wrote on Wed, 30 December 2015 19:49
Otherwise, it might be unhappy about the wildcard certificate. You can work around it by disabling the strict checking in the app. There are instructions at the bottom of this KB article http://kb.kerio.com/product/kerio-operator/softphone-setup/configuring-kerio-operator-softphone-1320.html


There is no reference to strict checking anywhere in the referenced KB article.

- Brian
Kerio Preferred Partner, Reseller & Hosting Provider
Unified Technology Solutions
  •  
skeates

Just hit this problem today. Updated the softphone app because of the added ability to answer calls from the lock screen, but with the current version you have also removed the option to disable TLS certificate checks.

So effectively not able to use the softphone app any longer. If SIP does not support wildcard certificates then the option to at least be able to disable TLS would be good. We use wildcard SSL certificates for all our clients so this is potentially a big issue for us.

  •  
Vladimir Toncar (Kerio)

You can import Operator's self-signed certificate to your phone (http://kb.kerio.com/product/kerio-operator/softphone-setup/configuring-kerio-operator-softphone-1320.html#sect-ownssl). That's a somewhat safer alternative to disabling the TLS certificate check.

As to letsencrypt.org, we have that as an idea for future development.
  •  
Vladimir Toncar (Kerio)

The issue with wildcard certificates is mentioned in the KB article about softphone auto-provisioning, http://kb.kerio.com/product/kerio-operator/phone-provisioning/provisioning-for-kerio-operator-softphone-1319.html.

The softphone auto-provisioning article is referenced from 'Configuring Kerio Operator Softphone', http://kb.kerio.com/product/kerio-operator/softphone-setup/configuring-kerio-operator-softphone-1320.html, right at the top of the article.

I'll have the note about wildcard certificates appear in 'Configuring Kerio Operator Softphone' as well.

