EDIT 2021-11-11:

I’ve confirmed that these instructions also work on Polycom VVX 301 and Polycom VVX 310 desk phones.

I’ve also, unfortunately, confirmed that these instructions do not work on Polycom IP Soundstation 7000 conference phones. I can’t confirm that this is the cause, but I noticed that the release notes for the latest firmware specifically call out that the IP Soundstation 7000 did not receive an OpenSSL update that was otherwise included in this firmware for all other devices.

On the Polycom IP Soundstation 7000, even after making these changes, SSL negotiation fails with the same Untrusted Certificate errors.

ORIGINAL POST:

I have a fleet of manually-configured Polycom SoundStation IP 6000 VoIP phones configured to use voip.ms as their SIP provider, using TLS for SIP registration and SRTP for voice transport.

Voip.ms uses Let’s Encrypt for TLS certificates on their SIP servers.

On September 30, 2021, as planned, the DST Root CA X3 cross-sign expired. All the phones stopped working, and I started seeing this in the logs:

1005165947|sip  |4|03|Server certificate verification failed, Untrusted Cetificate
1005165947|sip  |4|03|MakeTlsConnection: SSL_connect error 1
1005165947|sip  |4|03|MakeTlsConnection: connection failed error -1

The issue is that the phones use an old version of OpenSSL (older than 1.1.0), which either:

  1. Doesn’t have the new ISRG Root X1 certificate available to it in the device’s trust store, OR
  2. Even if it does, still fails due to an incompatibility with how this version of OpenSSL verifies certificate chains. See here for details.

This was a known / expected failure for older versions of OpenSSL, but I hadn’t realized that these phones were using this older version. Sure enough, the Polycom release notes for the latest firmware version for these phones confirm that they are running OpenSSL 1.0.2 and, as such, are affected by this issue.

Because these phones are end-of-life, it’s unclear whether they’ll get a newer version of OpenSSL.

For now, to get them working, we need to do two things:

  1. Manually add the ISRG Root X1 certificate.
  2. Configure the phone to only use this certificate, not any of the other ones that it might have in its trust store.

We can do this using a configuration file.

Here is the configuration file I use to make Polycom Soundstation IP 6000 VoIP phones work with voip.ms after September 2021. You’ll notice that the ISRG Root X1 certificate is embedded – to be sure, you can go here to compare what’s in this XML file with what’s on the Let’s Encrypt website.

The configuration file also sets the SIP application to trust only this certificate, and not any of the other certificates in the device’s trust store. This is important because of the OpenSSL issue mentioned above.

It also sets SRTP as the audio transport protocol, and it sets a NAT keepalive interval that works with common routers so that incoming calls continue to work between registration intervals.

Your needs may vary based on your environment – I am not a VoIP expert by any means! If you have an expert available to you, please talk to them before taking advice from a stranger on the Internet.

I hope somebody finds this helpful!

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<PHONE_CONFIG>
  <ALL
    nat.keepalive.interval="30"
    sec.srtp.offer="1"
    sec.srtp.require="1"
    sec.TLS.profileSelection.SIP="ApplicationProfile1"
    sec.TLS.profile.1.caCert.application2="0"
    sec.TLS.profile.1.caCert.application3="0"
    sec.TLS.profile.1.caCert.application4="0"
    sec.TLS.profile.1.caCert.application5="0"
    sec.TLS.profile.1.caCert.application6="0"
    sec.TLS.profile.1.caCert.application7="0"
    sec.TLS.profile.1.caCert.defaultList="0"
    sec.TLS.profile.1.caCert.platform1="0"
    sec.TLS.profile.1.caCert.platform2="0"
    voIpProt.server.1.address="sanjose1.voip.ms"
    voIpProt.server.1.port="5061"
    voIpProt.server.1.transport="TLS"
    sec.TLS.customCaCert.1="-----BEGIN CERTIFICATE-----
MIIFazCCA1OgAwIBAgIRAIIQz7DSQONZRGPgu2OCiwAwDQYJKoZIhvcNAQELBQAw
TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh
cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMTUwNjA0MTEwNDM4
WhcNMzUwNjA0MTEwNDM4WjBPMQswCQYDVQQGEwJVUzEpMCcGA1UEChMgSW50ZXJu
ZXQgU2VjdXJpdHkgUmVzZWFyY2ggR3JvdXAxFTATBgNVBAMTDElTUkcgUm9vdCBY
MTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAK3oJHP0FDfzm54rVygc
h77ct984kIxuPOZXoHj3dcKi/vVqbvYATyjb3miGbESTtrFj/RQSa78f0uoxmyF+
0TM8ukj13Xnfs7j/EvEhmkvBioZxaUpmZmyPfjxwv60pIgbz5MDmgK7iS4+3mX6U
A5/TR5d8mUgjU+g4rk8Kb4Mu0UlXjIB0ttov0DiNewNwIRt18jA8+o+u3dpjq+sW
T8KOEUt+zwvo/7V3LvSye0rgTBIlDHCNAymg4VMk7BPZ7hm/ELNKjD+Jo2FR3qyH
B5T0Y3HsLuJvW5iB4YlcNHlsdu87kGJ55tukmi8mxdAQ4Q7e2RCOFvu396j3x+UC
B5iPNgiV5+I3lg02dZ77DnKxHZu8A/lJBdiB3QW0KtZB6awBdpUKD9jf1b0SHzUv
KBds0pjBqAlkd25HN7rOrFleaJ1/ctaJxQZBKT5ZPt0m9STJEadao0xAH0ahmbWn
OlFuhjuefXKnEgV4We0+UXgVCwOPjdAvBbI+e0ocS3MFEvzG6uBQE3xDk3SzynTn
jh8BCNAw1FtxNrQHusEwMFxIt4I7mKZ9YIqioymCzLq9gwQbooMDQaHWBfEbwrbw
qHyGO0aoSCqI3Haadr8faqU9GY/rOPNk3sgrDQoo//fb4hVC1CLQJ13hef4Y53CI
rU7m2Ys6xt0nUW7/vGT1M0NPAgMBAAGjQjBAMA4GA1UdDwEB/wQEAwIBBjAPBgNV
HRMBAf8EBTADAQH/MB0GA1UdDgQWBBR5tFnme7bl5AFzgAiIyBpY9umbbjANBgkq
hkiG9w0BAQsFAAOCAgEAVR9YqbyyqFDQDLHYGmkgJykIrGF1XIpu+ILlaS/V9lZL
ubhzEFnTIZd+50xx+7LSYK05qAvqFyFWhfFQDlnrzuBZ6brJFe+GnY+EgPbk6ZGQ
3BebYhtF8GaV0nxvwuo77x/Py9auJ/GpsMiu/X1+mvoiBOv/2X/qkSsisRcOj/KK
NFtY2PwByVS5uCbMiogziUwthDyC3+6WVwW6LLv3xLfHTjuCvjHIInNzktHCgKQ5
ORAzI4JMPJ+GslWYHb4phowim57iaztXOoJwTdwJx4nLCgdNbOhdjsnvzqvHu7Ur
TkXWStAmzOVyyghqpZXjFaH3pO3JLF+l+/+sKAIuvtd7u+Nxe5AW0wdeRlN8NwdC
jNPElpzVmbUq4JUagEiuTDkHzsxHpFKVK7q4+63SM1N95R1NbdWhscdCb+ZAJzVc
oyi3B43njTOQ5yOf+1CceWxG1bQVs5ZufpsMljq4Ui0/1lvh+wjChP4kqKOJ2qxq
4RgqsahDYVvTH9w7jXbyLeiNdd8XM2w9U/t7y0Ff/9yi0GE44Za4rF2LN9d11TPA
mRGunUHBcnWEvgJBQl9nJEiU0Zsnvgc/ubhPgXRR4Xq37Z0j4r7g1SgEEzwxA57d
emyPxgcYxn/eR44/KJ4EBs+lVDR3veyJm+kXQ99b21/+jh5Xos1AnX5iItreGCc=
-----END CERTIFICATE-----"
  />
</PHONE_CONFIG>
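As an added example (not from the original post, Polycom or voip.ms), a small Python check to run against a PHONE_CONFIG file like the one above before pushing it to a fleet: it confirms that SIP is bound to the custom profile, that every built-in trust list named in the post is switched off, that the transport is TLS, and that the embedded certificate's SHA-256 fingerprint is the one Let's Encrypt publishes for ISRG Root X1. The script name and the expected-fingerprint constant are assumptions to re-check against letsencrypt.org.

```python
import base64
import hashlib
import re
import sys
import xml.etree.ElementTree as ET

# Published SHA-256 fingerprint of the self-signed ISRG Root X1; re-check it on letsencrypt.org.
ISRG_ROOT_X1_SHA256 = "96:BC:EC:06:26:49:76:F3:74:60:77:9A:CF:28:C5:A7:CF:E8:A3:C0:AA:E1:1A:8F:FC:EE:05:C0:BD:DF:08:C6"
# The built-in trust lists the post switches off so that only the custom CA remains.
DISABLED_LISTS = [f"application{i}" for i in range(2, 8)] + ["defaultList", "platform1", "platform2"]

def load_attrs(xml_text: str) -> dict:
    """Return the attributes of <ALL>, where the Polycom config keeps every setting."""
    return ET.fromstring(xml_text).find("ALL").attrib

def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour and decode the body; validate=True rejects any stray character."""
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", pem)
    return base64.b64decode("".join(body.split()), validate=True)

def cert_fingerprint(pem: str) -> str:
    """SHA-256 over the DER, colon-separated as 'openssl x509 -fingerprint -sha256' prints it."""
    digest = hashlib.sha256(pem_to_der(pem)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, 64, 2))

def audit_config(xml_text: str, expected_fp: str = ISRG_ROOT_X1_SHA256) -> list:
    """Return a list of findings; an empty list means the file matches the post's intent."""
    attrs = load_attrs(xml_text)
    findings = []
    if attrs.get("sec.TLS.profileSelection.SIP") != "ApplicationProfile1":
        findings.append("SIP is not bound to ApplicationProfile1")
    # With any built-in list still on, OpenSSL 1.0.2 may validate via the expired DST Root CA X3.
    for name in DISABLED_LISTS:
        key = f"sec.TLS.profile.1.caCert.{name}"
        if attrs.get(key) != "0":
            findings.append(f"{key} is not disabled")
    if attrs.get("voIpProt.server.1.transport") != "TLS":
        findings.append("SIP transport is not TLS")
    pem = attrs.get("sec.TLS.customCaCert.1", "")
    if "BEGIN CERTIFICATE" not in pem:
        findings.append("no custom CA certificate embedded")
    elif cert_fingerprint(pem) != expected_fp:
        findings.append("embedded CA is not ISRG Root X1 (fingerprint mismatch)")
    return findings

if __name__ == "__main__":  # usage: python audit_polycom_tls.py phone-config.cfg (assumed name)
    problems = audit_config(open(sys.argv[1], encoding="utf-8").read())
    print("OK: only ISRG Root X1 is trusted" if not problems else "\n".join(problems))
    sys.exit(1 if problems else 0)
```

The exit code makes it usable as a gate in whatever provisioning step writes the config to the phones.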