forked from usecallmanagernz/usecallmanagernz.github.io
trust-verification.html
<!DOCTYPE html>
<html lang="en">
<head>
<title>Trust Verification</title>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width,initial-scale=1,shrink-to-fit=no">
<link rel="shortcut icon" href="images/logo.svg">
<link rel="stylesheet" href="https://fonts.googleapis.com/css2?family=Roboto">
<link rel="stylesheet" href="https://fonts.googleapis.com/css2?family=Material+Symbols+Outlined:FILL@0..1">
<link rel="stylesheet" href="includes/theme.css">
<link rel="stylesheet" href="includes/prettify.css">
<script src="https://ajax.googleapis.com/ajax/libs/jquery/3.6.0/jquery.min.js"></script>
<script src="includes/prettify.js"></script>
<script>
jQuery(window).on("load", function () {
prettyPrint();
});
</script>
</head>
<body>
<header>
<a href="/"><img src="images/logo.svg" alt=""></a>
<h2>&lt;<span>proxy</span>&gt;</h2><h1><span>USECALLMANAGER</span>.nz</h1><h2>&lt;/<span>proxy</span>&gt;</h2>
</header>
<main>
<nav>
<ul>
<li><a href="documentation-overview.html"><span class="icon">home</span> Documentation Overview</a></li>
<li><a href="patching-asterisk.html"><span class="icon">build</span> Patching Asterisk</a></li>
<li><a href="change-log.html"><span class="icon">news</span> Change Log</a></li>
</ul>
<ul>
<li><h3>Network Configuration</h3></li>
<li><a href="dhcp-options.html"><span class="icon">settings_ethernet</span> DHCP Options</a></li>
<li><a href="http-provisioning.html"><span class="icon">file_download</span> HTTP Provisioning</a></li>
<li><a href="tftp-provisioning.html"><span class="icon">file_download</span> TFTP Provisioning</a></li>
</ul>
<ul>
<li><h3>Phone Configuration</h3></li>
<li><a href="sepmac-cnf-xml.html"><span class="icon">settings_phone</span> SEPMAC.cnf.xml</a></li>
<li><a href="dial-template.html"><span class="icon">dialpad</span> Dial Template</a></li>
<li><a href="application-dial-rules.html"><span class="icon">bluetooth</span> Application Dial Rules</a></li>
<li><a href="soft-keys.html"><span class="icon">power_input</span> Soft Keys</a></li>
<li><a href="line-keys.html"><span class="icon">format_list_bulleted</span> Line Keys</a></li>
<li><a href="feature-policy.html"><span class="icon">fact_check</span> Feature Policy</a></li>
<li><a href="network-locale.html"><span class="icon">language</span> Network Locale</a></li>
<li><a href="user-locale.html"><span class="icon">face</span> User Locale</a></li>
<li><a href="load-information.html"><span class="icon">file_upload</span> Firmware Load Information</a></li>
<li><a href="background-images.html"><span class="icon">wallpaper</span> Background Images</a></li>
<li><a href="ring-tones.html"><span class="icon">ring_volume</span> Ring Tones</a></li>
<li><a href="device-security.html"><span class="icon">security</span> Device Security</a></li>
<li><span class="icon selected">verified</span> <b>Trust Verification</b></li>
<li><a href="certificate-enrollment.html"><span class="icon">card_membership</span> Certificate Enrollment</a></li>
<li><a href="vpn-connection.html"><span class="icon">vpn_key</span> VPN Connection</a></li>
</ul>
<ul>
<li><h3>Asterisk Configuration</h3></li>
<li><a href="sip-peers.html"><span class="icon">dialer_sip</span> SIP Peers</a></li>
<li><a href="sip-notify-commands.html"><span class="icon">settings_power</span> SIP Notify Commands</a></li>
<li><a href="dialplan-extensions.html"><span class="icon">format_list_numbered</span> Dialplan Extensions</a></li>
<li><a href="call-parking.html"><span class="icon">local_parking</span> Call Parking</a></li>
<li><a href="sip-peer-options.html"><span class="icon">code</span> SIPPEER Options</a></li>
<li><a href="rtp-streaming.html"><span class="icon">volume_up</span> RTP Streaming</a></li>
<li><a href="command-line.html"><span class="icon">keyboard_arrow_right</span> Command Line</a></li>
<li><a href="freepbx-integration.html"><span class="icon">view_kanban</span> FreePBX Integration</a></li>
</ul>
<ul>
<li><h3>XML Services</h3></li>
<li><a href="phone-services.html"><span class="icon">settings</span> Phone Services</a></li>
<li><a href="cgi-execute.html"><span class="icon">phone_forwarded</span> CGI Execute</a></li>
</ul>
<ul>
<li><h3>Additional Features</h3></li>
<li><a href="as-feature-events.html"><span class="icon">extension</span> AS Feature Events</a></li>
</ul>
</nav>
<article>
<h1>Trust Verification</h1>
The Trust Verification Service (TVS) allows phones to query the validity of a certificate that is not included in <code class="literal">ITLFile.tlv</code> on demand. Certificates used for <code class="literal">CCM</code>, <code class="literal">TFTP</code>, <code class="literal">CAPF</code> and <code class="literal">APP-SERVER</code> roles can be dynamically provisioned without the phone having to re-download <code class="literal">ITLFile.tlv</code>.<br>
<br>
To enable use of TVS set &lt;<code class="tag">address</code>&gt; and &lt;<code class="tag">port</code>&gt; in <a href="sepmac-cnf-xml.html#TVS.member">SEPMAC.cnf.xml</a> and include a certificate with the <code class="literal">TVS</code> role in <code class="literal">ITLFile.tlv</code>. An archive containing the server and client utilities can be downloaded from the URL below.<br>
<br>
<a href="https://github.com/usecallmanagernz/daemons/archive/v4.2.tar.gz" download><span class="icon">file_download</span> daemons-4.2.tar.gz</a> (28K) <span class="icon">event</span> 12/12/2025 <span class="icon">security</span> SHA256:3a618bdfdd74efcf0fb36b61011b221262e1551dd82ee963963ec2b328ec3611.<br>
<br>
<h2 id="tvsctl">tvsctl <a href="#tvsctl" title="Link">link</a></h2>
The <code class="literal">tvsctl</code> utility is used to manage the database file used by <code class="literal">tvsd</code>. The following adds certificates used for <code class="literal">CCM</code> and <code class="literal">APP-SERVER</code> roles to a database file in <code class="literal">/var/lib/tvs</code>.<br>
<br>
<code class="command-line"><span class="prompt">~/daemons-X.X$</span> sudo --user tvs ./tvsctl /var/lib/tvs/tvs.sqlite3 --add /etc/asterisk/keys/asterisk.pem \
--ccm
<span class="prompt">~/daemons-X.X$</span> sudo --user tvs ./tvsctl /var/lib/tvs/tvs.sqlite3 --add /etc/apache2/ssl-certs/apache.pem \
--app-server</code>
<br>
Multiple roles can be assigned to a certificate, along with an optional TTL (time to live). If the certificate already exists in the database file, its settings are overwritten.<br>
<br>
<code class="command-line"><span class="prompt">~/daemons-X.X$</span> sudo --user tvs ./tvsctl /var/lib/tvs/tvs.sqlite3 --add /etc/asterisk/keys/asterisk.pem \
--ccm --app-server --ttl 3600</code>
<br>
Certificates can be removed from the database when no longer required. The certificate hash can be specified as a prefix to match.<br>
<br>
<code class="command-line"><span class="prompt">~/daemons-X.X$</span> sudo --user tvs ./tvsctl /var/lib/tvs/tvs.sqlite3 --remove 5dc2c141</code>
<br>
A list of certificates and roles in the database file can be shown.<br>
<br>
<code class="command-line"><span class="prompt">~/daemons-X.X$</span> ./tvsctl /var/lib/tvs/tvs.sqlite3 --list</code>
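A small model of what the <code class="literal">tvsctl</code> commands above do, as an added example that is not part of the usecallmanagernz daemons: a SQLite table keyed by certificate fingerprint that supports adding a certificate with one or more roles (re-adding overwrites), an optional TTL, removal by hash prefix, listing, and the role lookup a TVS daemon answers when a phone asks whether a certificate is valid. The table schema, the SHA-256-over-DER fingerprint, the comma-separated role encoding and the constructed PEM bodies are all assumptions made for this illustration, not the project's real database format.<br>

```python
# Added example (not from the usecallmanagernz project): a minimal model of the
# certificate database that tvsctl manages and the validity lookup a TVS daemon
# answers. Schema, hash algorithm and role encoding are assumptions made for
# this illustration, not the project's real format.
import base64
import hashlib
import sqlite3
import time

# Roles named on the page; any other role is rejected by add().
ROLES = {"CCM", "TFTP", "CAPF", "APP-SERVER", "TVS"}


def pem_to_der(pem: str) -> bytes:
    """Strip the BEGIN/END armour lines and base64-decode the body."""
    body = [line.strip() for line in pem.splitlines()
            if line.strip() and not line.startswith("-----")]
    return base64.b64decode("".join(body))


def fingerprint(pem: str) -> str:
    """SHA-256 over the DER bytes (assumed hash; the page does not state one)."""
    return hashlib.sha256(pem_to_der(pem)).hexdigest()


def constructed_pem(seed: str) -> str:
    """Constructed stand-in for a certificate file so the example runs with no
    real keys. The body is arbitrary bytes, not an X.509 structure."""
    body = base64.b64encode(f"constructed-der:{seed}".encode()).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


class TrustStore:
    def __init__(self, path: str = ":memory:"):
        self.db = sqlite3.connect(path)
        self.db.execute(
            "CREATE TABLE IF NOT EXISTS certs ("
            "fingerprint TEXT PRIMARY KEY, roles TEXT NOT NULL, "
            "added REAL NOT NULL, ttl INTEGER)")

    def add(self, pem: str, roles, ttl=None, now=None) -> str:
        """Add a certificate with its roles; an existing entry is overwritten."""
        roles = set(roles)
        unknown = roles - ROLES
        if unknown or not roles:
            raise ValueError(f"bad roles: {sorted(unknown) or 'none'}")
        fp = fingerprint(pem)
        stamp = now if now is not None else time.time()
        self.db.execute("INSERT OR REPLACE INTO certs VALUES (?, ?, ?, ?)",
                        (fp, ",".join(sorted(roles)), stamp, ttl))
        self.db.commit()
        return fp

    def remove(self, prefix: str) -> int:
        """Remove every certificate whose fingerprint starts with prefix."""
        cur = self.db.execute(
            "DELETE FROM certs WHERE substr(fingerprint, 1, ?) = ?",
            (len(prefix), prefix.lower()))
        self.db.commit()
        return cur.rowcount

    def list_certs(self):
        """(fingerprint, [roles], ttl) for every entry, like tvsctl --list."""
        rows = self.db.execute(
            "SELECT fingerprint, roles, ttl FROM certs ORDER BY fingerprint")
        return [(fp, roles.split(","), ttl) for fp, roles, ttl in rows]

    def verify(self, pem: str, role: str, now=None) -> bool:
        """The question a phone asks: is this cert trusted for this role now?"""
        row = self.db.execute(
            "SELECT roles, added, ttl FROM certs WHERE fingerprint = ?",
            (fingerprint(pem),)).fetchone()
        if row is None:
            return False                      # unknown certificate
        roles, added, ttl = row
        now = now if now is not None else time.time()
        if ttl is not None and now - added >= ttl:
            return False                      # TTL elapsed: treat as untrusted
        return role in roles.split(",")       # known, but only for listed roles


def demo() -> dict:
    """Walk through the page's sequence: add, overwrite with TTL, query, remove."""
    store = TrustStore()
    asterisk = constructed_pem("asterisk")    # constructed, stands in for asterisk.pem
    apache = constructed_pem("apache")        # constructed, stands in for apache.pem
    store.add(asterisk, ["CCM"])
    store.add(apache, ["APP-SERVER"])
    # Re-adding overwrites: both roles with a one-hour TTL, stamped at t=1000.
    fp = store.add(asterisk, ["CCM", "APP-SERVER"], ttl=3600, now=1000)
    return {
        "ccm_now": store.verify(asterisk, "CCM", now=2000),
        "tftp_now": store.verify(asterisk, "TFTP", now=2000),
        "ccm_expired": store.verify(asterisk, "CCM", now=1000 + 3600),
        "removed": store.remove(fp[:8]),      # prefix match, as with --remove
        "remaining": len(store.list_certs()),
    }
```

In this model a certificate that is present but registered under a different role, or whose TTL has elapsed, is reported as untrusted exactly like an unknown certificate; when a phone rejects a certificate you believe is in the database, role and TTL are the two fields to check before suspecting the certificate itself.<br>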
<br>
<h2 id="tvsd">tvsd <a href="#tvsd" title="Link">link</a></h2>
The Trust Verification Service requires an RSA key and an X.509 certificate; if you already have a suitable certificate it can be used instead. Otherwise a new certificate can be generated using <code class="literal">mkcert</code>. See <a href="device-security.html">Device Security</a> for more information.<br>
<br>
<code class="command-line"><span class="prompt">~/certutils-X.X$</span> sudo ./mkcert --common "TVS" --organization "TVS" --unit "TVS" \
/var/lib/tvs/tvs.pem</code>
<br>
Add the TVS certificate to <code class="literal">ITLFile.tlv</code> using <code class="literal">tlvfile</code> and restart phones to have them download the new version.<br>
<br>
<code class="command-line"><span class="prompt">~/certutils-X.X$</span> sudo ./tlvfile --build /var/lib/tftpboot/ITLFile.tlv --sast /etc/ssl/private/sast.pem \
--tvs /var/lib/tvs/tvs.pem ...</code>
<br>
Run the daemon by specifying the path to the database file and the certificate that has the <code class="literal">TVS</code> role. <code class="literal">INSTALL.md</code> has example instructions to run the daemon as a service.<br>
<br>
<code class="command-line"><span class="prompt">~/daemons-X.X$</span> ./tvsd /var/lib/tvs/tvs.sqlite3 --tvs /var/lib/tvs/tvs.pem</code>
<br>
The <b>7900</b> series only supports TLS version 1.0; to allow connections from those phones include the <code class="literal">--tlsv1</code> option.<br>
<br>
<code class="command-line"><span class="prompt">~/daemons-X.X$</span> sudo --user tvs ./tvsd ... --tlsv1</code>
<br>
<h2 id="tvsc">tvsc <a href="#tvsc" title="Link">link</a></h2>
<code class="literal">tvsc</code> is a command line client that connects to <code class="literal">tvsd</code> to query the validity of a certificate. This can be used to debug certificate verification failures.
</article>
</main>
<footer>
<span class="icon">copyright</span> Gareth Palmer and individual contributors. Documentation distributed under <a href="LICENSE">CC BY 4.0</a>.
</footer>
</body>
</html>