Configuring Security Features

EXP1024-RC4-MD5 EXP-EDH-RSA-DES-CBC-SHA EXP-EDH-DSS-DES-CBC-SHA EXP-DES-CBC-SHA EXP-RC4-MD5

The following figure illustrates the TLS messages exchanged between the IP phone and the TLS server to establish an encrypted communication channel:

Step 1: The IP phone sends a “Client Hello” message proposing SSL options.
Step 2: The server responds with a “Server Hello” message selecting the SSL options, sends its public key information in a “Server Key Exchange” message and concludes its part of the negotiation with a “Server Hello Done” message.
Step 3: The IP phone sends session key information (encrypted by the server’s public key) in the “Client Key Exchange” message.
Step 4: The server sends a “Change Cipher Spec” message to activate the negotiated options for all future messages it will send.

IP phones can encrypt SIP with TLS, which is called SIPS. When TLS is enabled for an account, the SIP messages of this account are encrypted, and a lock icon appears on the LCD screen after the successful TLS negotiation.

Certificates

The IP phone can serve as a TLS client or a TLS server. TLS requires the following security certificates to perform the TLS handshake:

• Trusted Certificate: When the IP phone requests a TLS connection with a server, the IP phone should verify the certificate sent by the server to decide whether it is trusted based on the trusted certificates list. The SIP-T48G/T46G/T42G/T41P/T40P/T29G/T27P/T23P/T23G/T21(P) E2/T19(P) E2 IP phone has 31 built-in trusted certificates, and the SIP VP-T49G/CP860 IP phone has 30 built-in trusted certificates. You can upload 10 custom certificates at most. The format of the trusted certificate files must be *.pem, *.cer, *.crt and *.der, and the maximum file size is 5MB. For more information on the 31 trusted certificates, refer to Appendix C: Trusted Certificates on page 986.
• Server Certificate: When clients request a TLS connection with the IP phone, the IP phone