Provisioning server redirects to HTTPS

Discussion in '3CX Phone System - General' started by JonnyM, Jul 9, 2017.

Thread Status:
Not open for further replies.
  1. JonnyM

    I am using Polycom IP450 and IP6000/IP7000 phones on 3CX 15.5, on Linux deployed in VMware.

    When provisioning these phones I am giving them the provisioning URL displayed in the 3CX UI via DHCP - in my case this is http://fqdn:5000/provisioning/<string>. If I try and browse to a config file at this address, the client is redirected to https://fqdn:5000/provisioning/<string>/file.ext.

    HTTPS isn't running on port 5000 - it's port 5001, so the attempt to grab the file fails. Is this a bug or a misconfiguration somewhere?
     
  2. SECOIT GmbH

    Hi Jonny,

    It's a security feature of 3CX PBX in connection with modern browsers.
    When contacting the 3CX PBX, the webserver is configured by 3CX to send this header: strict-transport-security:"max-age=15768000"
    This header instructs your browser to always use https for the next 15768000 seconds. You can add the port 5000 or leave it - it won't make a difference if you contacted the 3CX PBX on that hostname before, so your browser will always use https in the next 182 days.

    Three workarounds:
    1. Use a different browser that has NOT accessed https://fqdn:5001 before
    2. Use http://ip-address:5000
    3. Remove HSTS entries:
       - Chrome: browse to chrome://net-internals/#hsts and delete fqdn
       - Firefox: open your profile on the file system, find the file SiteSecurityServiceState.txt, and delete all entries related to fqdn

    Hope that helps.
    Michael
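
The browser-side behaviour described in the reply above, modelled on RFC 6797 (added example, not part of the original thread and not 3CX or browser code). It goes slightly beyond the thread by also handling `includeSubDomains` and expiry; `HstsStore` and the host `pbx.example.test` are hypothetical names, and only the header value comes from the post.

```javascript
// Simplified model of a browser's HSTS store (RFC 6797). Hostnames are placeholders.
const IP_LITERAL = /^(\d{1,3}\.){3}\d{1,3}$|^\[.*\]$/;

class HstsStore {
  constructor() { this.entries = new Map(); } // host -> { expires, includeSubDomains }

  // Record a Strict-Transport-Security header seen on a response from `url` at time `now` (ms).
  note(url, headerValue, now) {
    const u = new URL(url);
    // The header is honoured only over HTTPS and never for IP-address hosts.
    if (u.protocol !== 'https:' || IP_LITERAL.test(u.hostname)) return false;
    const directives = headerValue.split(';').map(d => d.trim().toLowerCase());
    const maxAge = directives.map(d => /^max-age="?(\d+)"?$/.exec(d)).find(Boolean);
    if (!maxAge) return false;
    const seconds = Number(maxAge[1]);
    if (seconds === 0) { this.entries.delete(u.hostname); return true; } // max-age=0 clears the entry
    this.entries.set(u.hostname, {
      expires: now + seconds * 1000,
      includeSubDomains: directives.includes('includesubdomains'),
    });
    return true;
  }

  // Entries are keyed by hostname only: the port the header arrived on is not stored.
  isKnownHost(hostname, now) {
    const labels = hostname.split('.');
    for (let i = 0; i < labels.length; i++) {
      const e = this.entries.get(labels.slice(i).join('.'));
      if (e && e.expires > now && (i === 0 || e.includeSubDomains)) return true;
    }
    return false;
  }

  // URL the browser actually requests for `url` (RFC 6797 section 8.3).
  rewrite(url, now) {
    const u = new URL(url);
    if (u.protocol !== 'http:' || IP_LITERAL.test(u.hostname)) return u.href;
    if (!this.isKnownHost(u.hostname, now)) return u.href;
    // Scheme becomes https; an explicit non-80 port (here 5000) is preserved,
    // while port 80 (implicit or explicit) ends up as the https default, 443.
    u.protocol = 'https:';
    return u.href;
  }
}
```

Because the store is keyed by hostname and the rewrite keeps an explicit port, a visit to the HTTPS management port is enough to turn later `http://…:5000` requests from the same browser into `https://…:5000`, while requests by IP address are left alone.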
     
  3. EdanBrooke

    Hi JonnyM,

    Looks like @SECOIT GmbH's response has answered your question, but I wonder if it's worth provisioning your phone via HTTPS anyway, as opposed to HTTP? Do your phones support provisioning via HTTPS?

    Kind regards,
    Edan Brooke
     
  4. JonnyM

    Just to provide some closure on this one, I needed to rebuild my 3CX instance anyway, and went with an internal FQDN for internal clients (HTTP), and let 3CX create a Let's Encrypt cert for external access. I believe this is how the 3CX team planned for stuff to be deployed, and once I'd made sure the phones were being provisioned via the internal URL and removed the DNS for my external address, it's all working a lot better.
     