T48G EOL due to missing TLS 1.2

spaxxilein

Hello,

We just updated to the newest version of 3CX Server and I missed the part that 50% of our phones are Yealink T48G phones, which are now EOL and cannot be auto-provisioned anymore by the server due to the "missing TLS 1.2" feature.

According to the documentation of Yealink of an older update x.81.0.110 ( https://support.yealink.com/en/portal/docDetail?documentCode=886bf0f7b16e9862 ) the phone does support TLS 1.2 with this setting:

static.security.default_ssl_method = 5

Can somebody please explain why we are locking out a perfectly fine phone which technically supports all necessary TLS standards from being autoprovisioned?

Thanks for your help,

spaxxilein
 
Contact Yealink. It's not EOL now, it's been EOL for a long time, and it's a Yealink decision, not 3CX.
 
Well, if 3CX says they unsupported it because of missing TLS 1.2, then this is not correct and should be adjusted, because the device according to Yealink supports TLS 1.2 just fine.
 
No, you say that. The official line from Yealink is that it does not support it. You just found some old doc somewhere.
 
Very kind responses from you - thanks for that. "You found an old document somewhere" - no, I found that document in the changelog of the Yealink firmware, not in some GitHub repository from 20 years ago - that is officially on Yealink's site for download. Also, for the Skype firmware they specifically added a Knowledge Base article for the TLS 1.2 issue - https://support.yealink.com/en/portal/knowledge/show?id=44f54dd1a5c70fac3e272c41

In that article from 2021 (very old) Yealink officially states on their own website that any version after 35.8.0.81 supports TLS 1.2 on the T48G.

I would really appreciate a nicer tone to your paying customers - which in some cases may also have a point even though you might not think so or don't want to look into the matter. You could always tell me that I am wrong in a nice manner and maybe provide some evidence to support your statement.

I can just say that by obsoleting the T48G for 3CX we have basically created e-waste, because there is no way I will be able to maintain and update all the BLF settings etc. by hand for our workers.

Best Regards
 
We also have a building full of T46G's so following this, and have also noted that security.default_ssl_method = 5 is already in our template which in theory should use TLS 1.2 according to Yealink firmware update notes.

I'm assuming that despite this, T46G will no longer function the same after the Update 5 due to TLS problems.

On the support page for T46G it gives -
Known Limitations
  1. No support for CTI via uaCSTA
  2. No direct UI login
  3. No Hot desking
  4. Incompatible with secure "SSL Transport and Ciphers" setting
  5. Unable to perform Attended Transfer when the caller is "Anonymous"

Does this mean the phones can no longer be controlled from 3CX app for CTI? (I don't know what uaCSTA is)

And 5 above, unable to perform Attended Transfer when the caller is anonymous? This could be a deal breaker, if this update means our phones which previously were provisioned and fully working can no longer transfer calls where the caller is anonymous. Has anyone tested and confirmed that T46G / T48G cannot transfer anonymous callers after Update 5?
 
The stock template from 3CX for T4x EOL phones has the variable already set though:

Judging by the number of support threads for broken provisioning I'm inclined to say this isn't as simple as setting that option, since people with it already set are experiencing issues.
 
It's not only related to TLS 1.2.

What you can do:

a. On the local LAN you can switch off the need for TLS 1.2 and other security checks/options in the security section in the management console. If you have your phone system properly protected by a firewall you are reasonably safe. If it's on the cloud you cannot use this option as you will get hacked.

b. The other way is to use manual provisioning. This should be fine because there are no new firmwares for this phone, so there is no need to update it from the console. But yes, options such as BLF are not easily configurable anymore.

To be clear, any EOL decision is made by Yealink, not by us. We fully understand it's unfortunate that phones such as 46G/48G cannot be used as before. We are not party to the decision why a new firmware cannot be released, but I am sure there are good reasons for it.
 
What you can do:

a. On the local LAN you can switch off the need for TLS 1.2 in http provisioning in the security section in the management console. If you have your phone system properly protected by a firewall you are reasonably safe. If it's on the cloud you cannot use this option as you will get hacked.

b. The other way is to use manual provisioning. This should be fine because there are no new firmwares for this phone, so there is no need to update it from the console. But yes, options such as BLF are not easily configurable anymore.

To be clear any EOL decision is made by Yealink, not by us. Although we are in almost daily contact with Yealink we have reached out one more time to clarify their position to be 150% sure.

And no one, certainly not 3CX, is stopping you from contacting Yealink directly and asking for their clarification.
Hello,

Thanks for the answer. We are using the phones behind an SBC which connects to our server in the datacenter. Until the last update we didn't have any problems with the T48G phones autoprovisioning in our network - everything worked flawlessly.

May I ask if you changed anything regarding the phones to block them from autoprovisioning in 3CX, or if you claim that it's just not working anymore? Because as your colleague stated there were numerous people who had problems already - I would suggest that they might have different problems, because it worked flawlessly in our setup.

Anyway - I will contact Yealink directly and ask if there are any known issues with T48G and TLS 1.2 - maybe that will shed some light on the situation.

Regards
 
>snip<.
Because as your colleague stated there were numerous people who had problems already - I would suggest that they might have different problems, because it worked flawlessly in our setup.
>snip<
Just to clarify, in case you were referring to my post above, I'm a 3CX partner, not an employee. I do keep an eye on the forums so I can see what issues and solutions we might run into with a new release/update, but I don't have any special info / insight other than what I experience and what I see.
 
We have reached out to Yealink one more time to ask if they can make an updated firmware for these phones.
 
Hello Mr. Galea,

Much appreciated, hopefully they can fix their latest firmware. I have not yet received any answer to my support ticket, but I guess I am not a priority @ Yealink ;)

Regards
 
Thanks for your nice words :) I agree it's e-waste that we should try to avoid!

I think all mails will help to give it a chance. I have also written personally to them.
 
Just to note that the T42G, whilst also EOL, also supports TLSv1.2. Our 3CX 18U5 has the Enable PCI compliance ticked, and tests show the web interface now only has TLSv1.2 enabled (i.e. that it does not answer the provisioning URL on either TLSv1.1 or TLSv1.0).

Phones with the most recent firmware (29.83.0.130 for the T42G) still provision correctly even after a factory reset.

Phones with older firmware (we had one in a box with 29.76.x.x) fail to provision, presumably because it does not actually support TLSv1.2 (release notes say it was introduced in 29.81.0.70). However, if we manually update the firmware to 29.83.0.130, they can also provision themselves.
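The disagreement in this thread comes down to what each phone actually negotiates, which the provisioning web server can record. The following is an added example, not part of any post above and not 3CX or Yealink code: it assumes an nginx access log whose format includes `$ssl_protocol`, and the log lines, paths, addresses, MACs and User-Agent strings are constructed.

```python
import re

# Constructed sample; assumed nginx log_format:
#   '$remote_addr $ssl_protocol "$request" $status "$http_user_agent"'
# Paths, addresses, MACs and User-Agent strings are made up for illustration.
SAMPLE_LOG = """\
192.0.2.11 TLSv1.2 "GET /prov/PLACEHOLDER/a.cfg HTTP/1.1" 200 "Yealink SIP-T42G 29.83.0.130 00:00:5e:00:53:01"
192.0.2.12 TLSv1 "GET /prov/PLACEHOLDER/b.cfg HTTP/1.1" 200 "Yealink SIP-T42G 29.76.0.1 00:00:5e:00:53:02"
192.0.2.13 TLSv1.2 "GET /prov/PLACEHOLDER/c.cfg HTTP/1.1" 200 "Yealink SIP-T46G 28.83.0.130 00:00:5e:00:53:03"
192.0.2.14 - "GET /prov/PLACEHOLDER/d.cfg HTTP/1.1" 200 "Yealink SIP-T48G 35.83.0.130 00:00:5e:00:53:04"
192.0.2.12 TLSv1.2 "GET /prov/PLACEHOLDER/b.cfg HTTP/1.1" 200 "Yealink SIP-T42G 29.83.0.130 00:00:5e:00:53:02"
192.0.2.15 TLSv1 "GET /prov/PLACEHOLDER/e.cfg HTTP/1.1" 200 "Yealink SIP-T42G 29.76.0.1 00:00:5e:00:53:05"
203.0.113.9 TLSv1.3 "GET / HTTP/1.1" 404 "curl/8.0"
"""

LINE = re.compile(
    r'^(?P<ip>\S+) (?P<proto>\S+) "[^"]*" (?P<status>\d{3}) '
    r'"Yealink (?P<model>\S+) (?P<fw>[\d.]+) (?P<mac>[0-9a-f:]{17})"$'
)
MODERN = {"TLSv1.2", "TLSv1.3"}

def verdict(proto):
    """Classify what the server saw the phone negotiate."""
    if proto == "-":
        return "plain-http"      # no TLS at all, so no evidence either way
    return "ok" if proto in MODERN else "legacy-tls"

def audit(log_text):
    """Return the latest observation per phone MAC (later lines win)."""
    phones = {}
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue             # not a Yealink provisioning request
        phones[m["mac"]] = {
            "model": m["model"], "firmware": m["fw"],
            "protocol": m["proto"], "verdict": verdict(m["proto"]),
        }
    return phones

def needs_attention(phones):
    """MACs that have not yet been seen negotiating TLS 1.2 or newer."""
    return sorted(mac for mac, p in phones.items() if p["verdict"] != "ok")

if __name__ == "__main__":
    report = audit(SAMPLE_LOG)
    for mac in needs_attention(report):
        print(mac, report[mac])
```

Run against real logs before tightening the server's TLS settings, the list it returns is the set of phones to firmware-update or provision manually first.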
 
I have just updated to U5, and so far find no issues with our T46G phones. They re-provision and reboot etc from the phones menu on the admin portal. We are using 28.83.0.130 firmware and the security.default_ssl_method = 5 option to enable TLS 1.2. CTI control works from the windows app. Haven't tried factory reset to provision from scratch but for an already provisioned phone I can't find any problems so far which is good news.
 
I'm assuming the provisioning is happening via local LAN and not SBC? And it's likely using a http link, not https?

 
Yes local LAN as per your screen shot above
 
So nice programmed obsolescence. When this happens to small clients with few phones to replace, it can be a commercial way to force them to change their phones, but when this is a bigger one with lots of the same phones it can quickly turn into a nightmare.

Companies are not ready to throw away their working fine devices every 3 or 5 years just to please us to follow new technical rules, even if this is justified. They hope to use them until it's really time to become e-waste.
 
It's really a question of whether Yealink should still be used at all. Such behavior is a disgrace for the customer and the environment anyway. I will certainly no longer recommend Yealink devices if there is no rethinking here. Devices used to be used for decades and worked well. Today we throw away devices after three years? It really can't be at a time like this.
 