[cisco-voip] cnf.xml.sgn for non-secure cluster?

Ed Leatherman ealeatherman at gmail.com
Mon May 21 16:35:19 EDT 2012


Per my understanding, being on CUCM 8+ implies security-by-default is in
use and your phone is going to get an ITL file and thus request signed
config files:

https://supportforums.cisco.com/docs/DOC-17679

Security By Default provides these three functions for supported IP Phones:

   1. Default authentication of TFTP downloaded files (configuration,
   locale, ringlist, etc) using a signing key.
   2. Optional encryption of TFTP configuration files using a signing key.
   3. Certificate verification for phone initiated HTTPS connections using
   a remote certificate trust store on Communications Manager (Trust
   Verification Service).


On Mon, May 21, 2012 at 4:28 PM, Ovidiu Popa <ovi.popa at gmail.com> wrote:

>  My understanding is that ITL is required for several reasons:
> - used to store the trusted certificates required for the TLS session to
> the TVS web service (not related to cluster mixed mode as https web
> services can be activated even if the cluster is unsecure)
> - used to validate file signatures (only if the cluster is in mixed mode)
>
> If this is correct I think it is normal that I have an ITL file but my
> question still stands: how come the phone requests a signed file if the
> cluster is not secure?
>
> Thanks,
> Ovidiu
>
>
>
>
> On 21/May/12 8:03 PM, Ed Leatherman wrote:
>
> Hello,
>
>  My understanding is that the phone requests a CTL or ITL file when it
> boots. If it ever actually gets a CTL or ITL file, from that point on it
> will always request a signed configuration file, unless the CTL or ITL
> files are manually deleted from the phone. If I'm incorrect hopefully
> someone will chime in :)
>
>  Ed
>
> On Mon, May 21, 2012 at 1:12 PM, Ovidiu Popa <ovi.popa at gmail.com> wrote:
>
>> Hello everyone
>>
>>  Anyone know how a phone detects if it needs to download a signed or
>> unsigned configuration file?
>>
>>  I have a few phones that keep requesting a signed file even though the
>> cluster is not in mixed mode and I cannot identify why they behave this
>> way. Does the ITL file contain information about the cluster security mode?
>>
>>  The phone logs say that the TFTP server is secure and keep trying for
>> the cnf.xml.sgn files. Where does it get this information?
>>
>>  Thanks for any input.
>>
>>  Regards.
>>  Ovidiu
>>
>
>
>  --
> Ed Leatherman
>
>
>


-- 
Ed Leatherman
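
An added example, not part of the original thread or of any Cisco tooling: a small classifier that reads TFTP request lines and reports which phones only ever ask for the signed configuration, which per the discussion above indicates a phone holding a CTL or ITL. The log line format is constructed, and the file name patterns ([CTL|ITL]SEP<MAC>.tlv, SEP<MAC>.cnf.xml and SEP<MAC>.cnf.xml.sgn) are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: "<client-ip> <requested-file>" per line. This is NOT the
# real CUCM TFTP trace format; adapt the regex to whatever your capture emits.
SAMPLE_LOG = """\
10.1.1.20 CTLSEP001122334455.tlv
10.1.1.20 ITLSEP001122334455.tlv
10.1.1.20 SEP001122334455.cnf.xml.sgn
10.1.1.21 CTLSEP00AABBCCDDEE.tlv
10.1.1.21 ITLSEP00AABBCCDDEE.tlv
10.1.1.21 SEP00AABBCCDDEE.cnf.xml
10.1.1.22 SEP0099887766AA.cnf.xml.sgn
10.1.1.22 SEP0099887766AA.cnf.xml.sgn
garbage line that should be skipped
"""

# Assumed file naming: [CTL|ITL]SEP<MAC>.tlv for trust lists,
# SEP<MAC>.cnf.xml(.sgn) for unsigned (signed) configuration.
REQ = re.compile(
    r"^(?P<ip>\S+)\s+(?P<kind>CTL|ITL)?SEP(?P<mac>[0-9A-Fa-f]{12})"
    r"(?P<ext>\.tlv|\.cnf\.xml\.sgn|\.cnf\.xml)$"
)

def classify(log_text):
    """Return {MAC: {"config": verdict, "trust_lists": [...]}} per phone."""
    cfg, tl = defaultdict(set), defaultdict(set)
    for line in log_text.splitlines():
        m = REQ.match(line.strip())
        if not m:
            continue  # not a phone trust-list or config request
        mac, kind, ext = m["mac"].upper(), m["kind"], m["ext"]
        if kind and ext == ".tlv":
            tl[mac].add(kind)
        elif not kind and ext != ".tlv":
            cfg[mac].add("signed" if ext.endswith(".sgn") else "unsigned")
    out = {}
    for mac in set(cfg) | set(tl):
        kinds = cfg.get(mac, set())
        verdict = ("mixed" if len(kinds) == 2 else
                   f"{next(iter(kinds))}-only" if kinds else "no-config-request")
        out[mac] = {"config": verdict, "trust_lists": sorted(tl.get(mac, set()))}
    return out

def signed_only_devices(log_text):
    """Phones that only asked for .cnf.xml.sgn, i.e. likely hold a CTL or ITL."""
    return sorted(m for m, v in classify(log_text).items() if v["config"] == "signed-only")

if __name__ == "__main__":
    for mac in signed_only_devices(SAMPLE_LOG):
        print(mac, classify(SAMPLE_LOG)[mac])
```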