[cisco-voip] UCCX and TLS versions

Abhiram Kramadhati (akramadh) akramadh at cisco.com
Wed Aug 31 20:55:30 EDT 2016


Hi Kevin,

There is a defect tracking this: CSCva68233, and we hope to fix this in 11.6. Once done, we can evaluate if it can be backported. Could you share the TAC case number so that I can add a note in the case?

Regards,
Abhiram Kramadhati
Technical Solutions Manager, CCBU
CCIE Collaboration # 40065

From: cisco-voip <cisco-voip-bounces at puck.nether.net> on behalf of "Damisch, Kevin" <Kevin.Damisch at oneneck.com>
Date: Wednesday, 31 August 2016 at 11:45 PM
To: "cisco-voip at puck.nether.net" <cisco-voip at puck.nether.net>
Subject: [cisco-voip] UCCX and TLS versions

Customer is running UCCX 10.6(1). We have some "HTTP Request" actions within a Finesse workflow that point to one of the customer's internal web servers. Looking at the packet capture taken from UCCX when this workflow runs, we can see UCCX sending the https request with a TLS 1.0 hello packet. The customer's web server then replies with a TLS handshake error because it only supports TLS 1.1 or higher. We also noticed the same thing occurring with a custom gadget in the Finesse desktop layout, which points to a web server handled by an F5 load balancer. The F5 rejects it with the same TLS handshake error.

Other than having the customer enable TLS 1.0 on their servers, what options do we have on the UCCX side?  Does UCCX 11.x still send TLS 1.0 on http requests?  I've had a TAC case open for a while and don't have an answer yet.  Just to be clear, I'm aware of the forum posts out there about verifying the TLS version with IE and Firefox.  That isn't what I'm talking about.  I'm not talking about using a browser to get *to* UCCX.  I'm talking about UCCX *sourcing* the https request, such as in a workflow action, destined for another web server.  That is the direction where we are seeing UCCX send TLS 1.0 hello packets that we want and need to be TLS 1.1 or higher to satisfy the customer's security requirements.

Thanks!
Kevin Damisch
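
The check described in the question above, confirming from a capture which TLS version an outbound ClientHello actually offers, as an added example that is not part of either message and not Cisco code. The function names and the sample bytes are constructed for illustration; it assumes the ClientHello fits in one unfragmented record, and it reads the hello's client_version and supported_versions fields rather than the record-layer version, which clients commonly leave at 0x0301.

```python
import struct

TLS_NAMES = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1",
             0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}

def max_offered_version(record: bytes) -> int:
    """Highest protocol version offered by one unfragmented ClientHello record."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs_len = int.from_bytes(record[6:9], "big")
    hello = record[9:9 + hs_len]
    if hs_len + 4 > rec_len or len(hello) != hs_len:
        raise ValueError("ClientHello is truncated or spans several records")
    try:
        version = struct.unpack("!H", hello[:2])[0]            # client_version
        pos = 2 + 32                                           # skip version + random
        pos += 1 + hello[pos]                                  # session_id
        pos += 2 + struct.unpack("!H", hello[pos:pos + 2])[0]  # cipher_suites
        pos += 1 + hello[pos]                                  # compression_methods
    except (IndexError, struct.error):
        raise ValueError("malformed ClientHello") from None
    pos += 2                                                   # extensions length field
    while pos + 4 <= len(hello):
        etype, elen = struct.unpack("!HH", hello[pos:pos + 4])
        data = hello[pos + 4:pos + 4 + elen]
        if etype == 0x002B and data:                           # supported_versions
            listed = [int.from_bytes(data[i:i + 2], "big")
                      for i in range(1, min(1 + data[0], len(data)) - 1, 2)]
            known = [v for v in listed if v in TLS_NAMES]      # drops GREASE values
            if known:
                version = max(known)                           # overrides client_version
        pos += 4 + elen
    return version

def meets_minimum(record: bytes, minimum: int = 0x0302) -> bool:
    """True when the hello offers at least `minimum` (default TLS 1.1)."""
    return max_offered_version(record) >= minimum

def sample_hello(client_version: int, extensions: bytes = b"") -> bytes:
    """Constructed sample ClientHello record, not taken from any real capture."""
    body = struct.pack("!H", client_version) + bytes(32) + b"\x00"
    body += struct.pack("!H", 2) + b"\x00\x2f" + b"\x01\x00"
    if extensions:
        body += struct.pack("!H", len(extensions)) + extensions
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs
```

Feed it the raw TCP payload bytes of the first client-to-server segment exported from the capture; a result of 0x0301 means the client offered nothing above TLS 1.0.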
