[cisco-voip] CUCM 11.5 Tomcat Service SSL Certificate Issue
Gary Parker
G.J.Parker at lboro.ac.uk
Tue May 16 12:24:00 EDT 2017
Afternoon all, I’ve got a problem here with Jabber and CUCM SSL certificates.
Basic question: should the tomcat service on CUCM 11.5, with an installed CA root, intermediate and server certificate, be offering a full certificate chain on connection (in our case root, intermediate and server certificate) or just the server certificate?
Until recently we were operating CUCM 8.6.2 with a pair of CUP servers and Jabber clients connecting for IM&P and softphone. All servers were configured with CA provided certs and working just fine.
We recently upgraded our cluster to 11.5 and installed fresh CA certs, along with their respective root and intermediate certificates, on the publisher, subscribers and the two IM&P nodes. Everything is working fine except that our Jabber clients (both Mac and Windows) now all complain that the CUCM subscribers are handing out invalid certificates.
Connecting to the tomcat service on our CUCM server with 'openssl s_client -showcerts -connect <hostname:8443>' clearly shows only the server certificate being returned, while issuing the same command against our IM&P and Unity Connection servers returns the full certificate chain.
Running the testssl script (https://testssl.sh/) against the CUCM nodes also reports 'Chain of trust - NOT ok (chain incomplete)', while it is successful against the CUC and IM&P nodes.
I’ve raised this issue with our support provider, who has escalated to TAC. TAC report that this is expected behaviour and the fix is to install the intermediate certificate on all our clients (the root is already present as it’s a CA). This doesn’t work for me as:
- the behaviour of the tomcat service on CUCM 11.5 with SSL cert chain handling is inconsistent with industry standard practices
- while we could push out the intermediate certificates to our managed service, this still leaves potentially thousands of unmanaged machines needing the intermediate certificate (we are a large HE institution with many BYOD devices)
- we would still be in a position of having to advise users to accept an untrusted certificate, which is bad security practice
I’d really appreciate others’ experience in this area. Regardless of whether you’re running Jabber or not, do your CUCM nodes, with CA certs installed for tomcat, hand out a full certificate chain or just the server cert? My knowledge of SSL suggests that this is just plain broken, but TAC are trying to pass this off as expected behaviour.
---
/-Gary Parker----------------------------------f--\
| Unified Communications Service Manager |
n Loughborough University, IT Services |
| tel:+441509635635 sip:gary at lboro.ac.uk o
| http://delphium.lboro.ac.uk/pubkey.txt |
\r----------------------------------------------d-/
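Added example (not part of Gary's post or any Cisco tooling): a small Python script that reproduces the check he describes, parsing the "Certificate chain" section that `openssl s_client -showcerts` prints and walking it the way a client would. The two sample outputs are constructed to mimic s_client's format, with hypothetical host and CA names; real output would be captured from `openssl s_client -showcerts -connect host:8443 </dev/null`. A chain is "complete" only if each certificate's issuer is the subject of the next certificate sent, and the last one is either self-signed or issued by something already in the client's trust store. That is exactly why a CUCM node that sends only its leaf is reported as "chain incomplete" while the IM&P node that sends leaf, intermediate and root is not, and why TAC's workaround (installing the intermediate on every client) makes the same leaf-only chain verify, but only on clients that have it.

```python
"""Is the TLS server presenting a complete certificate chain?

Parses the "Certificate chain" section printed by `openssl s_client -showcerts`
(the " 0 s:..." / "   i:..." lines) and walks it the way a client would:
each certificate's issuer must be the subject of the next one, and the last
certificate must be self-signed or be issued by a root the client already
trusts.  Anything else is the "chain incomplete" that testssl.sh reports.
Names are compared as the strings s_client renders them; a real verifier
matches DER names / AKI-SKI and checks signatures, which this does not do.
"""
import re
from dataclasses import dataclass
from typing import List, Set

_SUBJECT_RE = re.compile(r"^\s*(\d+)\s+s:(.*)$")
_ISSUER_RE = re.compile(r"^\s+i:(.*)$")


@dataclass
class ChainEntry:
    depth: int
    subject: str
    issuer: str


@dataclass
class Verdict:
    complete: bool   # every link up to a root was sent or is locally known
    trusted: bool    # ... and that root is in the client's trust store
    reason: str


def parse_showcerts(text: str) -> List[ChainEntry]:
    """Extract (depth, subject, issuer) triples from s_client -showcerts output."""
    entries, pending = [], None
    for line in text.splitlines():
        m = _SUBJECT_RE.match(line)
        if m:
            pending = (int(m.group(1)), m.group(2).strip())
            continue
        m = _ISSUER_RE.match(line)
        if m and pending is not None:
            entries.append(ChainEntry(*pending, m.group(1).strip()))
            pending = None
    return entries


def count_pem_blocks(text: str) -> int:
    """The quick grep: how many certificates did the server actually send?"""
    return text.count("-----BEGIN CERTIFICATE-----")


def check_chain(entries: List[ChainEntry], trust_store: Set[str]) -> Verdict:
    """Walk the presented chain against a set of trusted CA subject names."""
    if not entries:
        return Verdict(False, False, "no certificates presented")
    for cur, nxt in zip(entries, entries[1:]):
        if cur.issuer != nxt.subject:
            return Verdict(False, False, f"depth {cur.depth} issuer {cur.issuer!r} "
                                         f"is not depth {nxt.depth} subject")
    last = entries[-1]
    if last.subject == last.issuer:            # server sent the root itself
        return Verdict(True, last.subject in trust_store, "chain ends in a self-signed root")
    if last.issuer in trust_store:             # client can close the chain locally
        return Verdict(True, True, f"chain ends at locally trusted {last.issuer!r}")
    return Verdict(False, False, f"chain incomplete: {last.issuer!r} was not sent "
                                 f"and is not in the trust store")


# Constructed sample output in s_client -showcerts format (placeholder PEM bodies).
ROOT = "C = GB, O = Example CA, CN = Example Root CA"
INTERMEDIATE = "C = GB, O = Example CA, CN = Example Intermediate CA"
PEM = "-----BEGIN CERTIFICATE-----\nMIIC(constructed placeholder)\n-----END CERTIFICATE-----\n"

CUCM_OUTPUT = (  # tomcat on a CUCM subscriber: leaf only
    "CONNECTED(00000003)\n"
    "depth=0 C = GB, O = Example University, CN = cucm-sub1.example.ac.uk\n"
    "verify error:num=20:unable to get local issuer certificate\n"
    "---\nCertificate chain\n"
    " 0 s:C = GB, O = Example University, CN = cucm-sub1.example.ac.uk\n"
    f"   i:{INTERMEDIATE}\n" + PEM + "---\n"
)
IMP_OUTPUT = (  # IM&P node: leaf, intermediate and root
    "CONNECTED(00000003)\n---\nCertificate chain\n"
    " 0 s:C = GB, O = Example University, CN = imp1.example.ac.uk\n"
    f"   i:{INTERMEDIATE}\n" + PEM +
    f" 1 s:{INTERMEDIATE}\n   i:{ROOT}\n" + PEM +
    f" 2 s:{ROOT}\n   i:{ROOT}\n" + PEM + "---\n"
)
ROOT_ONLY = {ROOT}                          # a stock client: public root, no intermediate
WITH_INTERMEDIATE = {ROOT, INTERMEDIATE}    # TAC's workaround applied on this client


if __name__ == "__main__":
    for name, out in (("CUCM", CUCM_OUTPUT), ("IM&P", IMP_OUTPUT)):
        v = check_chain(parse_showcerts(out), ROOT_ONLY)
        print(f"{name}: {count_pem_blocks(out)} cert(s) sent, complete={v.complete}, {v.reason}")
    print("CUCM with intermediate installed:", check_chain(parse_showcerts(CUCM_OUTPUT), WITH_INTERMEDIATE))
```

Run against real captures, the script gives the same answer as testssl.sh: the leaf-only CUCM chain fails on every client that does not already hold the intermediate, whatever TAC calls expected behaviour.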