[cisco-voip] CUCM 11.5 Tomcat Service SSL Certificate Issue

Brian Meade bmeade90 at vt.edu
Tue May 16 13:57:13 EDT 2017


Do you see the full chain in just a web browser?  My experience has shown
it will show the full chain as long as you upload Root then Intermediate as
a trust then server cert so it can find the full chain.  Older versions had
you manually specify the root cert when uploading but now this is searched
for automatically.

On Tue, May 16, 2017 at 12:24 PM, Gary Parker <G.J.Parker at lboro.ac.uk>
wrote:

> Afternoon all, I’ve got a problem here with Jabber and CUCM SSL
> certificates.
>
> Basic question: should the tomcat service on CUCM 11.5, with an installed
> CA root, intermediate and server certificate, be offering a full
> certificate chain on connection (in our case root, intermediate and server
> certificate) or just the server certificate?
>
> Until recently we were operating CUCM 8.6.2 with a pair of CUP servers and
> Jabber clients connecting for IM&P and softphone. All servers were
> configured with CA provided certs and working just fine.
>
> We recently upgraded our cluster to 11.5 and installed fresh CA certs,
> along with their respective root and intermediate certificates on
> publisher, subscribers and the two IM&P nodes. Everything is working fine
> except that our Jabber clients (both Mac and Windows) now all complain that
> the CUCM subscribers are handing out invalid certificates.
>
> Connecting to the tomcat service on our CUCM server with 'openssl s_client
> -showcerts -connect <hostname:8443>' clearly shows only the server
> certificate being returned, while issuing the same command against our IM&P
> and Unity Connection servers returns the full certificate chain.
>
> Running the testssl script (https://testssl.sh/) against the CUCM nodes
> also reports 'Chain of trust - NOT ok (chain incomplete)', while it is
> successful against the CUC and IM&P nodes.
>
> I’ve raised this issue with our support provider, who has escalated to
> TAC. TAC report that this is expected behaviour and the fix is to install
> the intermediate certificate on all our clients (the root is already
> present as it’s a CA). This doesn’t work for me as:
>
> - the behaviour of the tomcat service on CUCM 11.5 with SSL cert chain
> handling is inconsistent with industry standard practices
>
> - while we could push out the intermediate certificates to our managed
> service, this still leaves potentially thousands of unmanaged machines
> needing the intermediate certificate (we are a large HE institution with
> many BYOD devices)
>
> - we would still be in a position of having to advise users to accept an
> untrusted certificate, which is bad security practice
>
> I’d really appreciate others’ experience in this area. Regardless of
> whether you’re running Jabber or not, do your CUCM nodes, with CA certs
> installed for tomcat, hand out a full certificate chain or just the server
> cert? My knowledge of SSL suggests that this is just plain broken, but TAC
> are trying to pass this off as expected behaviour.
>
>
> ---
> Gary Parker
> Unified Communications Service Manager
> Loughborough University, IT Services
> tel:+441509635635 sip:gary at lboro.ac.uk
> http://delphium.lboro.ac.uk/pubkey.txt
>
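As an added illustration (not from Brian's or Gary's messages, and not Cisco's code), the script below builds a throwaway Root -> Intermediate -> Server hierarchy with the openssl CLI and reproduces the two outcomes described in the thread: a client that trusts only the root CA fails to validate the Tomcat leaf when the server presents only that leaf, and succeeds when the intermediate is presented alongside it or is pre-installed on the client (TAC's workaround). All names and the hostname are constructed; it needs only the openssl binary and runs offline.

```shell
#!/bin/sh
# Constructed demo (not from the thread): a throwaway Root -> Intermediate -> Server
# hierarchy showing why a client that trusts only the root CA rejects the Tomcat
# leaf cert unless the intermediate is presented in the handshake or installed locally.
set -e
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT; cd "$WORK"
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:cucm-sub1.example.test\n' > leaf.ext

# Root CA (self-signed): the only certificate our simulated Jabber client trusts.
openssl req -new -newkey rsa:2048 -nodes -keyout root.key -out root.csr \
  -subj "/CN=Example Root CA" 2>/dev/null
openssl x509 -req -in root.csr -signkey root.key -extfile ca.ext -days 2 \
  -out root.pem 2>/dev/null
# Intermediate CA, signed by the root.
openssl req -new -newkey rsa:2048 -nodes -keyout inter.key -out inter.csr \
  -subj "/CN=Example Intermediate CA" 2>/dev/null
openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -extfile ca.ext -days 2 -out inter.pem 2>/dev/null
# Tomcat server leaf, signed by the intermediate (hostname is made up).
openssl req -new -newkey rsa:2048 -nodes -keyout server.key -out server.csr \
  -subj "/CN=cucm-sub1.example.test" 2>/dev/null
openssl x509 -req -in server.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
  -extfile leaf.ext -days 2 -out server.pem 2>/dev/null

# What the server could hand out: leaf only (what s_client -showcerts showed on
# CUCM Tomcat) versus leaf plus intermediate (what IM&P and CUC returned).
cp server.pem leaf_only.pem
cat server.pem inter.pem > leaf_plus_inter.pem

# Number of certificates in a presented chain, as -showcerts would list them.
count_presented() { grep -c 'BEGIN CERTIFICATE' "$1"; }

# Client that trusts only the root CA: it must find the intermediate among the
# certificates the server sent ($1), or the chain is incomplete and verify fails.
client_with_root_only() {
  openssl verify -CAfile root.pem -untrusted "$1" server.pem >/dev/null 2>&1
}

# TAC's workaround: the intermediate is pre-installed in the client's own trust
# store, so even a leaf-only handshake validates. Has to be done on every device.
client_with_root_and_inter() {
  cat root.pem inter.pem > client_store.pem
  openssl verify -CAfile client_store.pem -untrusted "$1" server.pem >/dev/null 2>&1
}

for chain in leaf_only.pem leaf_plus_inter.pem; do
  client_with_root_only "$chain" && s=trusted || s="NOT trusted (chain incomplete)"
  echo "$chain: $(count_presented "$chain") cert(s), root-only client: $s"
done
```

The network-side equivalent is the check Gary ran, `openssl s_client -showcerts -connect <hostname:8443>`, whose output can be fed to the same `openssl verify` call with the CA's root as the only trusted certificate.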

