[cisco-voip] CUCM 11.5(1)SU6, Port 6972 and EC Certs

Brian Meade bmeade90 at vt.edu
Wed Sep 4 11:19:54 EDT 2019


Some customers of mine with Linux environments connect to the CCMAdmin
pages with the EC certs.  It's definitely a good idea to get those signed.

On Tue, Sep 3, 2019 at 11:06 PM Tim Smith <tim.smith at enject.com.au> wrote:

> Is it time to start getting our EC certs signed as well?
>
>
>
>
>
> *From: *cisco-voip <cisco-voip-bounces at puck.nether.net> on behalf of "
> cisco-voip at puck.nether.net" <cisco-voip at puck.nether.net>
> *Reply to: *"Ryan Ratliff (rratliff)" <rratliff at cisco.com>
> *Date: *Wednesday, 4 September 2019 at 1:02 pm
> *To: *Anthony Holloway <avholloway+cisco-voip at gmail.com>, "
> cisco-voip at puck.nether.net" <cisco-voip at puck.nether.net>
> *Subject: *Re: [cisco-voip] CUCM 11.5(1)SU6, Port 6972 and EC Certs
>
>
>
> TCP/6972 is hosted by the TFTP service specifically for secure download of
> configuration files and firmware (HTTPS using the Callmanager-EC cert) by
> endpoints. It’s using EC because only endpoints that support strong
> encryption will support HTTPS downloads via TFTP.
>
> TCP/6970 is for the same as HTTP
>
> TCP/6971 is for the same as HTTPS using the Tomcat certificate (for Jabber)
>
>
> None of these are intended to be used by your browser, though it works
> perfectly well for testing and troubleshooting.
>
>
>
> Ryan Ratliff
>
> Manager, Cisco Cloud Collaboration TAC
>
> Standard Business Hours: 8:00AM-5:00PM EDT
> Email: rratliff at cisco.com
>
> Office: +1 919-476-2081
>
> Mobile: +1-919-225-0448
>
> Cisco U.S. Contact Numbers: +1-800-553-2447 or +1-408-526-7209
>
>
>
> *From: *cisco-voip <cisco-voip-bounces at puck.nether.net> on behalf of
> Anthony Holloway <avholloway+cisco-voip at gmail.com>
> *Date: *Tuesday, September 3, 2019 at 10:03 PM
> *To: *cisco-voip list <cisco-voip at puck.nether.net>
> *Subject: *[cisco-voip] CUCM 11.5(1)SU6, Port 6972 and EC Certs
>
>
>
> So, I just ran into something interesting where someone else took care of
> the certs for a CUCM I now have access to, and while the main CCMAdmin
> pages load fine in my browser with a full chain of trust, the 6972 page(s)
> are being delivered as EC certs, which were not signed, and thus, I get a
> warning in my browser.
>
>
>
> Now, I have other CUCM deployments under my belt where the Tomcat RSA
> certs are signed and EC not, because the default setting for CUCM is to not
> use EC certs until you tell it to.  These deployments still present the RSA
> cert to me for 6972.
>
>
>
> The only difference is the SU6 part.
>
>
>
> I couldn't find anything in the release notes nor in the bug search, and
> so I'm wondering if any of you know what might be happening.
>
>
>
> I tried toggling the HTTP Ciphers from RSA only to All and back again, but
> that didn't work.
>
>
>
> I tried re-uploading the RSA cert chain, starting from root, and then back
> through the 2 intermediates (yes, three layers deep, it's a public CA
> chain).
>
>
>
> I've restarted Tomcat, I've deactivated/reactivated TFTP, I've rebooted the
> cluster, and I'm just at a loss.  It's not that big of a deal, it just
> bothers me that I don't know why it's doing this.
> _______________________________________________
> cisco-voip mailing list
> cisco-voip at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-voip
>
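The thread boils down to a question a browser answers only indirectly: which certificate (RSA or EC) a CUCM node presents on the TFTP-hosted HTTPS ports, and whether that certificate chains to a trusted root. The following Python script is an added example, not code from the thread, from Cisco, or from the list; it connects to TCP/6971 and TCP/6972 (the port roles are taken from Ryan's reply), verifies the chain against the local trust store the same way a browser would, and then reads the public-key algorithm straight out of the DER certificate so an EC leaf signed by an RSA CA is still reported as EC. The hostname is a placeholder you supply, and `build_synthetic_cert` builds a constructed, structurally minimal stand-in so the parser can be exercised offline.

```python
"""Probe CUCM's TFTP-hosted HTTPS ports: is the cert trusted, and is its key RSA or EC?"""
import socket
import ssl
import sys

# Port roles as described in the thread; 6970 is plain HTTP and is not probed here.
TFTP_HTTPS_PORTS = {6971: "Tomcat cert (Jabber)", 6972: "Callmanager-EC cert (endpoints)"}

OID_RSA = "1.2.840.113549.1.1.1"   # rsaEncryption
OID_EC = "1.2.840.10045.2.1"       # id-ecPublicKey


def _read_tlv(buf, pos):
    """Read one DER TLV at pos; return (tag, value_start, value_end, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length, pos + length


def _children(buf, start, end):
    """Yield (tag, value_start, value_end) for each element inside a constructed TLV."""
    pos = start
    while pos < end:
        tag, vs, ve, pos = _read_tlv(buf, pos)
        yield tag, vs, ve


def decode_oid(raw):
    """Decode DER OBJECT IDENTIFIER content bytes into dotted form."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def public_key_algorithm(der_cert):
    """Walk Certificate -> tbsCertificate -> subjectPublicKeyInfo -> algorithm OID."""
    _, cs, ce, _ = _read_tlv(der_cert, 0)                 # Certificate SEQUENCE
    tbs = next(_children(der_cert, cs, ce))                # tbsCertificate SEQUENCE
    fields = list(_children(der_cert, tbs[1], tbs[2]))
    if fields[0][0] == 0xA0:                               # optional [0] EXPLICIT version
        fields = fields[1:]
    spki = fields[5]                                       # serial, sigAlg, issuer, validity, subject, SPKI
    alg = next(_children(der_cert, spki[1], spki[2]))      # AlgorithmIdentifier SEQUENCE
    oid = next(_children(der_cert, alg[1], alg[2]))        # OBJECT IDENTIFIER
    return decode_oid(der_cert[oid[1]:oid[2]])


def key_type(der_cert):
    """'RSA', 'EC' or 'other', read from the SPKI rather than the signature algorithm."""
    return {OID_RSA: "RSA", OID_EC: "EC"}.get(public_key_algorithm(der_cert), "other")


def inspect_port(host, port, timeout=5.0):
    """Connect like a browser would; report chain trust and the leaf's key type."""
    result = {"port": port, "role": TFTP_HTTPS_PORTS.get(port, "unknown")}
    ctx = ssl.create_default_context()                     # system trust store, hostname check on
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                der = tls.getpeercert(binary_form=True)
        result["verified"] = True
    except ssl.SSLCertVerificationError:
        result["verified"] = False                         # same condition that shows the browser warning
        ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE   # fetch the cert anyway to classify it
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                der = tls.getpeercert(binary_form=True)
    result["key_type"] = key_type(der)
    return result


def _der(tag, body):
    """Minimal DER TLV encoder used only to construct test input."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    nb = (n.bit_length() + 7) // 8
    return bytes([tag, 0x80 | nb]) + n.to_bytes(nb, "big") + body


def build_synthetic_cert(alg_oid):
    """Constructed stand-in (not a real certificate) whose SPKI carries alg_oid and whose
    signature algorithm is sha256WithRSAEncryption, mimicking an EC leaf signed by an RSA CA."""
    seq = 0x30
    version = _der(0xA0, _der(0x02, b"\x02"))
    serial = _der(0x02, b"\x01")
    sig_alg = _der(seq, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))
    name = _der(seq, b"")
    validity = _der(seq, _der(0x17, b"190101000000Z") * 2)
    spki = _der(seq, _der(seq, _der(0x06, alg_oid)) + _der(0x03, b"\x00\x00"))
    tbs = _der(seq, version + serial + sig_alg + name + validity + name + spki)
    return _der(seq, tbs + sig_alg + _der(0x03, b"\x00\x00"))


if __name__ == "__main__":
    cucm_host = sys.argv[1] if len(sys.argv) > 1 else "cucm-pub.example.invalid"   # placeholder
    for p in TFTP_HTTPS_PORTS:
        print(inspect_port(cucm_host, p))
```

Run it as `python3 probe.py <cucm-host>`; a line showing `verified: False` with `key_type: 'EC'` on 6972 is the exact condition Anthony described, and the fix is to get the Callmanager-EC certificate signed, as the replies recommend, rather than to touch the RSA chain again.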