[cisco-voip] CUCM 11.5(1)SU6, Port 6972 and EC Certs
Anthony Holloway
avholloway+cisco-voip at gmail.com
Wed Sep 4 12:09:20 EDT 2019
Thanks Ryan. When did this change exactly? I have been using 6972 for
pulling jabber-config.xml (and other TFTP files) off of the TFTP server for
a few years now, and this is the first time I've seen an EC cert presented
to me.
On Tue, Sep 3, 2019 at 10:02 PM Ryan Ratliff (rratliff) <rratliff at cisco.com>
wrote:
> TCP/6972 is hosted by the TFTP service specifically for secure download of
> configuration files and firmware (HTTPS using the Callmanager-EC cert) by
> endpoints. It’s using EC because only endpoints that support strong
> encryption will use support HTTPS downloads via TFTP.
>
> TCP/6970 is for the same as HTTP
>
> TCP/6971 is for the same as HTTPS using the Tomcat certificate (for Jabber)
>
>
> None of these are intended to be used by your browser, though it works
> perfectly well for testing and troubleshooting.
>
>
>
> Ryan Ratliff
>
> Manager, Cisco Cloud Collaboration TAC
>
> Standard Business Hours: 8:00AM-5:00PM EDT
> Email: rratliff at cisco.com
>
> Office: +1 919-476-2081
>
> Mobile: +1-919-225-0448
>
> Cisco U.S. Contact Numbers: +1-800-553-2447 or +1-408-526-7209
>
>
>
> *From: *cisco-voip <cisco-voip-bounces at puck.nether.net> on behalf of
> Anthony Holloway <avholloway+cisco-voip at gmail.com>
> *Date: *Tuesday, September 3, 2019 at 10:03 PM
> *To: *cisco-voip list <cisco-voip at puck.nether.net>
> *Subject: *[cisco-voip] CUCM 11.5(1)SU6, Port 6972 and EC Certs
>
>
>
> So, I just ran into something interesting where someone else took care of
> the certs for a CUCM I now have access to, and while the main CCMAdmin
> pages load fine in my browser with a full chain of trust, the 6972 page(s)
> are being delivered as EC certs, which were not signed, and thus, I get a
> warning in my browser.
>
>
>
> Now, I have other CUCM deployments under my belt where the Tomcat RSA
> certs are signed and EC not, because the default setting for CUCM is to not
> use EC certs until you tell it to. These deployments still present the RSA
> cert to me for 6972.
>
>
>
> The only difference is the SU6 part.
>
>
>
> I couldn't find anything in the release notes nor in the bug search, and
> so I'm wondering if any of you know what might be happening.
>
>
>
> I tried toggling the HTTP Ciphers from RSA only to All and back again, but
> that didn't work.
>
>
>
> I tried re-uploading the RSA cert chain, starting from root, and then back
> through the 2 intermediates (yes, three layers deep, it's a public CA
> chain).
>
>
>
> I've restarted Tomcat, I've deactivated/reactivate TFTP, I've rebooted the
> cluster, and I'm just at a loss. It's not that big of a deal, it just
> bothers me that I don't know why it's doing this.
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://puck.nether.net/pipermail/cisco-voip/attachments/20190904/f8518cbd/attachment.htm>
More information about the cisco-voip
mailing list