[cisco-voip] CUCM 11.5(1)SU6, Port 6972 and EC Certs

Ryan Ratliff (rratliff) rratliff at cisco.com
Wed Sep 4 14:05:05 EDT 2019


Remember the cert presentation in a TLS setup happens after the server knows the client’s capabilities.

Try with a browser or ssl client that doesn’t support EC and see if you get the RSA cert.

Ryan Ratliff
Manager, Cisco Cloud Collaboration TAC
Standard Business Hours: 8:00AM-5:00PM EDT
Email: rratliff at cisco.com
Office: +1 919-476-2081
Mobile: +1-919-225-0448
Cisco U.S. Contact Numbers: +1-800-553-2447 or +1-408-526-7209

From: Brian Meade <bmeade90 at vt.edu>
Date: Wednesday, September 4, 2019 at 1:59 PM
To: Anthony Holloway <avholloway+cisco-voip at gmail.com>
Cc: Tim Smith <tim.smith at enject.com.au>, Ryan Ratliff <rratliff at cisco.com>, cisco-voip list <cisco-voip at puck.nether.net>
Subject: Re: [cisco-voip] CUCM 11.5(1)SU6, Port 6972 and EC Certs

This was on an 11.5 cluster without that setting changed from default.  I'm wondering if that setting doesn't potentially change it everywhere.

On Wed, Sep 4, 2019 at 12:18 PM Anthony Holloway <avholloway+cisco-voip at gmail.com> wrote:
So Brian, you (or someone) has then changed the HTTPS Ciphers Enterprise Parameter to use EC certs then?  Because that's not the default setting.

On Wed, Sep 4, 2019 at 10:20 AM Brian Meade <bmeade90 at vt.edu> wrote:
Some customers of mine with Linux environments connect to the CCMAdmin pages with the EC certs.  It's definitely a good idea to get those signed.

On Tue, Sep 3, 2019 at 11:06 PM Tim Smith <tim.smith at enject.com.au> wrote:
Is it time to start getting our EC certs signed as well?


From: cisco-voip <cisco-voip-bounces at puck.nether.net> on behalf of "cisco-voip at puck.nether.net" <cisco-voip at puck.nether.net>
Reply to: "Ryan Ratliff (rratliff)" <rratliff at cisco.com>
Date: Wednesday, 4 September 2019 at 1:02 pm
To: Anthony Holloway <avholloway+cisco-voip at gmail.com>, "cisco-voip at puck.nether.net" <cisco-voip at puck.nether.net>
Subject: Re: [cisco-voip] CUCM 11.5(1)SU6, Port 6972 and EC Certs

TCP/6972 is hosted by the TFTP service specifically for secure download of configuration files and firmware (HTTPS using the Callmanager-EC cert) by endpoints. It’s using EC because only endpoints that support strong encryption will support HTTPS downloads via TFTP.
TCP/6970 is for the same as HTTP
TCP/6971 is for the same as HTTPS using the Tomcat certificate (for Jabber)

None of these are intended to be used by your browser, though it works perfectly well for testing and troubleshooting.

Ryan Ratliff
Manager, Cisco Cloud Collaboration TAC
Standard Business Hours: 8:00AM-5:00PM EDT
Email: rratliff at cisco.com
Office: +1 919-476-2081
Mobile: +1-919-225-0448
Cisco U.S. Contact Numbers: +1-800-553-2447 or +1-408-526-7209

From: cisco-voip <cisco-voip-bounces at puck.nether.net> on behalf of Anthony Holloway <avholloway+cisco-voip at gmail.com>
Date: Tuesday, September 3, 2019 at 10:03 PM
To: cisco-voip list <cisco-voip at puck.nether.net>
Subject: [cisco-voip] CUCM 11.5(1)SU6, Port 6972 and EC Certs

So, I just ran into something interesting where someone else took care of the certs for a CUCM I now have access to, and while the main CCMAdmin pages load fine in my browser with a full chain of trust, the 6972 page(s) are being delivered as EC certs, which were not signed, and thus, I get a warning in my browser.

Now, I have other CUCM deployments under my belt where the Tomcat RSA certs are signed and EC not, because the default setting for CUCM is to not use EC certs until you tell it to.  These deployments still present the RSA cert to me for 6972.

The only difference is the SU6 part.

I couldn't find anything in the release notes nor in the bug search, and so I'm wondering if any of you know what might be happening.

I tried toggling the HTTP Ciphers from RSA only to All and back again, but that didn't work.

I tried re-uploading the RSA cert chain, starting from root, and then back through the 2 intermediates (yes, three layers deep, it's a public CA chain).

I've restarted Tomcat, I've deactivated/reactivated TFTP, I've rebooted the cluster, and I'm just at a loss.  It's not that big of a deal, it just bothers me that I don't know why it's doing this.
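Ryan's check from the top of the thread, as an added example that is not part of the thread itself: with openssl s_client the client offers only RSA-authenticated (aRSA) or only ECDSA-authenticated (aECDSA) TLS 1.2 cipher suites, and the script reports which certificate type the server on 6972 answers with. The host name is a placeholder; TLS 1.2 is forced because the -cipher list (not the TLS 1.3 -ciphersuites list) is what encodes the authentication type the client can accept.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. Shows whether a CUCM node
# hands out the RSA or the EC certificate on a port depending on what the
# client advertises in its ClientHello. cucm.example.com is a placeholder.

# algo_of_pem: read one PEM certificate on stdin, print its public key
# algorithm as openssl names it (rsaEncryption or id-ecPublicKey).
algo_of_pem() {
    openssl x509 -noout -text 2>/dev/null \
      | sed -n 's/^ *Public Key Algorithm: *//p' | head -n 1
}

# classify ALGO: short label for the algorithm name, "unknown" otherwise.
classify() {
    case $1 in
        rsaEncryption)  echo RSA ;;
        id-ecPublicKey) echo EC ;;
        *)              echo unknown ;;
    esac
}

# probe HOST PORT CIPHERS: handshake with only CIPHERS offered (TLS 1.2 so the
# -cipher string decides the authentication type) and print the leaf cert's
# public key algorithm. Empty output means no cert / handshake refused.
probe() {
    printf '' | openssl s_client -connect "$1:$2" -servername "$1" \
        -tls1_2 -cipher "$3" 2>/dev/null | algo_of_pem
}

main() {
    host=${1:-cucm.example.com}   # placeholder; pass the real node as $1
    port=${2:-6972}
    for c in aRSA aECDSA; do
        algo=$(probe "$host" "$port" "$c")
        printf 'client offers %-6s -> server cert: %s (%s)\n' \
            "$c" "$(classify "$algo")" "${algo:-no certificate or handshake failed}"
    done
}

# Only probe when a host was given, so the functions can be sourced alone.
if [ $# -gt 0 ]; then main "$@"; fi
```

If aRSA yields an RSA certificate and aECDSA yields an EC one, the server holds both and the browser's own cipher and signature-algorithm preferences decide which you see; if aRSA returns nothing at all, the port is EC-only.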