[cisco-voip] Field Notice from Cisco making Secure LDAP mandatory

Anthony Holloway avholloway+cisco-voip at gmail.com
Fri Feb 14 10:17:27 EST 2020


Well, slap my ass and call me Sally.  I change an existing secure LDAP
setup from FQDN to IP Address and it still works.

I'd be curious to know why it functions this way.  Seems like an
opportunity to exploit the Authentication facet of SSL.

*"In addition to encryption, a proper SSL certificate also provides
authentication. This means you can be sure that you are sending information
to the right server and not to an imposter trying to steal your
information."*

Source: Why SSL? The Purpose of using SSL Certificates
<https://www.sslshopper.com/why-ssl-the-purpose-of-using-ssl-certificates.html>

On Thu, Feb 13, 2020 at 1:32 PM Anthony Holloway <
avholloway+cisco-voip at gmail.com> wrote:

> That's interesting to know.  How did you learn that?
>
> On Thu, Feb 13, 2020 at 12:30 PM Brian Meade <bmeade90 at vt.edu> wrote:
>
>> CUCM doesn't check the names, just that the chain is trusted.
>>
>> On Sun, Feb 9, 2020 at 5:23 PM Matthew Loraditch <
>> MLoraditch at heliontechnologies.com> wrote:
>>
>>> Interesting. Our root cert is and has been loaded, but I’m still using
>>> just the IPs so normally that would make the handshake fail.
>>>
>>> Get Outlook for iOS <https://aka.ms/o0ukef>
>>>
>>> Matthew Loraditch​
>>> Sr. Network Engineer
>>> p: *443.541.1518* <443.541.1518>
>>> w: *www.heliontechnologies.com* <http://www.heliontechnologies.com/>  |
>>> e: *MLoraditch at heliontechnologies.com*
>>> <MLoraditch at heliontechnologies.com>
>>> [image: Helion Technologies] <http://www.heliontechnologies.com/>
>>> [image: Facebook] <https://facebook.com/heliontech>
>>> [image: Twitter] <https://twitter.com/heliontech>
>>> [image: LinkedIn] <https://www.linkedin.com/company/helion-technologies>
>>> ------------------------------
>>> *From:* Lelio Fulgenzi <lelio at uoguelph.ca>
>>> *Sent:* Sunday, February 9, 2020 5:15:40 PM
>>> *To:* Matthew Loraditch <MLoraditch at heliontechnologies.com>
>>> *Cc:* James Buchanan <james.buchanan2 at gmail.com>; voyp list, cisco-voip
>>> (cisco-voip at puck.nether.net) <cisco-voip at puck.nether.net>
>>> *Subject:* Re: [cisco-voip] Field Notice from Cisco making Secure LDAP
>>> mandatory
>>>
>>>
>>> [EXTERNAL]
>>>
>>>
>>> I couldn’t get secure ldap to work without loading the certificates from
>>> the AD servers. I also had more luck using the global catalog ports.
>>>
>>> Sent from my iPhone
>>>
>>> On Feb 9, 2020, at 5:05 PM, Matthew Loraditch <
>>> MLoraditch at heliontechnologies.com> wrote:
>>>
>>> I was wondering if they were going to post anything as it’s very unclear
>>> if ldap over tls was the fix.
>>>
>>> Apparently (and amen) it is. Did it on our office system last week to
>>> see if it would work without any certificate needs. It just worked and
>>> during a save it will instantly tell you if it worked or not.
>>>
>>> Outside of the most regimented environments you should be able to just
>>> make the change. If it fails talk to your AD team as they would likely have
>>> something blocked or disabled.
>>>
>>> Get Outlook for iOS <https://aka.ms/o0ukef>
>>>
>>> Matthew Loraditch​
>>> Sr. Network Engineer
>>> p: *443.541.1518* <443.541.1518>
>>> w: *www.heliontechnologies.com* <http://www.heliontechnologies.com/>  |
>>> e: *MLoraditch at heliontechnologies.com*
>>> <MLoraditch at heliontechnologies.com>
>>> <image502755.png> <http://www.heliontechnologies.com/>
>>> <image552534.png> <https://facebook.com/heliontech>
>>> <image068119.png> <https://twitter.com/heliontech>
>>> <image315640.png> <https://www.linkedin.com/company/helion-technologies>
>>> <image132003.jpg>
>>> ------------------------------
>>> *From:* cisco-voip <cisco-voip-bounces at puck.nether.net> on behalf of
>>> James Buchanan <james.buchanan2 at gmail.com>
>>> *Sent:* Sunday, February 9, 2020 4:57:40 PM
>>> *To:* voyp list, cisco-voip (cisco-voip at puck.nether.net) <
>>> cisco-voip at puck.nether.net>
>>> *Subject:* [cisco-voip] Field Notice from Cisco making Secure LDAP
>>> mandatory
>>>
>>>
>>> [EXTERNAL]
>>>
>>> Hello folks,
>>>
>>> I know you all needed some more work. I sure did! So here you are!
>>>
>>>
>>> https://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cucm/trouble/12_5_1/fieldNotice/cucm_b_fn-secure-ldap-mandatory-ad.html
>>>
>>>
>>> I'm interested in any early thoughts on other integrations--vCenter,
>>> ISE, VPN, TACACS, etc. I assume it applies across the board.
>>>
>>> Thanks,
>>>
>>> James
>>>
>>>
>>> _______________________________________________
>>> cisco-voip mailing list
>>> cisco-voip at puck.nether.net
>>> https://puck.nether.net/mailman/listinfo/cisco-voip
>>>
>>> _______________________________________________
>>> cisco-voip mailing list
>>> cisco-voip at puck.nether.net
>>> https://puck.nether.net/mailman/listinfo/cisco-voip
>>>
>> _______________________________________________
>> cisco-voip mailing list
>> cisco-voip at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/cisco-voip
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://puck.nether.net/pipermail/cisco-voip/attachments/20200214/e3c31f5c/attachment.htm>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image367180.png
Type: image/png
Size: 9409 bytes
Desc: not available
URL: <https://puck.nether.net/pipermail/cisco-voip/attachments/20200214/e3c31f5c/attachment.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image755198.png
Type: image/png
Size: 431 bytes
Desc: not available
URL: <https://puck.nether.net/pipermail/cisco-voip/attachments/20200214/e3c31f5c/attachment-0001.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image389775.png
Type: image/png
Size: 561 bytes
Desc: not available
URL: <https://puck.nether.net/pipermail/cisco-voip/attachments/20200214/e3c31f5c/attachment-0002.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image921900.png
Type: image/png
Size: 444 bytes
Desc: not available
URL: <https://puck.nether.net/pipermail/cisco-voip/attachments/20200214/e3c31f5c/attachment-0003.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image157220.jpg
Type: image/jpeg
Size: 19523 bytes
Desc: not available
URL: <https://puck.nether.net/pipermail/cisco-voip/attachments/20200214/e3c31f5c/attachment.jpg>


More information about the cisco-voip mailing list